fix(eks): missing required permission for fargate profile
Creating a Fargate profile without specifying `subnetSelection` will require an extra IAM policy to allow the IAM role to describe subnets and route tables to select private subnets. This PR adds the required `ec2:DescribeRouteTables` for the cluster creation role.

Closes #7614
pahud committed May 3, 2020
1 parent fbb8ff3 commit 723813f
Showing 3 changed files with 16 additions and 4 deletions.
5 changes: 4 additions & 1 deletion packages/@aws-cdk/aws-eks/lib/cluster-resource.ts
Expand Up @@ -73,7 +73,10 @@ export class ClusterResource extends Construct {
});

this.creationRole.addToPolicy(new iam.PolicyStatement({
actions: [ 'ec2:DescribeSubnets' ],
actions: [
'ec2:DescribeSubnets',
'ec2:DescribeRouteTables',
],
resources: [ '*' ],
}));
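Review bot: The `actions` array in this `creationRole.addToPolicy` statement carries no comment saying why each permission is needed, so a later least-privilege cleanup could drop `ec2:DescribeRouteTables` again and reintroduce the failure. Add a short comment above the array noting that both actions are used to select private subnets when a Fargate profile is created without `subnetSelection`, as the commit message explains.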

Expand Up @@ -782,7 +782,10 @@
}
},
{
"Action": "ec2:DescribeSubnets",
"Action": [
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables"
],
"Effect": "Allow",
"Resource": "*"
},
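Review bot: The statement with `"Resource": "*"` is now a multi-action list, which makes it an easy place to append further EC2 actions later. The wildcard is acceptable for these two entries, since EC2 `Describe*` actions are read-only and do not support resource-level permissions, but any future non-Describe action should go into its own statement with scoped resources rather than into this array.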
10 changes: 8 additions & 2 deletions packages/@aws-cdk/aws-eks/test/test.cluster.ts
Expand Up @@ -866,7 +866,10 @@ export = {
},
},
{
Action: 'ec2:DescribeSubnets',
Action: [
'ec2:DescribeSubnets',
'ec2:DescribeRouteTables',
],
Effect: 'Allow',
Resource: '*',
},
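Review bot: The change in the hunk at line 866 only updates an existing full-policy expectation; with 8 additions and 2 deletions spread over two identical edits, the test file gains no case that creates a Fargate profile without `subnetSelection`, which is the scenario from #7614. Consider adding a test that defines such a profile and asserts that the creation role policy contains `ec2:DescribeRouteTables`, so the permission is tied to the behaviour it exists for.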
Expand Down Expand Up @@ -977,7 +980,10 @@ export = {
},
},
{
Action: 'ec2:DescribeSubnets',
Action: [
'ec2:DescribeSubnets',
'ec2:DescribeRouteTables',
],
Effect: 'Allow',
Resource: '*',
},
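Review bot: The expected statement in the hunk at line 977 is a verbatim copy of the one at line 866, so every new creation-role permission has to be edited in two places in this file, in addition to the JSON template. Pull the expected `Action` list into a shared constant in the test file and reference it from both assertions.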