Add AWS IAM policy file for selfhost permission (#484)

Superm4n97 · web-flow · commit f6abce7b1535 · 2025-10-08T21:26:10.000+08:00
Signed-off-by: rasel &lt;rasel@appscode.com&gt;
diff --git a/files/products/appscode/aws-selfhost/iam-ec2-permissions.json b/files/products/appscode/aws-selfhost/iam-ec2-permissions.json
@@ -0,0 +1,206 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+
+    {
+      "Action": [
+        "iam:ListOpenIDConnectProviders",
+        "iam:ListPolicies"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:UpdateRole"
+      ],
+      "Resource": "arn:*:iam::*:role/Ace*",
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "ec2:TerminateInstances"
+      ],
+      "Resource": "arn:*:ec2:*:*:instance/i-*",
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "autoscaling:CreateAutoScalingGroup",
+        "autoscaling:UpdateAutoScalingGroup",
+        "autoscaling:CreateOrUpdateTags",
+        "autoscaling:StartInstanceRefresh",
+        "autoscaling:DeleteAutoScalingGroup",
+        "autoscaling:DeleteTags"
+      ],
+      "Resource": "arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*",
+      "Effect": "Allow"
+    },
+    {
+      "Condition": {
+        "StringLike": {
+          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+        }
+      },
+      "Action": [
+        "iam:CreateServiceLinkedRole"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Condition": {
+        "StringLike": {
+          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+        }
+      },
+      "Action": [
+        "iam:CreateServiceLinkedRole"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Condition": {
+        "StringLike": {
+          "iam:AWSServiceName": "spot.amazonaws.com"
+        }
+      },
+      "Action": [
+        "iam:CreateServiceLinkedRole"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:PassRole"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io",
+        "arn:*:iam::*:role/Ace*",
+        "arn:*:iam::*:role/controllers*",
+        "arn:*:iam::*:role/nodes*",
+        "arn:*:iam::*:role/control-plane*",
+        "arn:*:iam::*:role/controlplane*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "secretsmanager:CreateSecret",
+        "secretsmanager:DeleteSecret",
+        "secretsmanager:TagResource"
+      ],
+      "Resource": [
+        "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "s3:CreateBucket",
+        "s3:ListBucket",
+        "s3:PutBucketCORS",
+        "s3:DeleteBucket",
+        "s3:GetBucketLocation",
+        "s3:PutBucketOwnershipControls"
+      ],
+      "Resource": [
+        "arn:*:s3:::ace*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "s3:PutObject",
+        "s3:GetObject",
+        "s3:DeleteObject"
+      ],
+      "Resource": [
+        "arn:*:s3:::ace*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "cloudformation:*"
+      ],
+      "Resource": [
+        "arn:*:cloudformation:*:*:stack/*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:CreateInstanceProfile",
+        "iam:DeleteInstanceProfile",
+        "iam:GetInstanceProfile",
+        "iam:RemoveRoleFromInstanceProfile",
+        "iam:AddRoleToInstanceProfile"
+      ],
+      "Resource": [
+        "arn:*:iam::*:instance-profile/controllers*",
+        "arn:*:iam::*:instance-profile/nodes*",
+        "arn:*:iam::*:instance-profile/control-plane*",
+        "arn:*:iam::*:instance-profile/controlplane*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:GetRole",
+        "iam:ListAttachedRolePolicies"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:CreateRole",
+        "iam:DeleteRole",
+        "iam:AttachRolePolicy",
+        "iam:PutRolePolicy",
+        "iam:UpdateAssumeRolePolicy",
+        "iam:ListInstanceProfilesForRole",
+        "iam:DetachRolePolicy",
+        "iam:DeleteRolePolicy",
+        "iam:GetRolePolicy",
+        "iam:TagRole",
+        "iam:UntagRole"
+      ],
+      "Resource": [
+        "arn:*:iam::*:role/Ace*",
+        "arn:*:iam::*:role/controllers*",
+        "arn:*:iam::*:role/nodes*",
+        "arn:*:iam::*:role/control-plane*",
+        "arn:*:iam::*:role/controlplane*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:GetPolicy",
+        "iam:CreatePolicy",
+        "iam:DeletePolicy",
+        "iam:ListPolicyVersions"
+      ],
+      "Resource": [
+        "arn:*:iam::*:policy/Ace*",
+        "arn:*:iam::*:policy/controllers*",
+        "arn:*:iam::*:policy/nodes*",
+        "arn:*:iam::*:policy/control-plane*",
+        "arn:*:iam::*:policy/csi*"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
diff --git a/files/products/appscode/aws-selfhost/iam-eks-permissions.json b/files/products/appscode/aws-selfhost/iam-eks-permissions.json
@@ -0,0 +1,155 @@
+{
+  "Version": "2012-10-17",
+  "Statement": [
+    {
+      "Action": [
+        "ec2:DescribeIpamPools",
+        "ec2:AllocateIpamPoolCidr",
+        "ec2:AttachNetworkInterface",
+        "ec2:DetachNetworkInterface",
+        "ec2:AllocateAddress",
+        "ec2:AssignIpv6Addresses",
+        "ec2:AssignPrivateIpAddresses",
+        "ec2:UnassignPrivateIpAddresses",
+        "ec2:AssociateRouteTable",
+        "ec2:AssociateVpcCidrBlock",
+        "ec2:AttachInternetGateway",
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:CreateCarrierGateway",
+        "ec2:CreateInternetGateway",
+        "ec2:CreateEgressOnlyInternetGateway",
+        "ec2:CreateNatGateway",
+        "ec2:CreateNetworkInterface",
+        "ec2:CreateRoute",
+        "ec2:CreateRouteTable",
+        "ec2:CreateSecurityGroup",
+        "ec2:CreateSubnet",
+        "ec2:CreateTags",
+        "ec2:CreateVpc",
+        "ec2:CreateVpcEndpoint",
+        "ec2:DisassociateVpcCidrBlock",
+        "ec2:ModifyVpcAttribute",
+        "ec2:ModifyVpcEndpoint",
+        "ec2:DeleteCarrierGateway",
+        "ec2:DeleteInternetGateway",
+        "ec2:DeleteEgressOnlyInternetGateway",
+        "ec2:DeleteNatGateway",
+        "ec2:DeleteRouteTable",
+        "ec2:ReplaceRoute",
+        "ec2:DeleteSecurityGroup",
+        "ec2:DeleteSubnet",
+        "ec2:DeleteTags",
+        "ec2:DeleteVpc",
+        "ec2:DeleteVpcEndpoints",
+        "ec2:DescribeAccountAttributes",
+        "ec2:DescribeAddresses",
+        "ec2:DescribeAvailabilityZones",
+        "ec2:DescribeCarrierGateways",
+        "ec2:DescribeInstances",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeInternetGateways",
+        "ec2:DescribeEgressOnlyInternetGateways",
+        "ec2:DescribeInstanceTypes",
+        "ec2:DescribeImages",
+        "ec2:DescribeNatGateways",
+        "ec2:DescribeNetworkInterfaces",
+        "ec2:DescribeNetworkInterfaceAttribute",
+        "ec2:DescribeRouteTables",
+        "ec2:DescribeSecurityGroups",
+        "ec2:DescribeSubnets",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeDhcpOptions",
+        "ec2:DescribeVpcAttribute",
+        "ec2:DescribeVpcEndpoints",
+        "ec2:DescribeVolumes",
+        "ec2:DescribeTags",
+        "ec2:DetachInternetGateway",
+        "ec2:DisassociateRouteTable",
+        "ec2:DisassociateAddress",
+        "ec2:ModifyInstanceAttribute",
+        "ec2:ModifyNetworkInterfaceAttribute",
+        "ec2:ModifySubnetAttribute",
+        "ec2:ReleaseAddress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:RunInstances",
+        "tag:GetResources",
+        "elasticloadbalancing:AddTags",
+        "elasticloadbalancing:CreateLoadBalancer",
+        "elasticloadbalancing:ConfigureHealthCheck",
+        "elasticloadbalancing:DeleteLoadBalancer",
+        "elasticloadbalancing:DeleteTargetGroup",
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "elasticloadbalancing:DescribeLoadBalancerAttributes",
+        "elasticloadbalancing:DescribeTargetGroups",
+        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "elasticloadbalancing:SetSecurityGroups",
+        "elasticloadbalancing:DescribeTags",
+        "elasticloadbalancing:ModifyLoadBalancerAttributes",
+        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+        "elasticloadbalancing:RemoveTags",
+        "elasticloadbalancing:SetSubnets",
+        "elasticloadbalancing:ModifyTargetGroupAttributes",
+        "elasticloadbalancing:CreateTargetGroup",
+        "elasticloadbalancing:DescribeListeners",
+        "elasticloadbalancing:CreateListener",
+        "elasticloadbalancing:DescribeTargetHealth",
+        "elasticloadbalancing:RegisterTargets",
+        "elasticloadbalancing:DeleteListener",
+        "autoscaling:DescribeAutoScalingGroups",
+        "autoscaling:DescribeInstanceRefreshes",
+        "ec2:CreateLaunchTemplate",
+        "ec2:CreateLaunchTemplateVersion",
+        "ec2:DescribeLaunchTemplates",
+        "ec2:DescribeLaunchTemplateVersions",
+        "ec2:DeleteLaunchTemplate",
+        "ec2:DeleteLaunchTemplateVersions",
+        "ec2:DescribeKeyPairs",
+        "aws-marketplace:MeterUsage",
+        "ec2:DescribeAvailabilityZones",
+        "ec2:DescribeRegions",
+        "eks:DescribeNodegroup",
+        "eks:DescribeCluster",
+        "eks:ListClusters",
+        "eks:DescribeClusterVersions",
+        "sts:GetCallerIdentity",
+        "servicequotas:ListServiceQuotas",
+        "iam:ListRoles"
+      ],
+      "Resource": "*",
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "eks:*"
+      ],
+      "Resource": [
+        "arn:aws:eks:*:*:cluster/*",
+        "arn:aws:eks:*:*:nodegroup/*",
+        "arn:aws:eks:*:*:addon/*",
+        "arn:aws:eks:*:*:fargateprofile/*",
+        "arn:aws:eks:*:*:identityproviderconfig/*",
+        "arn:aws:eks:*:*:eks-anywhere-subscription/*",
+        "arn:aws:eks:*:*:podidentityassociation/*",
+        "arn:aws:eks:*:*:access-entry/*",
+        "arn:aws:eks:*:aws:cluster-access-policy/*"
+      ],
+      "Effect": "Allow"
+    },
+    {
+      "Action": [
+        "iam:ListOpenIDConnectProviderTags",
+        "iam:GetOpenIDConnectProvider",
+        "iam:CreateOpenIDConnectProvider",
+        "iam:DeleteOpenIDConnectProvider",
+        "iam:TagOpenIDConnectProvider",
+        "iam:UntagOpenIDConnectProvider",
+        "iam:UpdateOpenIDConnectProviderThumbprint"
+      ],
+      "Resource": [
+        "arn:*:iam::*:oidc-provider/oidc.eks*"
+      ],
+      "Effect": "Allow"
+    }
+  ]
+}
