AWS Minimal Permissions and Role to Create Clusters
Configure IAM Prerequisites before starting a cluster
This section guides you in creating and using a minimally-scoped policy to create DKP clusters on an AWS account. For multi-tenancy, every tenant should be in a different AWS account to ensure they are truly independent of other tenants in order to enforce security.
Prerequisites
Before applying the IAM Policies, verify the following:
You have a valid AWS account with credentials configured that can manage CloudFormation Stacks, IAM Policies, IAM Roles, and IAM Instance Profiles.
The AWS CLI utility is installed.
Minimal Permissions
The following is an AWSCloudFormation stack that creates:
A policy named
dkp-bootstrapper-policy
that enumerates the minimal permissions for a user that can create dkp aws clusters.A role named
dkp-bootstrapper-role
that uses thedkp-bootstrapper-policy
with a trust policy to allow IAM users and ec2 instances fromMYAWSACCOUNTID
to use the role via STS.An instance profile
DKPBootstrapInstanceProfile
that wraps thedkp-bootstrapper-role
to be used by ec2 instances.
Create Resources in CloudFormation Stack
To create the resources in the CloudFormation stack:
Copy the following contents into a file:
YAMLAWSTemplateFormatVersion: 2010-09-09 Resources: AWSIAMInstanceProfileDKPBootstrapper: Properties: InstanceProfileName: DKPBootstrapInstanceProfile Roles: - Ref: DKPBootstrapRole Type: AWS::IAM::InstanceProfile AWSIAMManagedPolicyDKPBootstrapper: Properties: Description: Minimal policy to create dkp clusters in AWS ManagedPolicyName: dkp-bootstrapper-policy PolicyDocument: Statement: - Action: - ec2:AllocateAddress - ec2:AssociateRouteTable - ec2:AttachInternetGateway - ec2:AuthorizeSecurityGroupIngress - ec2:CreateInternetGateway - ec2:CreateNatGateway - ec2:CreateRoute - ec2:CreateRouteTable - ec2:CreateSecurityGroup - ec2:CreateSubnet - ec2:CreateTags - ec2:CreateVpc - ec2:ModifyVpcAttribute - ec2:DeleteInternetGateway - ec2:DeleteNatGateway - ec2:DeleteRouteTable - ec2:DeleteSecurityGroup - ec2:DeleteSubnet - ec2:DeleteTags - ec2:DeleteVpc - ec2:DescribeAccountAttributes - ec2:DescribeAddresses - ec2:DescribeAvailabilityZones - ec2:DescribeInstanceTypes - ec2:DescribeInternetGateways - ec2:DescribeImages - ec2:DescribeNatGateways - ec2:DescribeNetworkInterfaces - ec2:DescribeNetworkInterfaceAttribute - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - ec2:DescribeVpcAttribute - ec2:DescribeVolumes - ec2:DetachInternetGateway - ec2:DisassociateRouteTable - ec2:DisassociateAddress - ec2:ModifyInstanceAttribute - ec2:ModifyInstanceMetadataOptions - ec2:ModifyNetworkInterfaceAttribute - ec2:ModifySubnetAttribute - ec2:ReleaseAddress - ec2:RevokeSecurityGroupIngress - ec2:RunInstances - ec2:TerminateInstances - tag:GetResources - elasticloadbalancing:AddTags - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:DescribeTargetGroups - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer - elasticloadbalancing:DescribeTags - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:RemoveTags - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeInstanceRefreshes - ec2:CreateLaunchTemplate - ec2:CreateLaunchTemplateVersion - ec2:DescribeLaunchTemplates - ec2:DescribeLaunchTemplateVersions - ec2:DeleteLaunchTemplate - ec2:DeleteLaunchTemplateVersions - ec2:DescribeKeyPairs Effect: Allow Resource: - '*' - Action: - autoscaling:CreateAutoScalingGroup - autoscaling:UpdateAutoScalingGroup - autoscaling:CreateOrUpdateTags - autoscaling:StartInstanceRefresh - autoscaling:DeleteAutoScalingGroup - autoscaling:DeleteTags Effect: Allow Resource: - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/* - Action: - ecr:DescribeRepositories - ecr:CreateRepository - ecr:PutLifecyclePolicy - ecr:CompleteLayerUpload - ecr:GetAuthorizationToken - ecr:UploadLayerPart - ecr:InitiateLayerUpload - ecr:BatchCheckLayerAvailability - ecr:BatchGetImage - ecr:GetDownloadUrlForLayer - ecr:PutImage Effect: Allow Resource: - arn:aws:ecr:*:MYAWSACCOUNT:repository/* - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: autoscaling.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: elasticloadbalancing.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: spot.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot - Action: - iam:PassRole Effect: Allow Resource: - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io - Action: - secretsmanager:CreateSecret - secretsmanager:DeleteSecret - secretsmanager:TagResource Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* Version: 2012-10-17 Roles: - Ref: DKPBootstrapRole Type: AWS::IAM::ManagedPolicy DKPBootstrapRole: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com - Action: - sts:AssumeRole Effect: Allow Principal: AWS: arn:aws:iam::MYAWSACCOUNT:root Version: 2012-10-17 RoleName: dkp-bootstrapper-role Type: AWS::IAM::Role
If your organization uses Flatcar, add the following s3 permissions to your CloudFormation stack in the dkp-bootstrapper-policy
:
- Action:
- 's3:CreateBucket'
- 's3:DeleteBucket'
- 's3:PutObject'
- 's3:DeleteObject'
- 's3:PutBucketPolicy'
Effect: Allow
Resource:
- 'arn:*:s3:::cluster-api-provider-aws-*'
Replace the following with the correct values:
MYFILENAME.yaml
- give your file a meaningful name.MYSTACKNAME
- give your cloudformation stack a meaningful name.MYAWSACCOUNT
- replace with an AWS Account ID number such as:111122223333
Run the following command to create the stack :
aws cloudformation create-stack --template-body=file://MYFILENAME.yaml --stack-name=MYSTACKNAME --capabilities CAPABILITY_NAMED_IAM
Leverage the Role
Use temporary User Access Keys via STS.
The created dkp-bootstrapper-role
can be assumed by IAM users for temporary credentials via STS by running the command below:
aws sts assume-role --role-arn arn:aws:iam::MYAWSACCOUNT:role/dkp-bootstrapper-role --role-session-name EXAMPLE
Which returns something similar to this:
{
"Credentials": {
"AccessKeyId": "ASIA6RTF53ZH5B52EVM5",
"SecretAccessKey": "BSssyvSsdfJY74jubsadfdsafdsaH7x1L+8Vk/",
"SessionToken": "IQoJb3JpZ2z5cyChb9PtJvP0S6KAi",
"Expiration": "2022-07-14T20:19:13+00:00"
},
"AssumedRoleUser": {
"AssumedRoleId": "ASIA6RTF53ZH5B52EVM5:test",
"Arn": "arn:aws:sts::MYAWSACCOUNTID:assumed-role/dkp-bootstrapper-role/test"
}
}
And then export
the following environment variables with the results:
export AWS_ACCESS_KEY_ID=(.Credentials.AccessKeyId)
export AWS_SECRET_ACCESS_KEY=(.Credentials.SecretAccessKey)
export AWS_SESSION_TOKEN=(.Credentials.SessionToken)
These credentials are short lived and would need to be updated in the bootstrap cluster
Use EC2 Instance Profiles
The created dkp-bootstrapper-role
can be assumed by an ec2 instance a user would run dkp create cluster
commands from. To do this, specify the IAM Instance Profile DKPBootstrapInstanceProfile
on creation.
Use Access Keys
AWS administrators can attach the dkp-bootstrapper-policy
to an existing IAM user and authenticate with Access Keys on the work station they would run dkp create cluster
commands from by exporting the following environment variables with the appropriate values for the IAM user.
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2
In regards to Access Keys usage, a system administrator should always consider AWS’s Best practices.
EKS cluster minimal permissions are required if attaching an EKS cluster. Refer to Minimal User Permission for EKS Cluster Creation. The CloudFormation stack on that page adds a policy named eks-bootstrapper
to manage EKS cluster to the dkp-bootstrapper-role
created by the CloudFormation stack on this page.
If your organization uses encrypted AMI’s (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html ), then you will need to add additional permissions to the control plane policy to allow access to the Amazon Key Management Services. See the following documentation for information on the necessary policies you may need: AWS Key Policies.
Return to EKS Cluster IAM Permissions and Roles or proceed to the next AWS step below.