This repository has been archived by the owner on Sep 30, 2020. It is now read-only.

List of IAM permissions #88

Closed
ArchiFleKs opened this issue Nov 23, 2016 · 12 comments
Labels
documentation lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. waiting for community feedback

Comments

@ArchiFleKs
Contributor

Hi, it would be nice to have a precise list of the IAM permissions needed to successfully deploy a cluster.

For example to delegate cluster creation to a non-admin IAM account.

@pieterlange
Contributor

The controller IAM permissions are here:
https://github.com/coreos/kube-aws/blob/master/config/templates/stack-template.json#L193

And directly continues with the IAM permissions for the worker here:
https://github.com/coreos/kube-aws/blob/master/config/templates/stack-template.json#L269

@ArchiFleKs
Contributor Author

ArchiFleKs commented Nov 23, 2016

@pieterlange thanks a lot ;) but these are the permissions that are set up for the IAM instance role, right? What about the minimum permissions needed for the IAM credentials used by a kube-aws operator when running the kube-aws CMD?

@pieterlange
Contributor

pieterlange commented Nov 23, 2016

Oh, like that. I think that's going to be difficult, as you need to be able to create new IAM roles from the account that's used for kube-aws. And with those IAM resources you can assign yourself admin privileges.

Edit: If you find a decent workaround be sure to follow up, I'm sure more people here would like this. 😉

@pieterlange
Contributor

Related: https://aws.amazon.com/blogs/devops/aws-cloudformation-security-best-practices/

I don't have time to dive into this, but it seems doable.

@gianrubio
Contributor

@ArchiFleKs currently there's no documentation for which type of permissions you need. To find all the permissions you can run the kube-aws up command, wait for it to finish, go to CloudTrail and parse all the logs.
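
As an added example (not kube-aws project code), here is a Python sketch of the CloudTrail-parsing step suggested above: it collects the API calls one principal made, turns them into an IAM policy draft, and flags the role-creating actions that the earlier comment points out are effectively admin unless their Resource is scoped. The operator ARN and the records are constructed, and since a CloudTrail eventName does not always equal the IAM action name, the output is a review starting point rather than a finished policy.

```python
import json
from collections import defaultdict

OPERATOR = "arn:aws:iam::111122223333:user/kube-aws-operator"  # constructed ARN

# Constructed records in the shape of CloudTrail's "Records" array, reduced to
# the fields this script reads. Not real log data.
SAMPLE_RECORDS = [
    {"eventSource": "cloudformation.amazonaws.com", "eventName": "CreateStack", "userIdentity": {"arn": OPERATOR}},
    {"eventSource": "iam.amazonaws.com", "eventName": "CreateRole",
     "userIdentity": {"arn": OPERATOR, "invokedBy": "cloudformation.amazonaws.com"}},
    {"eventSource": "monitoring.amazonaws.com", "eventName": "PutMetricAlarm", "userIdentity": {"arn": OPERATOR}},
    {"eventSource": "s3.amazonaws.com", "eventName": "ListBuckets",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/someone-else"}},
]

# eventSource prefixes whose IAM action prefix differs (CloudWatch logs as "monitoring").
SOURCE_TO_IAM_PREFIX = {"monitoring": "cloudwatch"}

# Actions that create or broaden IAM roles; a policy containing them must scope
# Resource (role name pattern, stack ARN) or it is admin-equivalent.
PRIVILEGE_GRANTING = {"iam:CreateRole", "iam:PutRolePolicy",
                      "iam:AttachRolePolicy", "iam:PassRole"}

def actions_for_principal(records, principal_arn):
    """Set of 'prefix:EventName' strings for calls made by one principal."""
    used = set()
    for rec in records:
        if rec.get("userIdentity", {}).get("arn") != principal_arn:
            continue  # calls by other identities are not part of this operator's footprint
        src = rec["eventSource"].split(".")[0]
        prefix = SOURCE_TO_IAM_PREFIX.get(src, src)
        used.add(f"{prefix}:{rec['eventName']}")
    return used

def build_policy(actions):
    """One Allow statement per service; Resource stays '*' and must be narrowed by hand."""
    by_service = defaultdict(list)
    for action in sorted(actions):
        by_service[action.split(":")[0]].append(action)
    statements = [{"Sid": f"KubeAws{svc.capitalize()}", "Effect": "Allow",
                   "Action": acts, "Resource": "*"} for svc, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}

def review_flags(actions):
    """Actions from the draft that need resource scoping before delegation."""
    return sorted(actions & PRIVILEGE_GRANTING)

if __name__ == "__main__":
    acts = actions_for_principal(SAMPLE_RECORDS, OPERATOR)
    print(json.dumps(build_policy(acts), indent=2))
    print("scope before delegating:", review_flags(acts))
```

On a real account, point the script at the `Records` arrays of the CloudTrail objects written during the `kube-aws up` run instead of `SAMPLE_RECORDS`.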

@ArchiFleKs
Contributor Author

@gianrubio Thanks, that's a good idea, I'll test it and report back here with a list if others find this information useful.

@mumoshu
Contributor

mumoshu commented Dec 10, 2016

Hi @ArchiFleKs, thanks for taking time on this!
Any chance you could find the list of IAM permissions required by kube-aws since then?
I'd greatly appreciate it if you could share your findings 🙇

@ArchiFleKs
Contributor Author

@mumoshu I completely forgot about it, thanks for reminding me :)

@fejta-bot

Issues go stale after 90d of inactivity.
Mark the issue as fresh with /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle stale

@k8s-ci-robot k8s-ci-robot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Apr 21, 2019
@fejta-bot

Stale issues rot after 30d of inactivity.
Mark the issue as fresh with /remove-lifecycle rotten.
Rotten issues close after an additional 30d of inactivity.

If this issue is safe to close now please do so with /close.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/lifecycle rotten

@k8s-ci-robot k8s-ci-robot added lifecycle/rotten Denotes an issue or PR that has aged beyond stale and will be auto-closed. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels May 21, 2019
@fejta-bot

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

@k8s-ci-robot
Contributor

@fejta-bot: Closing this issue.

In response to this:

Rotten issues close after 30d of inactivity.
Reopen the issue with /reopen.
Mark the issue as fresh with /remove-lifecycle rotten.

Send feedback to sig-testing, kubernetes/test-infra and/or fejta.
/close

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
