AWSTemplateFormatVersion: 2010-09-09 Resources: AWSIAMInstanceProfileControlPlane: Properties: InstanceProfileName: control-plane.cluster-api-provider-aws.sigs.k8s.io Roles: - Ref: AWSIAMRoleControlPlane Type: AWS::IAM::InstanceProfile AWSIAMInstanceProfileControllers: Properties: InstanceProfileName: controllers.cluster-api-provider-aws.sigs.k8s.io Roles: - Ref: AWSIAMRoleControllers Type: AWS::IAM::InstanceProfile AWSIAMInstanceProfileNodes: Properties: InstanceProfileName: nodes.cluster-api-provider-aws.sigs.k8s.io Roles: - Ref: AWSIAMRoleNodes Type: AWS::IAM::InstanceProfile AWSIAMManagedPolicyCloudProviderControlPlane: Properties: Description: For the Kubernetes Cloud Provider AWS Control Plane ManagedPolicyName: control-plane.cluster-api-provider-aws.sigs.k8s.io PolicyDocument: Statement: - Action: - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeLaunchConfigurations - autoscaling:DescribeTags - ec2:DescribeInstances - ec2:DescribeImages - ec2:DescribeRegions - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVolumes - ec2:CreateSecurityGroup - ec2:CreateTags - ec2:CreateVolume - ec2:ModifyInstanceAttribute - ec2:ModifyVolume - ec2:AttachVolume - ec2:AuthorizeSecurityGroupIngress - ec2:CreateRoute - ec2:DeleteRoute - ec2:DeleteSecurityGroup - ec2:DeleteVolume - ec2:DetachVolume - ec2:RevokeSecurityGroupIngress - ec2:DescribeVpcs - elasticloadbalancing:AddTags - elasticloadbalancing:AttachLoadBalancerToSubnets - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:CreateLoadBalancerPolicy - elasticloadbalancing:CreateLoadBalancerListeners - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DeleteLoadBalancerListeners - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:DetachLoadBalancerFromSubnets - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer - elasticloadbalancing:CreateListener - elasticloadbalancing:CreateTargetGroup - elasticloadbalancing:DeleteListener - elasticloadbalancing:DeleteTargetGroup - elasticloadbalancing:DescribeListeners - elasticloadbalancing:DescribeLoadBalancerPolicies - elasticloadbalancing:DescribeTargetGroups - elasticloadbalancing:DescribeTargetHealth - elasticloadbalancing:ModifyListener - elasticloadbalancing:ModifyTargetGroup - elasticloadbalancing:RegisterTargets - elasticloadbalancing:SetLoadBalancerPoliciesOfListener - iam:CreateServiceLinkedRole - kms:DescribeKey Effect: Allow Resource: - '*' Version: 2012-10-17 Roles: - Ref: AWSIAMRoleControlPlane Type: AWS::IAM::ManagedPolicy AWSIAMManagedPolicyCloudProviderNodes: Properties: Description: For the Kubernetes Cloud Provider AWS nodes ManagedPolicyName: nodes.cluster-api-provider-aws.sigs.k8s.io PolicyDocument: Statement: - Action: - ec2:DescribeInstances - ec2:DescribeRegions - ecr:GetAuthorizationToken - ecr:BatchCheckLayerAvailability - ecr:GetDownloadUrlForLayer - ecr:GetRepositoryPolicy - ecr:DescribeRepositories - ecr:ListImages - ecr:BatchGetImage Effect: Allow Resource: - '*' - Action: - secretsmanager:DeleteSecret - secretsmanager:GetSecretValue Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* - Action: - ssm:UpdateInstanceInformation - ssmmessages:CreateControlChannel - ssmmessages:CreateDataChannel - ssmmessages:OpenControlChannel - ssmmessages:OpenDataChannel - s3:GetEncryptionConfiguration Effect: Allow Resource: - '*' Version: 2012-10-17 Roles: - Ref: AWSIAMRoleControlPlane - Ref: AWSIAMRoleNodes Type: AWS::IAM::ManagedPolicy AWSIAMManagedPolicyControllers: Properties: Description: For the Kubernetes Cluster API Provider AWS Controllers ManagedPolicyName: controllers.cluster-api-provider-aws.sigs.k8s.io PolicyDocument: Statement: - Action: - ec2:AllocateAddress - ec2:AssociateRouteTable - ec2:AttachInternetGateway - ec2:AuthorizeSecurityGroupIngress - ec2:CreateInternetGateway - ec2:CreateNatGateway - ec2:CreateRoute - ec2:CreateRouteTable - ec2:CreateSecurityGroup - ec2:CreateSubnet - ec2:CreateTags - ec2:CreateVpc - ec2:ModifyVpcAttribute - ec2:DeleteInternetGateway - ec2:DeleteNatGateway - ec2:DeleteRouteTable - ec2:DeleteSecurityGroup - ec2:DeleteSubnet - ec2:DeleteTags - ec2:DeleteVpc - ec2:DescribeAccountAttributes - ec2:DescribeAddresses - ec2:DescribeAvailabilityZones - ec2:DescribeInstances - ec2:DescribeInternetGateways - ec2:DescribeImages - ec2:DescribeNatGateways - ec2:DescribeNetworkInterfaces - ec2:DescribeNetworkInterfaceAttribute - ec2:DescribeRouteTables - ec2:DescribeSecurityGroups - ec2:DescribeSubnets - ec2:DescribeVpcs - ec2:DescribeVpcAttribute - ec2:DescribeVolumes - ec2:DetachInternetGateway - ec2:DisassociateRouteTable - ec2:DisassociateAddress - ec2:ModifyInstanceAttribute - ec2:ModifyNetworkInterfaceAttribute - ec2:ModifySubnetAttribute - ec2:ReleaseAddress - ec2:RevokeSecurityGroupIngress - ec2:RunInstances - ec2:TerminateInstances - tag:GetResources - elasticloadbalancing:AddTags - elasticloadbalancing:CreateLoadBalancer - elasticloadbalancing:ConfigureHealthCheck - elasticloadbalancing:DeleteLoadBalancer - elasticloadbalancing:DescribeLoadBalancers - elasticloadbalancing:DescribeLoadBalancerAttributes - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer - elasticloadbalancing:DescribeTags - elasticloadbalancing:ModifyLoadBalancerAttributes - elasticloadbalancing:RegisterInstancesWithLoadBalancer - elasticloadbalancing:DeregisterInstancesFromLoadBalancer - elasticloadbalancing:RemoveTags - autoscaling:DescribeAutoScalingGroups - autoscaling:DescribeInstanceRefreshes - ec2:CreateLaunchTemplate - ec2:CreateLaunchTemplateVersion - ec2:DescribeLaunchTemplates - ec2:DescribeLaunchTemplateVersions - ec2:DeleteLaunchTemplate - ec2:DeleteLaunchTemplateVersions - ec2:DescribeKeyPairs Effect: Allow Resource: - '*' - Action: - autoscaling:CreateAutoScalingGroup - autoscaling:UpdateAutoScalingGroup - autoscaling:CreateOrUpdateTags - autoscaling:StartInstanceRefresh - autoscaling:DeleteAutoScalingGroup - autoscaling:DeleteTags Effect: Allow Resource: - arn:*:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/* - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: autoscaling.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: elasticloadbalancing.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: spot.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot - Action: - iam:PassRole Effect: Allow Resource: - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io - Action: - secretsmanager:CreateSecret - secretsmanager:DeleteSecret - secretsmanager:TagResource Effect: Allow Resource: - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/* Version: 2012-10-17 Roles: - Ref: AWSIAMRoleControllers - Ref: AWSIAMRoleControlPlane Type: AWS::IAM::ManagedPolicy AWSIAMManagedPolicyControllersEKS: Properties: Description: For the Kubernetes Cluster API Provider AWS Controllers ManagedPolicyName: controllers-eks.cluster-api-provider-aws.sigs.k8s.io PolicyDocument: Statement: - Action: - ssm:GetParameter Effect: Allow Resource: - arn:*:ssm:*:*:parameter/aws/service/eks/optimized-ami/* - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: eks.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/eks.amazonaws.com/AWSServiceRoleForAmazonEKS - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: eks-nodegroup.amazonaws.com Effect: Allow Resource: - arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup - Action: - iam:CreateServiceLinkedRole Condition: StringLike: iam:AWSServiceName: eks-fargate.amazonaws.com Effect: Allow Resource: - arn:aws:iam::*:role/aws-service-role/eks-fargate-pods.amazonaws.com/AWSServiceRoleForAmazonEKSForFargate - Action: - iam:ListOpenIDConnectProviders - iam:CreateOpenIDConnectProvider - iam:AddClientIDToOpenIDConnectProvider - iam:UpdateOpenIDConnectProviderThumbprint - iam:DeleteOpenIDConnectProvider Effect: Allow Resource: - '*' - Action: - iam:GetRole - iam:ListAttachedRolePolicies - iam:DetachRolePolicy - iam:DeleteRole - iam:CreateRole - iam:TagRole - iam:AttachRolePolicy Effect: Allow Resource: - arn:*:iam::*:role/* - Action: - iam:GetPolicy Effect: Allow Resource: - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy - Action: - eks:DescribeCluster - eks:ListClusters - eks:CreateCluster - eks:TagResource - eks:UpdateClusterVersion - eks:DeleteCluster - eks:UpdateClusterConfig - eks:UntagResource - eks:UpdateNodegroupVersion - eks:DescribeNodegroup - eks:DeleteNodegroup - eks:UpdateNodegroupConfig - eks:CreateNodegroup - eks:AssociateEncryptionConfig - eks:ListIdentityProviderConfigs - eks:AssociateIdentityProviderConfig - eks:DescribeIdentityProviderConfig - eks:DisassociateIdentityProviderConfig Effect: Allow Resource: - arn:*:eks:*:*:cluster/* - arn:*:eks:*:*:nodegroup/*/*/* - Action: - ec2:AssociateVpcCidrBlock - ec2:DisassociateVpcCidrBlock - eks:ListAddons - eks:CreateAddon - eks:DescribeAddonVersions - eks:DescribeAddon - eks:DeleteAddon - eks:UpdateAddon - eks:TagResource - eks:DescribeFargateProfile - eks:CreateFargateProfile - eks:DeleteFargateProfile Effect: Allow Resource: - '*' - Action: - iam:PassRole Condition: StringEquals: iam:PassedToService: eks.amazonaws.com Effect: Allow Resource: - '*' - Action: - kms:CreateGrant - kms:DescribeKey Condition: ForAnyValue:StringLike: kms:ResourceAliases: alias/cluster-api-provider-aws-* Effect: Allow Resource: - '*' Version: 2012-10-17 Roles: - Ref: AWSIAMRoleControllers - Ref: AWSIAMRoleControlPlane Type: AWS::IAM::ManagedPolicy AWSIAMRoleControlPlane: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy RoleName: control-plane.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role AWSIAMRoleControllers: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Version: 2012-10-17 Policies: - PolicyDocument: Statement: - Action: - iam:GetPolicy - ec2:DescribeRegions - route53:ListHostedZones Effect: Allow Resource: - '*' Version: 2012-10-17 PolicyName: cluster-api-provider-aws-sigs-k8s-io RoleName: controllers.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role AWSIAMRoleEKSControlPlane: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - eks.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy RoleName: eks-controlplane.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role AWSIAMRoleEKSNodegroup: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com - eks.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly RoleName: eks-nodegroup.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role AWSIAMRoleNodes: Properties: AssumeRolePolicyDocument: Statement: - Action: - sts:AssumeRole Effect: Allow Principal: Service: - ec2.amazonaws.com Version: 2012-10-17 ManagedPolicyArns: - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly RoleName: nodes.cluster-api-provider-aws.sigs.k8s.io Type: AWS::IAM::Role