
AWS Minimal Permissions and Role to Create Clusters

Configure IAM Prerequisites before starting a cluster

This section guides you through creating and using a minimally scoped IAM policy for creating DKP clusters in an AWS account. For multi-tenancy, place each tenant in a separate AWS account so that tenants are fully isolated from one another; account boundaries are the isolation mechanism being relied on.

Prerequisites

Before applying the IAM Policies, verify the following:

Minimal Permissions

The following is an AWS CloudFormation stack that creates:

  • A policy named dkp-bootstrapper-policy that enumerates the minimal permissions a principal needs to create DKP AWS clusters.

  • A role named dkp-bootstrapper-role that uses the dkp-bootstrapper-policy, with a trust policy that allows IAM principals and EC2 instances in MYAWSACCOUNT to assume the role via STS.

  • An instance profile named DKPBootstrapInstanceProfile that wraps the dkp-bootstrapper-role for use by EC2 instances.

Create Resources in CloudFormation Stack

To create the resources in the CloudFormation stack:

  1. Copy the following contents into a file:

    YAML
    AWSTemplateFormatVersion: 2010-09-09
    Resources:
      AWSIAMInstanceProfileDKPBootstrapper:
        Properties:
          InstanceProfileName: DKPBootstrapInstanceProfile
          Roles:
          - Ref: DKPBootstrapRole
        Type: AWS::IAM::InstanceProfile
      AWSIAMManagedPolicyDKPBootstrapper:
        Properties:
          Description: Minimal policy to create dkp clusters in AWS
          ManagedPolicyName: dkp-bootstrapper-policy
          PolicyDocument:
            Statement:
            - Action:
              - ec2:AllocateAddress
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSecurityGroup
              - ec2:CreateSubnet
              - ec2:CreateTags
              - ec2:CreateVpc
              - ec2:ModifyVpcAttribute
              - ec2:DeleteInternetGateway
              - ec2:DeleteNatGateway
              - ec2:DeleteRouteTable
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSubnet
              - ec2:DeleteTags
              - ec2:DeleteVpc
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeImages
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribeNetworkInterfaceAttribute
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSubnets
              - ec2:DescribeVpcs
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVolumes
              - ec2:DetachInternetGateway
              - ec2:DisassociateRouteTable
              - ec2:DisassociateAddress
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyInstanceMetadataOptions
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:ModifySubnetAttribute
              - ec2:ReleaseAddress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
              - tag:GetResources
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeTargetGroups
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:RemoveTags
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeInstanceRefreshes
              - ec2:CreateLaunchTemplate
              - ec2:CreateLaunchTemplateVersion
              - ec2:DescribeLaunchTemplates
              - ec2:DescribeLaunchTemplateVersions
              - ec2:DeleteLaunchTemplate
              - ec2:DeleteLaunchTemplateVersions
              - ec2:DescribeKeyPairs
              Effect: Allow
              Resource:
              - '*'
            - Action:
              - autoscaling:CreateAutoScalingGroup
              - autoscaling:UpdateAutoScalingGroup
              - autoscaling:CreateOrUpdateTags
              - autoscaling:StartInstanceRefresh
              - autoscaling:DeleteAutoScalingGroup
              - autoscaling:DeleteTags
              Effect: Allow
              Resource:
              - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*
            - Action:
              - ecr:DescribeRepositories
              - ecr:CreateRepository
              - ecr:PutLifecyclePolicy
              - ecr:CompleteLayerUpload
              - ecr:GetAuthorizationToken
              - ecr:UploadLayerPart
              - ecr:InitiateLayerUpload
              - ecr:BatchCheckLayerAvailability
              - ecr:BatchGetImage
              - ecr:GetDownloadUrlForLayer
              - ecr:PutImage
              Effect: Allow
              Resource:
              - arn:aws:ecr:*:MYAWSACCOUNT:repository/*
            - Action:
              - iam:CreateServiceLinkedRole
              Condition:
                StringLike:
                  iam:AWSServiceName: autoscaling.amazonaws.com
              Effect: Allow
              Resource:
              - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling
            - Action:
              - iam:CreateServiceLinkedRole
              Condition:
                StringLike:
                  iam:AWSServiceName: elasticloadbalancing.amazonaws.com
              Effect: Allow
              Resource:
              - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
            - Action:
              - iam:CreateServiceLinkedRole
              Condition:
                StringLike:
                  iam:AWSServiceName: spot.amazonaws.com
              Effect: Allow
              Resource:
              - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
            - Action:
              - iam:PassRole
              Effect: Allow
              Resource:
              - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
            - Action:
              - secretsmanager:CreateSecret
              - secretsmanager:DeleteSecret
              - secretsmanager:TagResource
              Effect: Allow
              Resource:
              - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
            Version: 2012-10-17
          Roles:
          - Ref: DKPBootstrapRole
        Type: AWS::IAM::ManagedPolicy
      DKPBootstrapRole:
        Properties:
          AssumeRolePolicyDocument:
            Statement:
            - Action:
              - sts:AssumeRole
              Effect: Allow
              Principal:
                Service:
                - ec2.amazonaws.com
            - Action:
              - sts:AssumeRole
              Effect: Allow
              Principal:
                AWS: arn:aws:iam::MYAWSACCOUNT:root
            Version: 2012-10-17
          RoleName: dkp-bootstrapper-role
        Type: AWS::IAM::Role

If your organization uses Flatcar, add the following S3 permissions to the dkp-bootstrapper-policy in your CloudFormation stack:

CODE
- Action:
  - 's3:CreateBucket'
  - 's3:DeleteBucket'
  - 's3:PutObject'
  - 's3:DeleteObject'
  - 's3:PutBucketPolicy'
  Effect: Allow
  Resource:
  - 'arn:*:s3:::cluster-api-provider-aws-*'
  2. Replace the following placeholders with the correct values:

    1. MYFILENAME.yaml - give your file a meaningful name.

    2. MYSTACKNAME - give your CloudFormation stack a meaningful name.

    3. MYAWSACCOUNT - replace with your AWS account ID, such as 111122223333.

  3. Run the following command to create the stack:

BASH
aws cloudformation create-stack --template-body=file://MYFILENAME.yaml --stack-name=MYSTACKNAME --capabilities CAPABILITY_NAMED_IAM
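
Before running create-stack, it is worth checking the policy document for grants broader than this page intends. The following Python script is an added example, not part of the DKP docs or of the template above: it takes the PolicyDocument in the JSON/dict form CloudFormation also accepts (a constructed subset of the page's statements is embedded) and flags mutating actions granted on Resource '*', an iam:PassRole grant that is not scoped to a role-name pattern, and iam:CreateServiceLinkedRole without the iam:AWSServiceName condition.

```python
import re

# Constructed subset of the page's dkp-bootstrapper-policy, in the JSON/dict
# form CloudFormation accepts (the YAML on the page maps 1:1 onto this).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": ["*"],
         "Action": ["ec2:DescribeVpcs", "ec2:CreateVpc", "ec2:RunInstances"]},
        {"Effect": "Allow", "Action": ["autoscaling:CreateAutoScalingGroup"],
         "Resource": ["arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"]},
        {"Effect": "Allow", "Action": ["iam:CreateServiceLinkedRole"],
         "Condition": {"StringLike": {"iam:AWSServiceName": "autoscaling.amazonaws.com"}},
         "Resource": ["arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"]},
        {"Effect": "Allow", "Action": ["iam:PassRole"],
         "Resource": ["arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io"]},
    ],
}

# Read-only API verbs; a '*' resource for these carries little risk.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(Describe|Get|List)", re.I)


def _as_list(value):
    # IAM accepts either a string or a list in Action/Resource fields.
    return value if isinstance(value, list) else [value]


def audit_policy(policy):
    """Return (statement_index, finding) tuples for over-broad Allow grants."""
    findings = []
    for i, st in enumerate(policy.get("Statement", [])):
        if st.get("Effect") != "Allow":
            continue
        actions = _as_list(st.get("Action", []))
        resources = _as_list(st.get("Resource", []))
        mutating = sorted(a for a in actions if not READ_ONLY.match(a))
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append((i, "wildcard action"))
        if "*" in resources and mutating:
            findings.append((i, "mutating actions on Resource '*': " + ", ".join(mutating)))
        if "iam:PassRole" in actions and any(r == "*" or r.endswith("role/*") for r in resources):
            findings.append((i, "iam:PassRole not scoped to a role name pattern"))
        if "iam:CreateServiceLinkedRole" in actions and "Condition" not in st:
            findings.append((i, "iam:CreateServiceLinkedRole without iam:AWSServiceName condition"))
    return findings


if __name__ == "__main__":
    for idx, msg in audit_policy(SAMPLE_POLICY):
        print(f"Statement[{idx}]: {msg}")
```

The first statement of the page's policy is reported because EC2 networking and RunInstances are granted on '*'; treat that as a prompt to confirm the action list matches what DKP actually calls, not as something the script can fix for you.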

Leverage the Role

Use temporary User Access Keys via STS.

The created dkp-bootstrapper-role can be assumed by IAM users for temporary credentials via STS by running the command below:

CODE
aws sts assume-role --role-arn arn:aws:iam::MYAWSACCOUNT:role/dkp-bootstrapper-role --role-session-name EXAMPLE

This returns output similar to the following:

JSON
{
    "Credentials": {
        "AccessKeyId": "ASIA6RTF53ZH5B52EVM5",
        "SecretAccessKey": "BSssyvSsdfJY74jubsadfdsafdsaH7x1L+8Vk/",
        "SessionToken": "IQoJb3JpZ2z5cyChb9PtJvP0S6KAi",
        "Expiration": "2022-07-14T20:19:13+00:00"
    },
    "AssumedRoleUser": {
        "AssumedRoleId": "ASIA6RTF53ZH5B52EVM5:test",
        "Arn": "arn:aws:sts::MYAWSACCOUNTID:assumed-role/dkp-bootstrapper-role/test"
    }
}

Then export the following environment variables from the returned credentials (the example uses jq to pull each field out of the JSON):

CODE
# Assumes the assume-role JSON was captured first, for example:
# CREDS=$(aws sts assume-role --role-arn arn:aws:iam::MYAWSACCOUNT:role/dkp-bootstrapper-role --role-session-name EXAMPLE)
export AWS_ACCESS_KEY_ID=$(echo "$CREDS" | jq -r '.Credentials.AccessKeyId')
export AWS_SECRET_ACCESS_KEY=$(echo "$CREDS" | jq -r '.Credentials.SecretAccessKey')
export AWS_SESSION_TOKEN=$(echo "$CREDS" | jq -r '.Credentials.SessionToken')

These credentials are short-lived and must be refreshed in the bootstrap cluster before they expire.
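
Because the session expires, it helps to check the Expiration field before handing the credentials to anything long-running. The following Python is an added example, not part of the DKP docs: it parses a constructed assume-role response (placeholder values), maps the fields to the environment variables above, and refuses to emit export lines when the session is already within five minutes of expiry.

```python
import json
import shlex
from datetime import datetime, timezone

# Constructed sample of `aws sts assume-role` output; no value is a real credential.
SAMPLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAEXAMPLEACCESSKEY",
    "SecretAccessKey": "EXAMPLESECRET/ACCESS+KEY",
    "SessionToken": "EXAMPLESESSIONTOKEN",
    "Expiration": "2022-07-14T20:19:13+00:00"
  }
}"""

# Credentials field -> environment variable the AWS CLI and SDKs read.
ENV_MAP = {
    "AccessKeyId": "AWS_ACCESS_KEY_ID",
    "SecretAccessKey": "AWS_SECRET_ACCESS_KEY",
    "SessionToken": "AWS_SESSION_TOKEN",
}


def parse_credentials(output):
    """Return ({env_var: value}, expiration as a timezone-aware datetime)."""
    creds = json.loads(output)["Credentials"]
    env = {ENV_MAP[key]: creds[key] for key in ENV_MAP}
    return env, datetime.fromisoformat(creds["Expiration"])


def _as_time(now):
    # Accept None (current UTC time), an ISO-8601 string, or a datetime.
    if now is None:
        return datetime.now(timezone.utc)
    return datetime.fromisoformat(now) if isinstance(now, str) else now


def seconds_remaining(expiration, now=None):
    return (expiration - _as_time(now)).total_seconds()


def needs_refresh(expiration, now=None, min_remaining=300):
    """True when the session has expired or expires within min_remaining seconds."""
    return seconds_remaining(expiration, now) < min_remaining


def export_lines(env, expiration, now=None):
    """Shell export lines for a still-valid session; refuse an expiring one."""
    if needs_refresh(expiration, now):
        raise RuntimeError("STS session expired or about to expire; re-run assume-role")
    return [f"export {name}={shlex.quote(value)}" for name, value in env.items()]
```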

Use EC2 Instance Profiles

The created dkp-bootstrapper-role can also be assumed by the EC2 instance from which a user runs dkp create cluster commands. To do this, specify the IAM instance profile DKPBootstrapInstanceProfile when launching the instance.

Use Access Keys

AWS administrators can attach the dkp-bootstrapper-policy to an existing IAM user and authenticate with that user's access keys on the workstation from which dkp create cluster commands are run, by exporting the following environment variables with the appropriate values for the IAM user.

CODE
export AWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE
export AWS_SECRET_ACCESS_KEY=wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY
export AWS_DEFAULT_REGION=us-west-2

When using long-lived access keys, a system administrator should always follow AWS's best practices for managing them.

If you are attaching an EKS cluster, additional minimal permissions are required. Refer to Minimal User Permission for EKS Cluster Creation. The CloudFormation stack on that page attaches a policy named eks-bootstrapper, which manages EKS clusters, to the dkp-bootstrapper-role created by the CloudFormation stack on this page.

If your organization uses encrypted AMIs (https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/AMIEncryption.html), you will need to add permissions to the control plane policy that allow access to AWS Key Management Service (KMS). See the following documentation for information on the policies you may need: AWS Key Policies.

