Minimal Permissions and Role to Create Clusters
Configure IAM Prerequisites before starting a cluster
This section guides you in creating and using a minimally scoped IAM policy to create DKP clusters on an AWS account. For multi-tenancy, place every tenant in a separate AWS account so that tenants are truly independent of each other; the account boundary is what enforces the separation.
Prerequisites
Before applying the IAM Policies, verify the following:
You have a valid AWS account with credentials configured that can manage CloudFormation Stacks, IAM Policies, IAM Roles, and IAM Instance Profiles.
The AWS CLI utility is installed.
Minimal Permissions
The following is an AWS CloudFormation stack that creates:
A policy named dkp-bootstrapper-policy that enumerates the minimal permissions for a user that can create DKP AWS clusters.
A role named dkp-bootstrapper-role that uses the dkp-bootstrapper-policy, with a trust policy that allows IAM users and EC2 instances from MYAWSACCOUNT to use the role via STS.
An instance profile DKPBootstrapInstanceProfile that wraps the dkp-bootstrapper-role, to be used by EC2 instances.
Create Resources in CloudFormation Stack
To create the resources in the CloudFormation stack:
Copy the following contents into a file:
AWSTemplateFormatVersion: 2010-09-09
Resources:
  AWSIAMInstanceProfileDKPBootstrapper:
    Properties:
      InstanceProfileName: DKPBootstrapInstanceProfile
      Roles:
        - Ref: DKPBootstrapRole
    Type: AWS::IAM::InstanceProfile
  AWSIAMManagedPolicyDKPBootstrapper:
    Properties:
      Description: Minimal policy to create dkp clusters in AWS
      ManagedPolicyName: dkp-bootstrapper-policy
      PolicyDocument:
        Statement:
          - Action:
              - ec2:AllocateAddress
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSecurityGroup
              - ec2:CreateSubnet
              - ec2:CreateTags
              - ec2:CreateVpc
              - ec2:ModifyVpcAttribute
              - ec2:DeleteInternetGateway
              - ec2:DeleteNatGateway
              - ec2:DeleteRouteTable
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSubnet
              - ec2:DeleteTags
              - ec2:DeleteVpc
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeImages
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeNetworkInterfaceAttribute
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVolumes
              - ec2:DetachInternetGateway
              - ec2:DisassociateRouteTable
              - ec2:DisassociateAddress
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyInstanceMetadataOptions
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:ModifySubnetAttribute
              - ec2:ReleaseAddress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
              - tag:GetResources
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:RemoveTags
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeInstanceRefreshes
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:DescribeLaunchTemplates
              - ec2:DescribeLaunchTemplateVersions
              - ec2:DeleteLaunchTemplate
              - ec2:DeleteLaunchTemplateVersions
              - ec2:DescribeKeyPairs
            Effect: Allow
            Resource:
              - '*'
          - Action:
              - autoscaling:CreateAutoScalingGroup
              - autoscaling:UpdateAutoScalingGroup
              - autoscaling:CreateOrUpdateTags
              - autoscaling:StartInstanceRefresh
              - autoscaling:DeleteAutoScalingGroup
              - autoscaling:DeleteTags
            Effect: Allow
            Resource:
              - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
          - Action:
              - ecr:DescribeRepositories
              - ecr:CreateRepository
              - ecr:PutLifecyclePolicy
              - ecr:CompleteLayerUpload
              - ecr:GetAuthorizationToken
              - ecr:UploadLayerPart
              - ecr:InitiateLayerUpload
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
              - ecr:PutImage
            Effect: Allow
            Resource:
              - arn:aws:ecr:*:MYAWSACCOUNT:repository/*
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: autoscaling.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: elasticloadbalancing.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
          - Action:
              - iam:CreateServiceLinkedRole
            Condition:
              StringLike:
                iam:AWSServiceName: spot.amazonaws.com
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
          - Action:
              - iam:PassRole
            Effect: Allow
            Resource:
              - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
          - Action:
              - secretsmanager:CreateSecret
              - secretsmanager:DeleteSecret
              - secretsmanager:TagResource
            Effect: Allow
            Resource:
              - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
        Version: 2012-10-17
      Roles:
        - Ref: DKPBootstrapRole
    Type: AWS::IAM::ManagedPolicy
  DKPBootstrapRole:
    Properties:
      AssumeRolePolicyDocument:
        Statement:
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              Service:
                - ec2.amazonaws.com
          - Action:
              - sts:AssumeRole
            Effect: Allow
            Principal:
              AWS: arn:aws:iam::MYAWSACCOUNT:root
        Version: 2012-10-17
      RoleName: dkp-bootstrapper-role
    Type: AWS::IAM::Role
Replace the following with the correct values:
MYFILENAME.yaml - give your file a meaningful name.
MYSTACKNAME - give your CloudFormation stack a meaningful name.
MYAWSACCOUNT - replace with your AWS Account ID number, such as 111122223333.
Run the following command to create the stack:
aws cloudformation create-stack --template-body=file://MYFILENAME.yaml --stack-name=MYSTACKNAME --capabilities CAPABILITY_NAMED_IAM
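The two security properties this template is meant to enforce are that dkp-bootstrapper-policy grants only what cluster creation needs, and that dkp-bootstrapper-role can be assumed only from within the tenant's own account. The following Python script is an added example and is not part of the DKP documentation or product: it transcribes an abbreviated subset of the template's statements as dicts (a constructed excerpt, with MYAWSACCOUNT filled in as the page's sample ID 111122223333) and runs two review checks over them, one for wildcard or unscoped write grants in the managed policy and one for trust-policy principals outside the account. The names audit_policy, is_read_only and external_principals are this example's own.

```python
import re

# Constructed excerpt of dkp-bootstrapper-policy and the dkp-bootstrapper-role
# trust policy from the template above, transcribed as dicts. The long ec2 and
# elasticloadbalancing list is cut to a few representative actions.
ACCOUNT_ID = "111122223333"  # stands in for MYAWSACCOUNT

POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:CreateVpc", "ec2:DescribeVpcs", "ec2:RunInstances",
                    "ec2:TerminateInstances", "tag:GetResources",
                    "elasticloadbalancing:CreateLoadBalancer"],
         "Resource": ["*"]},
        {"Effect": "Allow",
         "Action": ["autoscaling:CreateAutoScalingGroup",
                    "autoscaling:DeleteAutoScalingGroup"],
         "Resource": ["arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"]},
        {"Effect": "Allow",
         "Action": ["iam:CreateServiceLinkedRole"],
         "Condition": {"StringLike": {"iam:AWSServiceName": "autoscaling.amazonaws.com"}},
         "Resource": ["arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/"
                      "AWSServiceRoleForAutoScaling"]},
        {"Effect": "Allow",
         "Action": ["iam:PassRole"],
         "Resource": ["arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io"]},
    ],
}

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"Service": ["ec2.amazonaws.com"]}},
        {"Effect": "Allow", "Action": ["sts:AssumeRole"],
         "Principal": {"AWS": f"arn:aws:iam::{ACCOUNT_ID}:root"}},
    ],
}

# Verb prefixes that only read state; every other verb is treated as a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "BatchCheck", "BatchGet")
ACCOUNT_ARN_RE = re.compile(r"^arn:aws[\w-]*:iam::(\d{12}):")


def _as_list(value):
    """IAM accepts either a string or a list in Action/Resource/Principal fields."""
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True when the action verb only reads state, e.g. ec2:DescribeVpcs."""
    _service, _, verb = action.partition(":")
    return verb.startswith(READ_ONLY_PREFIXES)


def audit_policy(doc):
    """Return (statement_index, action, reason) triples a reviewer should look at."""
    findings = []
    for idx, stmt in enumerate(doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        resources = _as_list(stmt.get("Resource", []))
        on_any_resource = "*" in resources
        cond = stmt.get("Condition", {})
        has_service_cond = any("iam:AWSServiceName" in cond.get(op, {})
                               for op in ("StringEquals", "StringLike"))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                reason = "wildcard action"
            elif action == "iam:PassRole" and on_any_resource:
                reason = "iam:PassRole not scoped to a role ARN pattern"
            elif action == "iam:CreateServiceLinkedRole" and not has_service_cond:
                reason = "iam:CreateServiceLinkedRole without an iam:AWSServiceName condition"
            elif on_any_resource and not is_read_only(action):
                reason = "write action on Resource '*'"
            else:
                continue
            findings.append((idx, action, reason))
    return findings


def external_principals(trust_doc, account_id):
    """AWS principals allowed to assume the role that are not in account_id.
    With one tenant per account this must be empty."""
    external = []
    for stmt in trust_doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":  # anonymous principal: anyone may assume the role
            external.append("*")
            continue
        for arn in _as_list(principal.get("AWS", [])):
            match = ACCOUNT_ARN_RE.match(arn)
            owner = arn if arn.isdigit() else (match.group(1) if match else None)
            if owner != account_id:
                external.append(arn)
    return external
```

Write actions on Resource '*' are expected in the first statement, since VPCs, subnets and instances cannot be scoped to resources that do not exist yet; the report exists so a reviewer sees exactly which grants are unscoped and can confirm nothing wider (such as ec2:*) has crept in. The same functions run unchanged over the full PolicyDocument if the template is loaded with a YAML parser and the Properties.PolicyDocument mapping is passed in.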
Leverage the Role
Use temporary User Access Keys via STS
The created dkp-bootstrapper-role can be assumed by IAM users for temporary credentials via STS by running the command below:
aws sts assume-role --role-arn arn:aws:iam::MYAWSACCOUNT:role/dkp-bootstrapper-role --role-session-name EXAMPLE
This returns output similar to the following:
{
  "Credentials": {
    "AccessKeyId": "ASIA6RTF53ZH5B52EVM5",
    "SecretAccessKey": "BSssyvSsdfJY74jubsadfdsafdsaH7x1L+8Vk/",
    "SessionToken": "IQoJb3JpZ2z5cyChb9PtJvP0S6KAi",
    "Expiration": "2022-07-14T20:19:13+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "ASIA6RTF53ZH5B52EVM5:test",
    "Arn": "arn:aws:sts::MYAWSACCOUNTID:assumed-role/dkp-bootstrapper-role/test"
  }
}
Then export the following environment variables with the results. Capture the assume-role output once and read all three values from that single response (here with jq), because each assume-role call issues a separate set of credentials that is only valid as a set:
CREDS=$(aws sts assume-role --role-arn arn:aws:iam::MYAWSACCOUNT:role/dkp-bootstrapper-role --role-session-name EXAMPLE)
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r .Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r .Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r .Credentials.SessionToken)
These credentials are short-lived: they stop working at the returned Expiration time and would need to be refreshed and updated in the bootstrap cluster.
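The expiry caveat above is the part that is easiest to get wrong when scripting the assume-role step, so the following Python is an added example (not DKP code) of handling one assume-role response: it maps the three credential fields to the environment variables the AWS CLI and SDKs read, renders shell-safe export lines, and refuses to hand out credentials that are already inside a refresh margin of their Expiration. The response is a constructed copy of the sample output above with MYAWSACCOUNTID replaced by the page's sample ID 111122223333; the function names and the five-minute margin are this example's own choices.

```python
import json
import shlex
from datetime import datetime, timedelta, timezone

# Constructed assume-role response in the shape shown above. The values are the
# documentation's placeholders, not real credentials.
SAMPLE_RESPONSE = json.loads("""
{
  "Credentials": {
    "AccessKeyId": "ASIA6RTF53ZH5B52EVM5",
    "SecretAccessKey": "BSssyvSsdfJY74jubsadfdsafdsaH7x1L+8Vk/",
    "SessionToken": "IQoJb3JpZ2z5cyChb9PtJvP0S6KAi",
    "Expiration": "2022-07-14T20:19:13+00:00"
  },
  "AssumedRoleUser": {
    "AssumedRoleId": "ASIA6RTF53ZH5B52EVM5:test",
    "Arn": "arn:aws:sts::111122223333:assumed-role/dkp-bootstrapper-role/test"
  }
}
""")

# Environment variable -> field of the Credentials object it is filled from.
ENV_KEYS = {
    "AWS_ACCESS_KEY_ID": "AccessKeyId",
    "AWS_SECRET_ACCESS_KEY": "SecretAccessKey",
    "AWS_SESSION_TOKEN": "SessionToken",
}


def credentials_to_env(response):
    """Map one assume-role response to the three variables the CLI/SDKs read.

    All three must come from the same response: temporary credentials are only
    valid as a set, and mixing a key id from one call with the token of another fails.
    """
    creds = response["Credentials"]
    return {env: creds[field] for env, field in ENV_KEYS.items()}


def export_lines(env):
    """Render 'export NAME=value' lines with the values quoted for the shell."""
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]


def expiration(response):
    """Parse the ISO-8601 Expiration timestamp into an aware datetime."""
    return datetime.fromisoformat(response["Credentials"]["Expiration"])


def needs_refresh(response, now, margin=timedelta(minutes=5)):
    """True when the credentials have expired or will do so within `margin`."""
    return expiration(response) - now <= margin


def load_env_if_fresh(response, now):
    """Return the env mapping, or None when a new assume-role call is needed first."""
    if needs_refresh(response, now):
        return None
    return credentials_to_env(response)


if __name__ == "__main__":
    env = load_env_if_fresh(SAMPLE_RESPONSE, datetime.now(timezone.utc))
    print("\n".join(export_lines(env)) if env else "credentials expired; assume the role again")
```

Running the block with the sample response prints the "expired" branch, since its Expiration is in the past; with a response captured moments ago it prints the three export lines, which can be evaluated in the shell with eval or written to a file that is sourced. Because the bootstrap cluster keeps a copy of these credentials, the same needs_refresh check belongs in whatever process pushes updated credentials to it.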
Use EC2 Instance Profiles
The created dkp-bootstrapper-role can be assumed by an EC2 instance from which a user runs dkp create cluster commands. To do this, specify the IAM Instance Profile DKPBootstrapInstanceProfile when creating the instance.
Use Access Keys
AWS administrators can attach the dkp-bootstrapper-policy to an existing IAM user and authenticate with Access Keys on the workstation from which they run dkp create cluster commands, by exporting the following environment variables with the appropriate values for the IAM user:
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
Regarding Access Key usage, a system administrator should always consider AWS's best practices.
EKS cluster minimal permissions are required if attaching an EKS cluster. Refer to Minimal User Permission for EKS Cluster Creation. The CloudFormation stack on that page adds a policy named eks-bootstrapper, which manages EKS clusters, to the dkp-bootstrapper-role created by the CloudFormation stack on this page.
If your organization uses encrypted AMIs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html), you will need to add permissions to the control plane policy to allow access to the AWS Key Management Service (KMS). See the following documentation for information on the policies you may need: AWS Key Policies.