IAM Requirements for EKS - SUSE/scf GitHub Wiki
Taken together, these IAM policies provide sufficient access to use EKS.
Unscoped Operations
Some of these permissions are very broad. They are difficult to scope effectively, in part because many resources are created (and named) dynamically when deploying an EKS Cluster using CloudFormation. Note in particular that the EffectivelyUnscopedOperations statement below grants cloudformation:* and eks:* on every stack and cluster, and iam:CreateRole / iam:DeleteRole on every role in the account. There may be some value in enforcing certain naming conventions, such as prefixing cluster names with ${aws:username}, which would allow pattern-matching in Conditions. However, this requires special consideration beyond the EKS deployment guide, and should be evaluated in the broader context of organizational IAM policies.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UnscopedOperations",
"Effect": "Allow",
"Action": [
"cloudformation:CreateUploadBucket",
"cloudformation:EstimateTemplateCost",
"cloudformation:ListExports",
"cloudformation:ListStacks",
"cloudformation:ListImports",
"cloudformation:DescribeAccountLimits",
"eks:ListClusters",
"cloudformation:ValidateTemplate",
"cloudformation:GetTemplateSummary",
"eks:CreateCluster"
],
"Resource": "*"
},
{
"Sid": "EffectivelyUnscopedOperations",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:DetachRolePolicy",
"iam:RemoveRoleFromInstanceProfile",
"cloudformation:*",
"iam:CreateRole",
"iam:DeleteRole",
"eks:*"
],
"Resource": [
"arn:aws:eks:*:*:cluster/*",
"arn:aws:cloudformation:*:*:stack/*/*",
"arn:aws:cloudformation:*:*:stackset/*:*",
"arn:aws:iam::*:instance-profile/*",
"arn:aws:iam::*:role/*"
]
}
]
}
Scoped Operations
These policies deal with particularly sensitive access controls, such as passing roles and attaching policies to (or detaching them from) roles.
This policy as written allows unrestricted use only of customer-managed policies, not Amazon-managed policies. This prevents things like attaching the IAMFullAccess policy to a role. Note that the restriction applies to which policies may be attached, not to which roles may be passed: iam:PassRole is granted for every role in the account, and together with the iam:CreateRole permission above this lets the principal create a role carrying any customer-managed policy and pass it to a service. If you are using roles in a way that would be undermined by this, you should strongly consider integrating a Permissions Boundary before using this policy.
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UseCustomPoliciesWithCustomRoles",
"Effect": "Allow",
"Action": [
"iam:DetachRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": [
"arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*",
"arn:aws:iam::<YOUR_ACCOUNT_ID>:policy/*"
],
"Condition": {
"ForAllValues:ArnNotLike": {
"iam:PolicyARN": "arn:aws:iam::aws:policy/*"
}
}
},
{
"Sid": "AllowPassingRoles",
"Effect": "Allow",
"Action": "iam:PassRole",
"Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/*"
},
{
"Sid": "AddCustomRolesToInstanceProfiles",
"Effect": "Allow",
"Action": "iam:AddRoleToInstanceProfile",
"Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:instance-profile/*"
},
{
"Sid": "AssumeServiceRoleForEKS",
"Effect": "Allow",
"Action": "sts:AssumeRole",
"Resource": "arn:aws:iam::<YOUR_ACCOUNT_ID>:role/<EKS_SERVICE_ROLE_NAME>"
},
{
"Sid": "DenyUsingAmazonManagedPoliciesUnlessNeededForEKS",
"Effect": "Deny",
"Action": "iam:*",
"Resource": "arn:aws:iam::aws:policy/*",
"Condition": {
"ArnNotEquals": {
"iam:PolicyARN": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
]
}
}
},
{
"Sid": "AllowAttachingSpecificAmazonManagedPoliciesForEKS",
"Effect": "Allow",
"Action": [
"iam:DetachRolePolicy",
"iam:AttachRolePolicy"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"iam:PolicyARN": [
"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
"arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
"arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",
"arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
]
}
}
}
]
}