{ "Version": "2012-10-17", "Statement": [ { "Sid": "AllowScopedEC2InstanceActions", "Effect": "Allow", "Resource": [ "arn:${AWS_PARTITION}:ec2:${AWS_REGION}::image/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}::snapshot/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:spot-instances-request/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:security-group/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:subnet/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*" ], "Action": [ "ec2:RunInstances", "ec2:CreateFleet" ] }, { "Sid": "AllowScopedEC2InstanceActionsWithTags", "Effect": "Allow", "Resource": [ "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*" ], "Action": [ "ec2:RunInstances", "ec2:CreateFleet", "ec2:CreateLaunchTemplate" ], "Condition": { "StringEquals": { "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned" }, "StringLike": { "aws:RequestTag/karpenter.sh/nodepool": "*" } } }, { "Sid": "AllowScopedResourceCreationTagging", "Effect": "Allow", "Resource": [ "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:fleet/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:volume/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:network-interface/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*" ], "Action": "ec2:CreateTags", "Condition": { "StringEquals": { "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned", "ec2:CreateAction": [ "RunInstances", "CreateFleet", "CreateLaunchTemplate" ] }, "StringLike": { "aws:RequestTag/karpenter.sh/nodepool": "*" } } }, { "Sid": "AllowScopedResourceTagging", "Effect": "Allow", "Resource": "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*", "Action": "ec2:CreateTags", "Condition": { "StringEquals": { "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned" }, "StringLike": { "aws:ResourceTag/karpenter.sh/nodepool": "*" }, "ForAllValues:StringEquals": { "aws:TagKeys": [ "karpenter.sh/nodeclaim", "Name" ] } } }, { "Sid": "AllowScopedDeletion", "Effect": "Allow", "Resource": [ "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:instance/*", "arn:${AWS_PARTITION}:ec2:${AWS_REGION}:*:launch-template/*" ], "Action": [ "ec2:TerminateInstances", "ec2:DeleteLaunchTemplate" ], "Condition": { "StringEquals": { "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned" }, "StringLike": { "aws:ResourceTag/karpenter.sh/nodepool": "*" } } }, { "Sid": "AllowRegionalReadActions", "Effect": "Allow", "Resource": "*", "Action": [ "ec2:DescribeAvailabilityZones", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplates", "ec2:DescribeSecurityGroups", "ec2:DescribeSpotPriceHistory", "ec2:DescribeSubnets" ], "Condition": { "StringEquals": { "aws:RequestedRegion": "${AWS_REGION}" } } }, { "Sid": "AllowSSMReadActions", "Effect": "Allow", "Resource": "arn:${AWS_PARTITION}:ssm:${AWS_REGION}::parameter/aws/service/*", "Action": "ssm:GetParameter" }, { "Sid": "AllowPricingReadActions", "Effect": "Allow", "Resource": "*", "Action": "pricing:GetProducts" }, { "Sid": "AllowInterruptionQueueActions", "Effect": "Allow", "Resource": "arn:aws:sqs:${AWS_REGION}:${AWS_ACCOUNT_ID}:${CLUSTER_NAME}", "Action": [ "sqs:DeleteMessage", "sqs:GetQueueAttributes", "sqs:GetQueueUrl", "sqs:ReceiveMessage" ] }, { "Sid": "AllowPassingInstanceRole", "Effect": "Allow", "Resource": "arn:${AWS_PARTITION}:iam::${AWS_ACCOUNT_ID}:role/KarpenterNodeRole-${CLUSTER_NAME}", "Action": "iam:PassRole", "Condition": { "StringEquals": { "iam:PassedToService": "ec2.amazonaws.com" } } }, { "Sid": "AllowScopedInstanceProfileCreationActions", "Effect": "Allow", "Resource": "*", "Action": "iam:CreateInstanceProfile", "Condition": { "StringEquals": { "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned", "aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}" }, "StringLike": { "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*" } } }, { "Sid": "AllowScopedInstanceProfileTagActions", "Effect": "Allow", "Resource": "*", "Action": "iam:TagInstanceProfile", "Condition": { "StringEquals": { "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned", "aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}", "aws:RequestTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned", "aws:RequestTag/topology.kubernetes.io/region": "${AWS_REGION}" }, "StringLike": { "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*", "aws:RequestTag/karpenter.k8s.aws/ec2nodeclass": "*" } } }, { "Sid": "AllowScopedInstanceProfileActions", "Effect": "Allow", "Resource": "*", "Action": [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile" ], "Condition": { "StringEquals": { "aws:ResourceTag/kubernetes.io/cluster/${CLUSTER_NAME}": "owned", "aws:ResourceTag/topology.kubernetes.io/region": "${AWS_REGION}" }, "StringLike": { "aws:ResourceTag/karpenter.k8s.aws/ec2nodeclass": "*" } } }, { "Sid": "AllowInstanceProfileReadActions", "Effect": "Allow", "Resource": "*", "Action": "iam:GetInstanceProfile" }, { "Sid": "AllowAPIServerEndpointDiscovery", "Effect": "Allow", "Resource": "arn:${AWS_PARTITION}:eks:${AWS_REGION}:${AWS_ACCOUNT_ID}:cluster/${CLUSTER_NAME}", "Action": "eks:DescribeCluster" } ] }