@sjenning
Last active October 28, 2020 07:55
Minimum AWS IAM Privileges for OCP4

Permissions needed for install (IPI)

https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L32-L214

Below is what is required to operate in the UPI case (untested and not verified).

image-registry user

needed for integrated registry

  • s3:CreateBucket
  • s3:DeleteBucket
  • s3:PutBucketTagging
  • s3:GetBucketTagging
  • s3:PutBucketPublicAccessBlock
  • s3:GetBucketPublicAccessBlock
  • s3:PutEncryptionConfiguration
  • s3:GetEncryptionConfiguration
  • s3:PutLifecycleConfiguration
  • s3:GetLifecycleConfiguration
  • s3:GetBucketLocation
  • s3:ListBucket
  • s3:HeadBucket
  • s3:GetObject
  • s3:PutObject
  • s3:DeleteObject
  • s3:ListBucketMultipartUploads
  • s3:AbortMultipartUpload

machine-api user

needed for cluster autoscaling

  • ec2:CreateTags
  • ec2:DescribeAvailabilityZones
  • ec2:DescribeImages
  • ec2:DescribeInstances
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeVpcs
  • ec2:RunInstances
  • ec2:TerminateInstances
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:RegisterInstancesWithLoadBalancer
  • elasticloadbalancing:RegisterTargets
  • iam:PassRole

openshift-ingress user

needed for Route integration

  • elasticloadbalancing:DescribeLoadBalancers
  • route53:ListHostedZones
  • route53:ChangeResourceRecordSets
  • tag:GetResources

master role

kube-controller-manager

https://blog.scottlowe.org/2018/09/28/setting-up-the-kubernetes-aws-cloud-provider/

Service Controller (pkg/controller/service)

needed for Service type LoadBalancer

  • ec2:AuthorizeSecurityGroupIngress
  • ec2:CreateSecurityGroup
  • ec2:CreateTags
  • ec2:DeleteTags
  • ec2:DeleteSecurityGroup
  • ec2:DescribeAccountAttributes
  • ec2:DescribeAddresses
  • ec2:DescribeInstances
  • ec2:DescribeInstanceStatus
  • ec2:DescribeInternetGateways
  • ec2:DescribeNetworkInterfaces
  • ec2:DescribeSecurityGroups
  • ec2:DescribeSubnets
  • ec2:DescribeTags
  • ec2:DescribeVpcs
  • ec2:ModifyInstanceAttribute
  • ec2:ModifyNetworkInterfaceAttribute
  • ec2:RevokeSecurityGroupIngress
  • elasticloadbalancing:CreateLoadBalancer
  • elasticloadbalancing:DeleteLoadBalancer
  • elasticloadbalancing:DescribeLoadBalancers
  • elasticloadbalancing:AddTags
  • elasticloadbalancing:RegisterInstancesWithLoadBalancer
  • elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  • elasticloadbalancing:CreateLoadBalancerPolicy
  • elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
  • elasticloadbalancing:SetLoadBalancerPoliciesOfListener
  • elasticloadbalancing:DescribeLoadBalancerPolicies
  • elasticloadbalancing:DetachLoadBalancerFromSubnets
  • elasticloadbalancing:AttachLoadBalancerToSubnets
  • elasticloadbalancing:CreateLoadBalancerListeners
  • elasticloadbalancing:DeleteLoadBalancerListeners
  • elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
  • elasticloadbalancing:ConfigureHealthCheck
  • elasticloadbalancing:DescribeLoadBalancerAttributes
  • elasticloadbalancing:ModifyLoadBalancerAttributes
  • elasticloadbalancing:CreateTargetGroup
  • elasticloadbalancing:DescribeTargetGroups
  • elasticloadbalancing:ModifyTargetGroup
  • elasticloadbalancing:DeleteTargetGroup
  • elasticloadbalancing:DescribeTargetHealth
  • elasticloadbalancing:DescribeTargetGroupAttributes
  • elasticloadbalancing:ModifyTargetGroupAttributes
  • elasticloadbalancing:RegisterTargets
  • elasticloadbalancing:DeregisterTargets
  • elasticloadbalancing:CreateListener
  • elasticloadbalancing:DescribeListeners
  • elasticloadbalancing:DeleteListener
  • elasticloadbalancing:ModifyListener

also see https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html

Route Controller (pkg/controller/route)

Not used for AWS; GCP only, where the pod network is managed by the cloud provider.

  • ec2:DescribeRouteTables
  • ec2:CreateRoute
  • ec2:DeleteRoute

EBS Dynamic Provisioning Controller (pkg/volume/awsebs)

needed for dynamic EBS provisioning (StorageClass)

  • ec2:DescribeVolumes
  • ec2:CreateVolume
  • ec2:DeleteVolume

AttachDetach controller (pkg/controller/volume/attachdetach)

needed to automatically attach and detach EBS volumes from instances

  • ec2:DescribeInstances
  • ec2:AttachVolume
  • ec2:DetachVolume

Nodelifecycle controller (pkg/controller/nodelifecycle)

needed to detect new nodes and remove nodes that have been removed in the cloud provider

  • ec2:DescribeInstances

worker Instance Role

needed for the kubelet to populate AWS information about itself in the Node resource

  • ec2:DescribeInstances
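The lists above are the allowlist; the natural next step is to turn one of them into an actual policy document and to check that whatever policy ends up attached to the user grants that list and nothing more. The script below is an added example, not part of the gist: it builds an IAM policy from the image-registry and openshift-ingress action lists (transcribed from above; the other components follow the same pattern) and audits a given policy against a list, flagging wildcard actions, actions outside the list, and listed actions that are missing. The bucket name and the over-broad `s3:*` policy it audits are constructed for the demonstration.

```python
"""Generate least-privilege IAM policy documents from the per-component action
lists above, and audit an existing policy against one of those lists."""
import fnmatch
import json

# Transcribed from the lists above: actions for the image-registry and
# openshift-ingress users. The other components follow the same pattern.
IMAGE_REGISTRY_ACTIONS = [
    "s3:CreateBucket", "s3:DeleteBucket", "s3:PutBucketTagging", "s3:GetBucketTagging",
    "s3:PutBucketPublicAccessBlock", "s3:GetBucketPublicAccessBlock",
    "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration",
    "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration",
    "s3:GetBucketLocation", "s3:ListBucket", "s3:HeadBucket", "s3:GetObject",
    "s3:PutObject", "s3:DeleteObject", "s3:ListBucketMultipartUploads",
    "s3:AbortMultipartUpload",
]
OPENSHIFT_INGRESS_ACTIONS = [
    "elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones",
    "route53:ChangeResourceRecordSets", "tag:GetResources",
]


def build_policy(actions, resources="*", sid=None):
    """Return an IAM identity policy granting exactly `actions` on `resources`."""
    statement = {"Effect": "Allow", "Action": sorted(set(actions)), "Resource": resources}
    if sid:
        statement["Sid"] = sid
    return {"Version": "2012-10-17", "Statement": [statement]}


def _as_list(value):
    # IAM accepts either a bare string or a list for Statement, Action and Resource.
    return value if isinstance(value, list) else [value]


def audit_policy(policy, allowed_actions):
    """Compare the Allow statements of `policy` with an allowlist of actions.

    Returns a dict with:
      wildcards: action patterns containing * or ? (over-broad by construction)
      excess:    patterns or actions that grant something outside the allowlist
      missing:   allowlisted actions the policy does not grant
    Action names are compared case-insensitively, as IAM evaluates them.
    """
    allowed = {a.lower(): a for a in allowed_actions}
    findings = {"wildcards": [], "excess": [], "missing": []}
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements can only narrow access; not relevant here
        for pattern in _as_list(stmt.get("Action", [])):
            key = pattern.lower()
            if "*" in key or "?" in key:
                findings["wildcards"].append(pattern)
                findings["excess"].append(pattern)  # also grants actions outside the list
                granted.update(a for a in allowed if fnmatch.fnmatchcase(a, key))
            elif key in allowed:
                granted.add(key)
            else:
                findings["excess"].append(pattern)
    findings["missing"] = sorted(allowed[k] for k in set(allowed) - granted)
    return findings


def registry_policy(bucket_name):
    """Image-registry policy scoped to one bucket and the objects inside it."""
    arn = f"arn:aws:s3:::{bucket_name}"
    return build_policy(IMAGE_REGISTRY_ACTIONS, resources=[arn, f"{arn}/*"], sid="ImageRegistry")


if __name__ == "__main__":
    # Constructed bucket name; substitute the cluster's registry bucket.
    print(json.dumps(registry_policy("EXAMPLE-REGISTRY-BUCKET"), indent=2))
    # Constructed over-broad policy of the kind a quick setup often leaves behind.
    broad = {"Version": "2012-10-17",
             "Statement": {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}}
    print(audit_policy(broad, IMAGE_REGISTRY_ACTIONS))
```

Scoping the S3 resource to a single bucket only works when the bucket name is fixed before the registry operator runs; if the operator generates the name, the bucket-level actions have to stay on `"*"` and the object-level ones can still be narrowed afterwards. The same audit applies to the machine-api list, where `iam:PassRole` in particular should be restricted to the worker instance role ARN rather than left on `"*"`.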
@AndreaFerraresi

We are currently testing this at customer side. For the installation we are still using a privileged account though; will give further feedback as soon as I have it.
