Eksctl: Document minimum IAM requirements

Created on 11 Sep 2018 · 37 comments · Source: weaveworks/eksctl

It would be nice to have a documentation listing the minimum IAM permissions to run eksctl.

I'm trying to set this up with a minimum service account, and now I have to add dependencies one by one.

If they were documented as a YAML that would be the best!

help wanted

All 37 comments

@NunoPinheiro I'd recommend creating a cluster with an admin account, looking at all resources that get created, and using those as a basis to define a restricted policy.

Please note that we have #122. The code already accommodates for separating out IAM resources, all the resources are defined here:

https://github.com/weaveworks/eksctl/blob/6a4932de65265906aa91363d4eb1b02ae6dddda5/pkg/cfn/builder/iam.go

It should be fairly doable to implement what's being discussed in #122.

I believe @mhausenblas was looking into this also.
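The approach suggested above (create a cluster with an admin principal and record what gets called) can be mechanised from CloudTrail instead of by adding permissions one at a time. The script below is an added example for this page, not eksctl code and not something posted in the thread; it runs over constructed CloudTrail-shaped records embedded inline (the principal ARN, account ID and events are made up). It encodes two things the trial-and-error loop in this thread keeps tripping over: when no service role is given, the calls CloudFormation makes on the caller's behalf are logged under the caller's ARN with an `invokedBy` field, so they must be kept, not filtered out; and `iam:PassRole` and `iam:CreateServiceLinkedRole` are checked inside other API calls and never appear as CloudTrail events of their own, so they are added from a table. The assumption that a CloudTrail `eventName` equals the IAM action name holds for the services here but not for every AWS API.

```python
import json
from collections import defaultdict

# Constructed CloudTrail records for illustration (not captured from a real
# account). Only the fields this script reads are present.
SAMPLE_EVENTS = [
    {"eventSource": "sts.amazonaws.com", "eventName": "GetCallerIdentity",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeAvailabilityZones",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci"}},
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci"}},
    # Without a service role, CloudFormation calls other services with the
    # caller's credentials; the record keeps the caller's ARN and adds invokedBy.
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateVpc",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "autoscaling.amazonaws.com", "eventName": "CreateAutoScalingGroup",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci",
                      "invokedBy": "cloudformation.amazonaws.com"}},
    # A denied call is the most useful record: it is exactly the permission
    # the add-one-permission-and-retry loop in this thread is hunting for.
    {"eventSource": "ec2.amazonaws.com", "eventName": "ImportKeyPair",
     "errorCode": "Client.UnauthorizedOperation",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/eksctl-ci"}},
    # Unrelated principal in the same trail; must be ignored.
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::123456789012:user/alice"}},
]

# Permissions evaluated inside another API call, which therefore never show up
# as their own CloudTrail event. Based on the Auto Scaling docs quoted later in
# this thread plus the EC2/EKS PassRole cases; not exhaustive, extend as needed.
IMPLICIT_ACTIONS = {
    "ec2:RunInstances": ["iam:PassRole"],
    "eks:CreateCluster": ["iam:PassRole"],
    "autoscaling:CreateAutoScalingGroup": ["iam:PassRole", "iam:CreateServiceLinkedRole"],
}

DENIAL_CODES = ("AccessDenied", "Client.UnauthorizedOperation")


def _action(event):
    # "ec2.amazonaws.com" + "CreateVpc" -> "ec2:CreateVpc"
    return f"{event['eventSource'].split('.')[0]}:{event['eventName']}"


def actions_from_events(events, principal_arn):
    """IAM actions the principal invoked or was refused, plus implicit ones."""
    actions = set()
    for event in events:
        if event.get("userIdentity", {}).get("arn") != principal_arn:
            continue
        action = _action(event)
        actions.add(action)
        actions.update(IMPLICIT_ACTIONS.get(action, []))
    return actions


def denied_actions(events, principal_arn):
    """Actions the principal attempted and was refused: the gaps to fix first."""
    return sorted(
        _action(event) for event in events
        if event.get("userIdentity", {}).get("arn") == principal_arn
        and event.get("errorCode") in DENIAL_CODES
    )


def build_policy(actions):
    """One Allow statement per service with Resource "*". Narrowing Resource
    (e.g. to role/eksctl-*) is still a manual step after this."""
    by_service = defaultdict(list)
    for action in actions:
        by_service[action.split(":")[0]].append(action)
    statements = [
        {"Sid": f"{service.capitalize()}Access", "Effect": "Allow",
         "Action": sorted(acts), "Resource": "*"}
        for service, acts in sorted(by_service.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    principal = "arn:aws:iam::123456789012:user/eksctl-ci"
    print("denied:", denied_actions(SAMPLE_EVENTS, principal))
    print(json.dumps(build_policy(actions_from_events(SAMPLE_EVENTS, principal)), indent=2))
```

Point it at real trail records by loading the `Records` array from the CloudTrail JSON files for the time window of one `eksctl create cluster` run (and one `eksctl delete cluster`, since deletion needs its own set of actions), filtered to the principal eksctl used.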

Here are the minimum AWS IAM permissions to create and delete clusters via eksctl

I verified them by running eksctl create cluster about 30 times adding permissions one by one.

CloudFormation

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "eksCtlCloudFormation",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        }
    ]
}

EKS

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

AutoScaling

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations"
            ],
            "Resource": "*"
        }
    ]
}

IAM

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
            ]
        }
    ]
}

Networking

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EksInternetGateway",
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Sid": "EksNetworking",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*"
        }
    ]
}

@dougireton thank you so much!!

@dougireton @mhausenblas how do you think it would be best to document this? I worry if we just add this to the readme, it will get out of date too soon. Ideally, we should be able to generate this. The code already knows of this, but it's a little indirect.

I tried to create a custom IAM policy out of the above and after a couple of failed attempts (some actions were missing, i.e. ec2:DescribeVpcs and ec2:DescribeAddresses and autoscaling:DescribeScalingActivities), I managed to create a working custom IAM policy:

1. Create a custom IAM policy out of this JSON

Note that you need to replace <AWS Acct Id> with your AWS account ID. To get it:

  1. Click My Account
  2. Your 12-digit account ID is listed under Account Settings
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*"
        }
    ]
}

2. Create a new IAM service role for CloudFormation and attach the above policy

3. Run eksctl create cluster

and it should work!


I'll be happy to create a Pull Request out of this, if you want me to.

Thanks everyone for sharing so well-documented steps!

Why is DeleteInternetGateway in the perms twice, once for resource * and once for resource "arn:aws:ec2:*:*:internet-gateway/*"? Shouldn't the former include the latter @VojtechVitek ?

@bensussman The above is not an official list of IAM policies; I compiled it while playing with eksctl and we don't really use it in production. Feel free to improve as you want.
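On the question of the duplicated DeleteInternetGateway: an Allow with Resource "*" does cover the internet-gateway ARN pattern, so the narrower statement adds nothing (it is harmless, just noise). The evaluator below is an added example for this page, not code from the thread or from eksctl. It models IAM's wildcard and case rules (Conditions are not modelled) over a constructed policy with a made-up account ID, reports statements that another statement already covers, and flags the escalation-prone grants these policies contain: `iam:AttachRolePolicy` on `role/eksctl-*` with no Condition on `iam:PolicyARN` means any managed policy, AdministratorAccess included, can be attached to a role the same principal is also allowed to pass to an instance.

```python
import re

# Constructed policy for illustration (not the thread's full policy). It keeps
# the two DeleteInternetGateway statements asked about above and an IAM
# statement scoped to eksctl-* roles, with a made-up account ID.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EksInternetGateway", "Effect": "Allow",
         "Action": "ec2:DeleteInternetGateway",
         "Resource": "arn:aws:ec2:*:*:internet-gateway/*"},
        {"Sid": "EksNetworking", "Effect": "Allow",
         "Action": ["ec2:DeleteInternetGateway", "ec2:CreateVpc"],
         "Resource": "*"},
        {"Sid": "EksIam", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:AttachRolePolicy", "iam:PassRole"],
         "Resource": "arn:aws:iam::123456789012:role/eksctl-*"},
    ],
}

# Actions that hand out more than they name. AttachRolePolicy/PutRolePolicy on
# a role the principal can also pass to EC2 yields whatever policy gets
# attached, AdministratorAccess included, unless a Condition limits it.
ESCALATION_ACTIONS = ("iam:PassRole", "iam:AttachRolePolicy",
                      "iam:PutRolePolicy", "iam:CreateRole")


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _match(pattern, value, ignore_case):
    """IAM wildcard semantics: '*' matches any run, '?' a single character."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def statement_matches(stmt, action, resource):
    """Action names compare case-insensitively, ARNs do not. Conditions are
    not modelled, so a statement with a Condition is treated as unconditional."""
    act = any(_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
    res = any(_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
    return act and res


def is_allowed(policy, action, resource):
    """Explicit Deny wins; no matching Allow is an implicit deny."""
    allowed = False
    for stmt in policy["Statement"]:
        if statement_matches(stmt, action, resource):
            if stmt.get("Effect") == "Deny":
                return False
            allowed = True
    return allowed


def redundant_statements(policy):
    """Sids of Allow statements whose every action/resource pattern is already
    covered by another Allow statement (a narrow ARN next to Resource "*")."""
    allows = [s for s in policy["Statement"] if s.get("Effect") == "Allow"]
    redundant = []
    for stmt in allows:
        others = [o for o in allows if o is not stmt]
        covered = all(
            any(statement_matches(o, a, r) for o in others)
            for a in _as_list(stmt["Action"])
            for r in _as_list(stmt["Resource"])
        )
        if covered:
            redundant.append(stmt.get("Sid"))
    return redundant


def escalation_findings(policy):
    """(Sid, action, reason) for escalation-prone IAM actions that are either
    unscoped (Resource "*") or, for policy attachment, granted with no Condition."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in ESCALATION_ACTIONS:
            if not any(_match(p, action, True) for p in _as_list(stmt["Action"])):
                continue
            if "*" in _as_list(stmt["Resource"]):
                findings.append((stmt.get("Sid"), action, "Resource is *"))
            elif action in ("iam:AttachRolePolicy", "iam:PutRolePolicy") and "Condition" not in stmt:
                findings.append((stmt.get("Sid"), action,
                                 "no Condition limiting which policy can be attached"))
    return findings


if __name__ == "__main__":
    igw = "arn:aws:ec2:us-west-2:123456789012:internet-gateway/igw-0123"
    print("delete igw allowed:", is_allowed(POLICY, "ec2:DeleteInternetGateway", igw))
    print("redundant:", redundant_statements(POLICY))
    for finding in escalation_findings(POLICY):
        print("finding:", finding)
```

For the real thing, the IAM policy simulator (`aws iam simulate-custom-policy`) evaluates Conditions and service-specific rules that this toy skips; the value of the local version is that it runs in CI against the JSON in the repo before anyone applies it.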

💔 @VojtechVitek bummer. Is the idea that users of eksctl are required to figure out the set of perms themselves? I used the set of perms listed in https://github.com/weaveworks/eksctl/issues/204#issuecomment-450450945 and it did not work for me:

$ eksctl create cluster -n $CLUSTER_NAME -r us-west-2 --version 1.11 --nodegroup-name $NODEGROUP_NAME -t m5.large --nodes-min $MIN_NODES --nodes-max $MAX_NODES --node-volume-size 50 --ssh-access --ssh-public-key shared-key --asg-access --profile EksctlCreator
[ℹ]  using region us-west-2
[✖]  getting availability zones: getting availability zones for us-west-2: UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 8ca46cb5-e89e-...

I added ec2:DescribeAvailabilityZones and it let me move on to the next one, looks like it's unable to find the ami-0c28139856aaf9c3b. I wonder how any of these IAM policies were made, or has eksctl just changed a bunch in the 2 months since they were written (i doubt that)?

Benjamin, I don't think there were any changes that would affect these. If you need more help, please do connect on Slack and we can discuss in real time. As I pointed out, I am keen to do what would need to be done to close this issue, but some form of help would be appreciated. At present all of my focus is on things related to cluster upgrades.

I got it working by giving it all ec2 permissions ec2:*. It's not a great fix, better to have the exact minimum set of perms, but I wanted to get to working on other stuff.

I would advise someone get the minimum set of perms (not sure if this list above has anything extraneous, but it's certainly missing a few things like DescribeAvailabilityZones, DescribeImage, a bunch of VPC related perms, etc.) and put it in a json file inside the repo so that users can easily grab it and create the appropriate policy for their aws account. For now, i would advise any reader to just use ec2:* in addition to any non-ec2 perms listed above.

We should really automate this! To begin with we can add a command that creates the policy, and use it as part of the integration test suite. Any takers?

I added some missing permissions to the sample policy. Following IAM permissions should be enough to launch EKS cluster with worker nodes in a new VPC using eksctl.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:RunInstances",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*"
        }
    ]
}

These are missing

> I added some missing permissions to the sample policy. Following IAM permissions should be enough to launch EKS cluster with worker nodes in a new VPC using eksctl.

        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
            ]
        },

And if you need to delete a stack as well:

        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:RunInstances",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplateVersions"
            ],
            "Resource": "*"
        }

(And for decoding the authorization error message that you will get in the console without that: sts:DecodeAuthorizationMessage.)

Let's document these completely in a wiki page or somewhere first; so many people are dwelling on the same stuff.

And probably some additional permissions are required for SSH access. Trying to enable it results in:

[X] searching for SSH public key "eksctl-{cluster-name}-nodegroup-{nodegroup-name}-{fingerprint}" in EC2: UnauthorizedOperation:
You are not authorized to perform this operation.
status code: 403, request id: {request-id}

Here is the policy that worked for me. Fixes SSH import key and describe key:
Three permissions were missing:
"ec2:DescribeImageAttribute",
"ec2:DescribeKeyPairs",
"ec2:ImportKeyPair"

So here we have the full policy with @jonin contributions and mine:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::<AWS_ACCOUNT_ID>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/eksctl-*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:RunInstances",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeKeyPairs",
                "ec2:ImportKeyPair"
            ],
            "Resource": "*"
        }
    ]
}
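The policy has now been revised several times in this thread, each time by a few actions, and each revision is another 100-line JSON blob to compare by eye. The script below is an added example for this page, not code from the thread or from eksctl; the two revisions it works on are constructed, abbreviated fragments with a made-up account ID. It flattens policies into individual grants, diffs two revisions, merges them into one canonical document with stable ordering, and checks the merged result against the 6,144-character quota IAM applies to managed policies (IAM does not count whitespace). Action names are normalised because IAM compares them case-insensitively, so `ec2:describeAddresses` in one revision and `ec2:DescribeAddresses` in another are the same grant and must not show up as a diff.

```python
import json
import re

# Two constructed policy revisions standing in for successive versions posted
# in this thread (abbreviated, made-up account ID; not the full documents).
REV1 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeSubnets", "ec2:CreateVpc"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateRole"],
     "Resource": ["arn:aws:iam::123456789012:role/eksctl-*"]},
]}
REV2 = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:describeAddresses", "ec2:CreateVpc", "ec2:ImportKeyPair"],
     "Resource": "*"},
    {"Effect": "Allow", "Action": "ec2:DeleteInternetGateway",
     "Resource": "arn:aws:ec2:*:*:internet-gateway/*"},
    {"Effect": "Allow",
     "Action": ["iam:CreateRole", "iam:PassRole", "iam:AttachRolePolicy"],
     "Resource": ["arn:aws:iam::123456789012:role/eksctl-*"]},
]}

# IAM quota for a customer managed policy; whitespace is not counted.
MANAGED_POLICY_MAX_CHARS = 6144


def _as_list(value):
    return value if isinstance(value, list) else [value]


def normalize_action(action):
    """IAM matches action names case-insensitively. Canonical spelling is a
    lowercase service and a PascalCase operation, so "EC2:describeAddresses"
    and "ec2:DescribeAddresses" are the same grant."""
    service, _, name = action.partition(":")
    return f"{service.lower()}:{name[:1].upper()}{name[1:]}"


def grants(policy):
    """Flatten a policy into (effect, action, resources) triples."""
    out = set()
    for stmt in policy["Statement"]:
        resources = tuple(sorted(_as_list(stmt["Resource"])))
        for action in _as_list(stmt["Action"]):
            out.add((stmt["Effect"], normalize_action(action), resources))
    return out


def diff_policies(old, new):
    """Grants present in `new` but not `old`, and the ones dropped."""
    before, after = grants(old), grants(new)
    return after - before, before - after


def merge_policies(*policies):
    """Union of all grants: one statement per (effect, resource set), actions
    deduplicated and sorted so the output is stable between revisions."""
    groups = {}
    for policy in policies:
        for effect, action, resources in grants(policy):
            groups.setdefault((effect, resources), set()).add(action)
    statements = [
        {"Effect": effect, "Action": sorted(actions),
         "Resource": list(resources) if len(resources) > 1 else resources[0]}
        for (effect, resources), actions in sorted(groups.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


def policy_chars(policy):
    """Size the way IAM measures it against the quota: whitespace excluded."""
    return len(re.sub(r"\s", "", json.dumps(policy)))


def fits_managed_policy(policy):
    return policy_chars(policy) <= MANAGED_POLICY_MAX_CHARS


if __name__ == "__main__":
    added, removed = diff_policies(REV1, REV2)
    print("added:", sorted(added))
    print("removed:", sorted(removed))
    merged = merge_policies(REV1, REV2)
    print(json.dumps(merged, indent=2))
    print("chars:", policy_chars(merged), "fits:", fits_managed_policy(merged))
```

Note that the merge is a plain union: anything one revision dropped on purpose comes back, which is why `diff_policies` prints the removed grants separately so they can be reviewed rather than silently re-added.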

FWIW I had to add the following Resource to the iam-statement from the policy above in order to get this to work:

{
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                [...]
                "iam:CreateServiceLinkedRole"
            ],
            "Resource": [
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/eksctl-*"
            ]
        }
    ]
}

I have all of these permissions in the IAM role I'm using to try to use eksctl create cluster. I have verified using sts that the IAM role expected is the one executing the command. I still get errors saying that I am "not authorized to perform this operation" on eksctl referencing operations I have the permissions to perform in the policy I can directly see. Example:

AWS::EC2::InternetGateway/InternetGateway: CREATE_FAILED – "API: ec2:CreateInternetGateway You are not authorized to perform this operation."

yet the policy contains "ec2:CreateInternetGateway" on Resource "*" - and the IAM user has Administrative Access to the account...

I have run exactly the same command with exactly the same permissions in another account exactly the same way and it works. I cannot find any difference in the accounts other than the non-working one has MFA.. but it only errors out on 3 commands.

I tried to create a cluster under the policies mentioned in https://github.com/weaveworks/eksctl/issues/204#issuecomment-450450945 , but failed. It said that

AWS::AutoScaling::AutoScalingGroup/NodeGroup: CREATE_FAILED – "API: autoscaling:CreateAutoScalingGroup You are not authorized to use launch template: eksctl-cafe-eks-28-nodegroup-standard-workers"

Then I found the document https://docs.aws.amazon.com/autoscaling/ec2/userguide/control-access-using-iam.html, which said that

Users must have additional permissions from Amazon EC2 and IAM to perform certain actions. You specify the following actions in the Action element of an IAM policy statement.

Create an Auto Scaling group using a launch template

autoscaling:CreateAutoScalingGroup
iam:CreateServiceLinkedRole
ec2:RunInstances

I added the following policies, and it worked (^▽^)

  1. iam:CreateServiceLinkedRole
  2. ec2:RunInstances

I have
autoscaling:CreateAutoScalingGroup
iam:CreateServiceLinkedRole
ec2:RunInstances
in the policy and eksctl still doesn't work.
I think it's related to MFA vs non-MFA accounts.. but if anyone has any ideas.. I've had to resort to trying to work through the console and give up on eksctl since I can't get it to work....

@mutabletao are you using a MFA user? If so, I believe you need to set up a session token to ensure proper connectivity between running CLI commands and your user.

Hello, same here. I'm using the latest compiled set of permissions for the EKS service role and still not able to have the node-group created:

AWS::AutoScaling::AutoScalingGroup/NodeGroup: CREATE_FAILED – "API: autoscaling:CreateAutoScalingGroup You are not authorized to use launch template: eksctl-dev-k8s-us-east-1-nodegroup-dev-k8s-us-east-1-standard"

I'm launching eksctl with an admin user which is not an MFA enabled user

eksctl create cluster -f cluster-config.yaml

This is ridiculous, is not there any exact list of permissions / roles to enable to try this stuff out?

Under IAM -> Groups -> Permissions, click Attach Policy worked for me, using the above json from @mailjunze and steps from @VojtechVitek.

If you use eksctl create cluster --managed, this will work.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::<AWS_ACCOUNT_ID>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/eksctl-*",
                "arn:aws:iam::<AWS_ACCOUNT_ID>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs"
            ],
            "Resource": "*"
        }
    ]
}

iam:ListAttachedRolePolicies and arn:aws:iam::<AWS Acct Id>:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup are needed.

@uny You might want to make sure you remove your AWS Account ID from the above comment.

@JulienDefrance
Thank you, I replaced them.

CloudFormation template example for the eksctl managed cluster policy

ref: https://github.com/weaveworks/eksctl/issues/204#issuecomment-557849919

---
Description: Eksctl provisioner policy for manged cluster

Resources:
  EksctlProvisionerManagedPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: eksctl-provisioner-managed
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: AllowSomeIamActions
            Action:
              - 'iam:AddRoleToInstanceProfile'
              - 'iam:AttachRolePolicy'
              - 'iam:CreateInstanceProfile'
              - 'iam:CreateRole'
              - 'iam:GetRole'
              - 'iam:CreateServiceLinkedRole'
              - 'iam:DeleteInstanceProfile'
              - 'iam:DeleteRole'
              - 'iam:DeleteRolePolicy'
              - 'iam:DeleteServiceLinkedRole'
              - 'iam:DetachRolePolicy'
              - 'iam:GetInstanceProfile'
              - 'iam:GetRole'
              - 'iam:GetRolePolicy'
              - 'iam:ListAttachedRolePolicies'
              - 'iam:ListInstanceProfiles'
              - 'iam:ListInstanceProfilesForRole'
              - 'iam:PassRole'
              - 'iam:PutRolePolicy'
              - 'iam:RemoveRoleFromInstanceProfile'
              - 'iam:GetOpenIDConnectProvider'
            Effect: Allow
            Resource:
              - !Sub 'arn:aws:iam::${AWS::AccountId}:instance-profile/eksctl-*'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/eksctl-*'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup'
              - !Sub 'arn:aws:iam::${AWS::AccountId}:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/*'
          - Sid: AllowCloudforamtionAction
            Action:
              - 'cloudformation:*'
            Effect: Allow
            Resource: '*'
          - Sid: AllowEksAction
            Action:
              - 'eks:*'
            Effect: Allow
            Resource: '*'
          - Sid: AllowIGWAction
            Action:
              - 'ec2:DeleteInternetGateway'
            Effect: Allow
            Resource: 'arn:aws:ec2:*:*:internet-gateway/*'
          - Sid: AllowEc2Action
            Action:
              - 'ec2:AuthorizeSecurityGroupIngress'
              - 'ec2:DeleteSubnet'
              - 'ec2:DeleteTags'
              - 'ec2:CreateNatGateway'
              - 'ec2:CreateVpc'
              - 'ec2:AttachInternetGateway'
              - 'ec2:DescribeVpcAttribute'
              - 'ec2:DeleteRouteTable'
              - 'ec2:AssociateRouteTable'
              - 'ec2:DescribeInternetGateways'
              - 'ec2:CreateRoute'
              - 'ec2:CreateInternetGateway'
              - 'ec2:RevokeSecurityGroupEgress'
              - 'ec2:CreateSecurityGroup'
              - 'ec2:ModifyVpcAttribute'
              - 'ec2:DeleteInternetGateway'
              - 'ec2:DescribeRouteTables'
              - 'ec2:ReleaseAddress'
              - 'ec2:AuthorizeSecurityGroupEgress'
              - 'ec2:DescribeTags'
              - 'ec2:CreateTags'
              - 'ec2:DeleteRoute'
              - 'ec2:CreateRouteTable'
              - 'ec2:DetachInternetGateway'
              - 'ec2:DescribeNatGateways'
              - 'ec2:DisassociateRouteTable'
              - 'ec2:AllocateAddress'
              - 'ec2:DescribeSecurityGroups'
              - 'ec2:RevokeSecurityGroupIngress'
              - 'ec2:DeleteSecurityGroup'
              - 'ec2:DeleteNatGateway'
              - 'ec2:DeleteVpc'
              - 'ec2:CreateSubnet'
              - 'ec2:DescribeSubnets'
              - 'ec2:DescribeAvailabilityZones'
              - 'ec2:DescribeImages'
              - 'ec2:describeAddresses'
              - 'ec2:DescribeVpcs'
            Effect: Allow
            Resource: '*'

The above policy didn't allow creating an unmanaged node group or deleting a cluster. I added additional permissions to the policy. Please find the updated one below.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "eks:DescribeFargateProfile",
                "eks:ListTagsForResource",
                "eks:UpdateClusterConfig",
                "ec2:AttachInternetGateway",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "eks:DescribeNodegroup",
                "ssm:DescribeParameters",
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRouteTables",
                "eks:ListNodegroups",
                "ec2:ImportKeyPair",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateTags",
                "ec2:CreateRouteTable",
                "cloudformation:*",
                "ec2:RunInstances",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "eks:DeleteCluster",
                "ec2:RevokeSecurityGroupIngress",
                "eks:DeleteNodegroup",
                "ec2:DescribeImageAttribute",
                "eks:UpdateNodegroupConfig",
                "ec2:DeleteNatGateway",
                "eks:DescribeCluster",
                "eks:ListClusters",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "autoscaling:CreateAutoScalingGroup",
                "eks:UpdateClusterVersion",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "autoscaling:DescribeLaunchConfigurations",
                "ec2:CreateVpc",
                "ec2:DescribeVpcAttribute",
                "eks:UpdateNodegroupVersion",
                "autoscaling:DescribeScalingActivities",
                "ec2:DescribeAvailabilityZones",
                "eks:ListUpdates",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "eks:CreateCluster",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DeleteLaunchTemplate",
                "eks:UntagResource",
                "ec2:DescribeTags",
                "ec2:DeleteRoute",
                "ec2:DescribeLaunchTemplateVersions",
                "eks:CreateNodegroup",
                "ec2:DescribeNatGateways",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:DescribeImages",
                "eks:ListFargateProfiles",
                "ec2:CreateLaunchTemplate",
                "autoscaling:DeleteLaunchConfiguration",
                "eks:DescribeUpdate",
                "ec2:DescribeVpcs",
                "eks:TagResource",
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "ec2:DeleteInternetGateway",
                "iam:DeleteServiceLinkedRole",
                "iam:GetOpenIDConnectProvider",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:internet-gateway/*",
                "arn:aws:iam::*:oidc-provider/*",
                "arn:aws:iam::*:instance-profile/*",
                "arn:aws:iam::*:role/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameters",
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        }
    ]
}

@sreejithcts, please comment on the difference between yours and the one above; otherwise it is hard to see what you added. Thanks.
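The request above can be answered mechanically. As an added example (editor's code, not eksctl's or any commenter's), the script below diffs the allowed action sets of two policy documents and flags statements that grant mutating actions on `Resource: "*"`, the pattern the thread keeps narrowing down to `eksctl-*` roles and instance profiles. The two embedded policies are constructed, cut-down stand-ins for those posted in the thread; the function names are the example's own.

```python
"""Diff two IAM policy documents and flag broad grants (added example, not eksctl code).
Policies below are constructed stand-ins for the thread's, so this runs offline. Actions
compare case-insensitively, as IAM does, so ec2:describeAddresses == ec2:DescribeAddresses.
"""
import json
import re

# Constructed sample: an earlier revision that grants mutating IAM actions on "*".
OLD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["cloudformation:*", "eks:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PassRole", "ec2:describeAddresses"],
         "Resource": "*"},
    ],
})

# Constructed sample: a later revision scoped to eksctl-* roles, with one new action.
NEW_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "cloudformation:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:PassRole", "iam:GetRole"],
         "Resource": ["arn:aws:iam::<AWS_ACCOUNT_ID>:role/eksctl-*"]},
        {"Effect": "Allow", "Action": ["ec2:DescribeAddresses"], "Resource": "*"},
    ],
})

# Describe/List/Get actions on Resource "*" are expected; most have no resource-level support.
READ_ONLY = re.compile(r"^[a-z0-9-]+:(describe|list|get)")


def _as_list(value):
    """IAM accepts a single string or a list for Action and Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def allow_statements(policy_text):
    """Yield (sid, lower-cased actions, resources) for every Allow statement."""
    policy = json.loads(policy_text)
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        yield (stmt.get("Sid", f"statement-{idx}"),
               [a.lower() for a in _as_list(stmt.get("Action"))],
               _as_list(stmt.get("Resource")))


def allowed_actions(policy_text):
    """Set of action names the policy allows; wildcards such as eks:* stay literal."""
    return {a for _, actions, _ in allow_statements(policy_text) for a in actions}


def diff_actions(old_text, new_text):
    """Return (added, removed) sorted action lists: what the newer policy changed."""
    old, new = allowed_actions(old_text), allowed_actions(new_text)
    return sorted(new - old), sorted(old - new)


def broad_grants(policy_text):
    """List (sid, action, reason) for service-wide wildcards and mutating actions on "*"."""
    findings = []
    for sid, actions, resources in allow_statements(policy_text):
        for action in actions:
            if action == "*" or action.endswith(":*"):
                findings.append((sid, action, "service-wide wildcard"))
            elif "*" in resources and not READ_ONLY.match(action):
                findings.append((sid, action, "mutating action on Resource *"))
    return findings
```

Run `diff_actions` on two revisions of a policy pasted into the thread to list exactly which actions were added, and `broad_grants` on the result to see which grants still lack a resource scope.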

I ran "eksctl create cluster" with this policy and it works for me:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "ec2:DeleteInternetGateway",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AccountID>:instance-profile/eksctl-*",
                "arn:aws:iam::<AccountID>:role/eksctl-*",
                "arn:aws:ec2:*:*:internet-gateway/*"
            ]
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "ssm:SendCommand",
                "ssm:CancelCommand",
                "ec2:AuthorizeSecurityGroupIngress",
                "ssm:SendAutomationSignal",
                "ssm:CreateActivation",
                "ec2:AttachInternetGateway",
                "ssm:UpdateAssociation",
                "ssm:CreateOpsItem",
                "ssm:UpdateAssociationStatus",
                "ssm:StartSession",
                "ec2:DeleteRouteTable",
                "ssm:RegisterPatchBaselineForPatchGroup",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:DeleteInternetGateway",
                "ssm:UpdateDocument",
                "ec2:DescribeKeyPairs",
                "ssm:UpdateManagedInstanceRole",
                "ssm:UpdatePatchBaseline",
                "ssm:RegisterTaskWithMaintenanceWindow",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "ec2:RunInstances",
                "ec2:DisassociateRouteTable",
                "ssm:CreateDocument",
                "ec2:RevokeSecurityGroupIngress",
                "ssm:UpdateMaintenanceWindow",
                "ssm:StartAutomationExecution",
                "ssm:CancelMaintenanceWindowExecution",
                "ssm:CreateAssociation",
                "ec2:DescribeImageAttribute",
                "ec2:DeleteNatGateway",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ssm:UpdateMaintenanceWindowTask",
                "ec2:DescribeVpcAttribute",
                "ssm:CreatePatchBaseline",
                "ssm:ResetServiceSetting",
                "ssm:DeleteInventory",
                "ec2:DescribeAvailabilityZones",
                "autoscaling:DescribeScalingActivities",
                "ssm:CreateResourceDataSync",
                "ssm:CreateMaintenanceWindow",
                "ec2:ReleaseAddress",
                "ec2:DeleteLaunchTemplate",
                "ssm:DeregisterPatchBaselineForPatchGroup",
                "ssm:StopAutomationExecution",
                "ec2:DescribeSecurityGroups",
                "ssm:UpdateOpsItem",
                "ssm:UpdateServiceSetting",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:CreateLaunchTemplate",
                "ssm:CreateAssociationBatch",
                "ssm:ModifyDocumentPermission",
                "ec2:DescribeVpcs",
                "ssm:RegisterDefaultPatchBaseline",
                "ssm:UpdateInstanceAssociationStatus",
                "ssm:LabelParameterVersion",
                "ec2:DeleteSubnet",
                "ssm:DeregisterTargetFromMaintenanceWindow",
                "ssm:ResumeSession",
                "ssm:UpdateDocumentDefaultVersion",
                "ssm:UpdateMaintenanceWindowTarget",
                "ssm:GetParameter",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ssm:DeleteActivation",
                "ssm:DeleteParameter",
                "ssm:StartAssociationsOnce",
                "ssm:UpdateInstanceInformation",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:UpdateAutoScalingGroup",
                "ssm:PutComplianceItems",
                "ec2:DescribeRouteTables",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateRouteTable",
                "ssm:RegisterTargetWithMaintenanceWindow",
                "cloudformation:*",
                "ssm:GetParameters",
                "ec2:DetachInternetGateway",
                "ssm:DeleteParameters",
                "ssm:PutParameter",
                "ssm:UpdateResourceDataSync",
                "ec2:DeleteVpc",
                "eks:*",
                "autoscaling:CreateAutoScalingGroup",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "autoscaling:DescribeLaunchConfigurations",
                "ssm:TerminateSession",
                "ssm:DeletePatchBaseline",
                "ssm:DeleteResourceDataSync",
                "ec2:CreateSecurityGroup",
                "ssm:DeregisterTaskFromMaintenanceWindow",
                "ec2:ModifyVpcAttribute",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:DeleteRoute",
                "ec2:DescribeLaunchTemplateVersions",
                "ssm:DeleteMaintenanceWindow",
                "ec2:DescribeNatGateways",
                "ssm:DeleteAssociation",
                "ssm:DescribeParameters",
                "ssm:DeregisterManagedInstance",
                "ec2:AllocateAddress",
                "ec2:DescribeImages",
                "ssm:PutInventory",
                "autoscaling:DeleteLaunchConfiguration",
                "ec2:DeleteSecurityGroup",
                "ssm:DeleteDocument"
            ],
            "Resource": "*"
        },
        {
            "Action": [
                "ssm:GetParameter"
            ],
            "Resource": "arn:aws:ssm:<region>:redacted:parameter/*",
            "Effect": "Allow"
        }
    ]
}

Ran the following command: eksctl create cluster --name prod-test-8 --version 1.15 --region us-east-1 --nodegroup-name standard-workers --node-type t2.small --nodes 2 --nodes-min 1 --nodes-max 4

With the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:AttachRolePolicy",
                "iam:CreateInstanceProfile",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:DeleteInstanceProfile",
                "iam:DeleteRole",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:GetInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateServiceLinkedRole",
                "iam:ListRoleTags"
            ],
            "Resource": [
                "arn:aws:iam::account-id:instance-profile/eksctl-*",
                "arn:aws:iam::account-id:role/eksctl-*",
                "arn:aws:iam::account-id:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters",
                "ssm:DescribeParameters"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ssm:GetParameter",
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ssm:GetParameter",
                "ssm:GetParameters"
            ],
            "Resource": "arn:aws:ssm:*:*:parameter/*"
        },
        {
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeImages",
                "ec2:describeAddresses",
                "ec2:DescribeVpcs",
                "ec2:CreateLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:RunInstances"
            ],
            "Resource": "*"
        }
    ]
}

Replaced account-id with my actual AWS account id to get it to run. This policy is based on the work done above but cleaned up so it's better understood.

I just want to thank everyone for this thread. I came here after running into several issues. With special thanks to @dougireton, @mailjunze, @jonin, and @OscarAyoy, I was able to get it done.
