IAM policy reference

The cluster operator role, the master role, and the worker role require IAM policies to create and manage cloud resources in an advanced cluster. This section describes the actions that each role requires in the IAM policies.

Cluster operator role actions

Add actions to the IAM policy for the cluster operator role to allow the role to create and manage cloud resources.
The cluster operator role requires actions defined by the following services on AWS:

Amazon EC2 actions

Amazon Elastic Compute Cloud (EC2) provides computing resources on the cloud. Amazon EC2 actions must apply to all AWS resources.

Internet gateway

The following table describes the actions for internet gateways:
Action | Description
ec2:CreateInternetGateway | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:AttachInternetGateway | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DescribeInternetGateways | Required. Describes the internet gateway.
ec2:DetachInternetGateway | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DeleteInternetGateway | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.

Key pair

The cluster operator creates AWS EC2 key pairs, which allow end users to connect to EC2 instances. The cluster operator role requires the following actions to manage key pairs:
ec2:CreateKeyPair
ec2:ImportKeyPair
ec2:DescribeKeyPairs
ec2:DeleteKeyPair

Network

The cluster operator role requires the ec2:DescribeNetworkInterfaces action to describe network interfaces.

Route

The cluster operator role requires the following actions only when the Secure Agent creates a VPC and subnets for the cluster:
ec2:CreateRoute
ec2:DeleteRoute
The Secure Agent creates a VPC and subnets by default.

Route table

The following table describes the actions for route tables:
Action | Description
ec2:CreateRouteTable | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DescribeRouteTables | Required. Returns route table details.
ec2:ReplaceRouteTableAssociation | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:AssociateRouteTable | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DisassociateRouteTable | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DeleteRouteTable | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.

VPC

The following table describes the actions for VPCs:
Action | Description
ec2:CreateVpc | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DescribeVpcs | Required. Describes VPC details.
ec2:ModifyVpcAttribute | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DeleteVpc | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.

Subnet

The following table describes the actions for subnets:
Action | Description
ec2:CreateSubnet | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DescribeSubnets | Required. Describes subnet details.
ec2:DeleteSubnet | Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.

Security group

The following table describes the actions for security groups:
Action | Description
ec2:CreateSecurityGroup | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
ec2:DescribeSecurityGroups | Required. Describes security group details.
ec2:AuthorizeSecurityGroupEgress | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
ec2:AuthorizeSecurityGroupIngress | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
ec2:RevokeSecurityGroupEgress | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
ec2:RevokeSecurityGroupIngress | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
ec2:DeleteSecurityGroup | Optional. Required only if you want to create and use user-defined Amazon EC2 security groups.
For more information about user-defined security groups, see Step 4. Create user-defined security groups for Amazon EC2.

Tags

The following table describes the actions for tags:
Action | Description
ec2:CreateTags | Required. Adds tags for Kubernetes infrastructure, such as Amazon EC2. Kubernetes identifies resources through tags. Tags allow you to manage resources and add conditional statements.
ec2:DescribeTags | Required. Describes tags for Kubernetes infrastructure, such as Amazon EC2.
ec2:DeleteTags | Required. Deletes tags for Kubernetes infrastructure, such as Amazon EC2.

Volumes

The cluster operator manages etcd volumes directly. An advanced cluster uses etcd volumes to store metadata. The cluster operator role requires the following actions to manage etcd volumes:
ec2:CreateVolume
ec2:DescribeVolumes
ec2:DeleteVolume

Image

The cluster operator role requires the ec2:DescribeImages action to get the AMI (Amazon Machine Image) details from the Amazon EC2 instance.

Instances

The following table describes the actions for instances:
Action | Description
ec2:DescribeInstanceAttribute | Required. Gets details of the created Amazon EC2 instances.
ec2:ModifyInstanceAttribute | Required. Allows the cluster operator to manage and create Amazon EC2 instances.
ec2:RunInstances | Required. Allows the cluster operator to manage and create Amazon EC2 instances.
ec2:DescribeInstances, ec2:DescribeInstanceTypes | Required. Gets details of the created Amazon EC2 instances.
ec2:TerminateInstances | Required. Terminates EC2 instances created by the cluster operator role.

Region

The following table describes the actions for regions:
Action | Description
ec2:DescribeRegions | Required. Describes the region you selected in the advanced configuration.
ec2:DescribeAvailabilityZones | Required. Describes details of availability zones.

Launch template

The cluster operator uses a launch template to launch EC2 instances. The cluster operator role requires the following actions to manage launch templates:
ec2:CreateLaunchTemplate
ec2:DescribeLaunchTemplates
ec2:DeleteLaunchTemplate
ec2:CreateLaunchTemplateVersion
ec2:DescribeLaunchTemplateVersions
ec2:DeleteLaunchTemplateVersions
ec2:GetLaunchTemplateData
ec2:ModifyLaunchTemplate

Amazon S3 actions

The following table lists the Amazon S3 actions that the cluster operator role requires and the resources that each action must apply to:
Action | Resource
s3:GetBucketLocation | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>"
s3:GetEncryptionConfiguration | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>"
s3:ListBucket | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>"
s3:PutObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*"
s3:GetObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*"
s3:GetObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*"
s3:DeleteObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*"
s3:PutObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*"

AWS Auto Scaling actions

The cluster operator uses an Auto Scaling group to manage advanced clusters.
The cluster operator role requires the following actions on all AWS resources for scalable cluster nodes and node recovery:
autoscaling:AttachLoadBalancers
autoscaling:CreateAutoScalingGroup
autoscaling:DescribeAutoScalingGroups
autoscaling:UpdateAutoScalingGroup
autoscaling:DeleteAutoScalingGroup
autoscaling:DescribeScalingActivities
autoscaling:DescribeTags
autoscaling:TerminateInstanceInAutoScalingGroup

AWS Key Management Service actions

The cluster operator role requires the kms:DescribeKey action when root volume encryption is enabled and the customer-managed key (CMK) is provided for the cluster operator role. This action applies to all AWS resources.

AWS Security Token Service actions

The following table describes the STS actions:
Action | Description
sts:AssumeRole | Required when you use the user-defined master role and worker role.
sts:DecodeAuthorizationMessage | Optional. Used to decode the encrypted message received from the AWS response.

Elastic Load Balancing actions

The cluster operator requires a load balancer for high availability, master node access control, and other features.
The cluster operator role requires the following Elastic Load Balancing actions on all AWS resources:
elasticloadbalancing:AddTags
elasticloadbalancing:DescribeTags
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
elasticloadbalancing:AttachLoadBalancerToSubnets
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:DescribeInstanceHealth
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer

Identity and Access Management actions

The Identity and Access Management actions apply to all AWS resources.

Instance profiles

The following table describes the actions for instance profiles:
Action | Description
iam:AddRoleToInstanceProfile | Optional if you do not specify master and worker instance profiles.
iam:CreateInstanceProfile | Optional when you provide master and worker roles.
iam:DeleteInstanceProfile | Optional when you provide master and worker roles.
iam:GetContextKeysForPrincipalPolicy, iam:SimulatePrincipalPolicy | Required. Allows permission validation, including advanced configuration validation and upgrade validation.
iam:GetInstanceProfile | Required. Retrieves information about the specified instance profile, including the instance profile path, GUID, ARN, and role.
iam:ListInstanceProfiles | Required. Lists the instance profiles that have the specified path prefix.

Roles

The following table describes the actions for IAM roles:
Action | Description
iam:CreateRole | Optional when you provide master and worker roles.
iam:CreateServiceLinkedRole | Required. Creates an IAM role that is linked to a specific AWS service.
iam:DeleteRole | Optional when you provide master and worker roles.
iam:GetRole | Required. Retrieves information about the specified role, including the role path.
iam:ListRolePolicies | Required. Retrieves information about the specified role, including the role path.
iam:ListRoles | Required. Retrieves information about the specified role, including the role path.

Policies

The following table describes the actions for IAM policies:
Action | Description
iam:AttachRolePolicy, iam:DeleteRolePolicy, iam:DetachRolePolicy, iam:PutRolePolicy | Optional when you provide master and worker roles.
iam:GetRolePolicy | Required. Retrieves the specified inline policy document that AWS embeds with the specified IAM role.
iam:ListAttachedRolePolicies | Required. Lists all managed policies that are attached to the specified IAM role.
iam:ListInstanceProfilesForRole | Required. Lists the instance profiles that have the associated IAM role.
iam:RemoveRoleFromInstanceProfile | Required. Removes the specified IAM role from the specified EC2 instance profile.

Users

The cluster operator role requires the iam:GetUser action to retrieve information about the specified IAM user, including the path, unique ID, and ARN.

Pricing actions

The cluster operator role requires pricing actions to access prices on AWS. The cluster operator role uses AWS prices to select Spot Instances and to calculate infrastructure cost savings for advanced clusters that use a CLAIRE-powered configuration.
The following table describes the pricing actions:
Action | Description
pricing:DescribeServices | Required if you use a CLAIRE-powered configuration. Gets AWS service products and pricing.
pricing:GetAttributeValues | Required if you use a CLAIRE-powered configuration. Gets AWS service products and pricing.
pricing:GetProducts | Required if you use Spot Instances or a CLAIRE-powered configuration. Gets AWS service products and pricing.

Master role actions

Add actions to the IAM policy for the master role to allow the role to access and manage cloud resources.
The master role requires actions defined by the following services on AWS:

Amazon EC2 actions

Amazon Elastic Compute Cloud (EC2) provides computing resources on the cloud. Amazon EC2 actions must apply to all AWS resources.
The following table describes the actions that the master role requires:
Action | Description
ec2:DescribeInstances | Required. Allows Kubernetes to describe instances.
ec2:DescribeRegions | Required. Allows Kubernetes to describe regions.
ec2:CreateRoute | Optional. Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:DescribeRouteTables | Required. Sets up Kubernetes infrastructure.
ec2:DeleteRoute | Optional. Required only when the Secure Agent creates a VPC and subnets for the cluster. The Secure Agent creates a VPC and subnets by default.
ec2:CreateSecurityGroup, ec2:AuthorizeSecurityGroupIngress, ec2:RevokeSecurityGroupIngress, ec2:DeleteSecurityGroup | Optional. Required only when you use the default security groups that the cluster operator role creates.
ec2:DescribeSubnets | Required. Used when creating the master node, for example to describe the details of subnets.
ec2:DescribeVpcs | Required. Used when creating the master node, for example to describe the details of a VPC.
ec2:CreateTags | Required. Adds tags for Kubernetes infrastructure such as EC2.
ec2:ModifyInstanceAttribute | Required. Modifies attributes of an instance.
ec2:CreateVolume | Required. Creates storage such as EBS volumes.
ec2:DescribeVolumes | Required. Gets details of the created volumes for the EC2 node.
ec2:DescribeVolumesModifications | Required. Describes the most recent volume modification request for the specified EBS volumes.
ec2:ModifyVolume | Required. Modifies the volumes.
ec2:AttachVolume | Required. Attaches the volumes.
ec2:DetachVolume | Required. Detaches the created volumes.
ec2:DeleteVolume | Required. Deletes the created volumes.

Amazon S3 actions

The following table describes the Amazon S3 actions that the master role requires and the resources that each action must apply to:
Action | Resource | Description
s3:GetBucketLocation | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>", "arn:aws:s3:::<cluster-init-script-bucket-name>" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:GetEncryptionConfiguration | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>" | Required.
s3:ListBucket | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>", "arn:aws:s3:::<cluster-init-script-bucket-name>" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:PutObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:GetObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:GetObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*", "arn:aws:s3:::<cluster-init-script-dir>/*" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:DeleteObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:PutObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.

AWS Auto Scaling actions

The master node manages the Auto Scaling group to enable scalable cluster nodes and node recovery.
The master role requires the following actions to manage the Auto Scaling group:
autoscaling:DescribeAutoScalingInstances
autoscaling:DescribeTags
autoscaling:DescribeAutoScalingGroups
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeScalingActivities
autoscaling:SetDesiredCapacity
autoscaling:TerminateInstanceInAutoScalingGroup
autoscaling:UpdateAutoScalingGroup

AWS Key Management Service actions

The master role requires the following actions on all AWS resources to manage access to master keys:
kms:Encrypt
kms:Decrypt
kms:ReEncrypt
kms:GenerateDataKey
kms:DescribeKey

Elastic Load Balancing actions

The master node manages load balancing rules for an advanced cluster.
The master role requires the following actions on all AWS resources:
elasticloadbalancing:AddTags
elasticloadbalancing:AttachLoadBalancerToSubnets
elasticloadbalancing:DetachLoadBalancerFromSubnets
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:DescribeLoadBalancers
elasticloadbalancing:DeleteLoadBalancer
elasticloadbalancing:DescribeListeners
elasticloadbalancing:ModifyListener
elasticloadbalancing:DeleteLoadBalancerListeners
elasticloadbalancing:DescribeLoadBalancerAttributes
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer
elasticloadbalancing:DeregisterInstancesFromLoadBalancer
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
elasticloadbalancing:DescribeListener
elasticloadbalancing:DeleteListener
elasticloadbalancing:DescribeTargetGroups
elasticloadbalancing:ModifyTargetGroup
elasticloadbalancing:RegisterTargets
elasticloadbalancing:DescribeTargetHealth
elasticloadbalancing:DeleteTargetGroup
elasticloadbalancing:DeregisterTargets
elasticloadbalancing:SetLoadBalancerPoliciesOfListener
elasticloadbalancing:DescribeLoadBalancerPolicies

Identity and Access Management actions

The Identity and Access Management actions apply to all AWS resources.
The following table describes the actions:
Action | Description
iam:ListServerCertificates | Required. Lists server certificates.
iam:GetServerCertificate | Required. Gets server certificates.

Worker role actions

Add actions to the IAM policy for the worker role to allow the role to access and manage cloud resources.
The worker role requires actions defined by the following services on AWS:

Amazon EC2 actions

Amazon Elastic Compute Cloud (EC2) provides computing resources on the cloud.
The following table describes the Amazon EC2 actions that the worker role requires:
Action | Resource | Description
ec2:DescribeInstances | All -- "*" | Required. Allows Kubernetes to describe instances.
ec2:DescribeRegions | All -- "*" | Required. Allows Kubernetes to describe regions.
ec2:CreateTags | All -- "*" | Required. Adds tags for Kubernetes infrastructure, for example EC2.
ec2:DescribeVolumes | All -- "*" | Required for storage scaling.
ec2:CreateVolume | All -- "*" | Required for storage scaling.
ec2:ModifyInstanceAttribute | All -- "*" | Required for storage scaling.
ec2:AttachVolume | "arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:instance/*" | Required for storage scaling.

Amazon S3 actions

The following table describes the Amazon S3 actions that the worker role requires and the resources that each action must apply to:
Action | Resource | Description
s3:GetBucketLocation | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>", "arn:aws:s3:::<cluster-init-script-bucket-name>" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:GetEncryptionConfiguration | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>" | Required.
s3:ListBucket | "arn:aws:s3:::<cluster-staging-bucket-name>", "arn:aws:s3:::<cluster-logging-bucket-name>", "arn:aws:s3:::<cluster-init-script-bucket-name>" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:PutObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:GetObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:GetObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*", "arn:aws:s3:::<cluster-init-script-dir>/*" | Required. The action must apply to the initialization script location if you use an initialization script to start the cluster.
s3:DeleteObject | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.
s3:PutObjectAcl | "arn:aws:s3:::<cluster-staging-dir>/*", "arn:aws:s3:::<cluster-logging-dir>/*" | Required.

AWS Auto Scaling actions

The worker role requires Auto Scaling actions on all AWS resources.
The following table describes the Auto Scaling actions:
Action | Description
autoscaling:DescribeAutoScalingInstances | Required. Allows Kubernetes to describe autoscaling instances.
autoscaling:DescribeTags | Required. Allows Kubernetes to describe tags.

AWS Key Management Service actions

The worker role requires the following actions on all AWS resources to manage access to master keys:
kms:Encrypt
kms:Decrypt
kms:ReEncrypt
kms:GenerateDataKey
kms:DescribeKey