IAM Permissions

The CloudOps for Kubernetes Infrastructure-as-Code asset deploys, configures and updates many AWS cloud resources and services. Cluster-level configuration processes performed on the operations workstation obtain their AWS access and authority via an IAM access key. Jenkins jobs obtain their AWS access and authority from an IAM policy that is bound to a Kubernetes service account.

Identity Access Management (IAM) User and Permissions

The CloudOps for Kubernetes setup and configuration tasks that you perform on the operations workstation obtain the necessary AWS access and authority from an IAM access key and associated IAM user. When you run the docker-compose up command on the operations workstation to perform CloudOps for Kubernetes tasks, the Docker container that performs the tasks obtains its AWS access from the keys specified in the docker-compose.override.yml file parameters TF_VAR_aws_access_key_id and TF_VAR_aws_secret_access_key.

Ensure Sufficient Access

You must ensure that the IAM User who owns the specified access key is assigned the necessary permissions to create and modify the various AWS resources that CloudOps for Kubernetes requires.

note

You might assign the user IAM Administrator permission.

Alternatively, you might reduce the scope of the user permissions by using an IAM policy and attaching it to the IAM user. The following IAM policy example defines the minimal access that a user requires to complete the CloudOps for Kubernetes bootstrap process:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "elasticfilesystem:*",
                "s3:*",
                "logs:*",
                "sts:*",
                "cloudformation:*",
                "dynamodb:*",
                "elasticloadbalancing:*",
                "autoscaling:*",
                "iam:*",
                "route53:*",
                "ecr:*",
                "ec2:*",
                "eks:*",
                "acm:*",
                "tag:*"
            ],
            "Resource": "*"
        }
    ]
}

For more information, see the AWS Create access key documentation.

IAM Service Account Policy

The Jenkins jobs that you run to deploy and manage Elastic Path environments obtain the necessary AWS access and authority from an IAM policy that is bound to a Kubernetes service account. The AWSServiceAccountRolePolicy IAM policy defines a minimal set of AWS permissions required to create and manage Elastic Path environments in the AWS account. This policy and its defined permissions arerequired for the proper operation of CloudOps for Kubernetes.

Similarly, the nodes in the Elastic Kubernetes Service cluster use NodeGroupPolicy for the proper operation of CloudOps for Kubernetes.

The bootstrap process creates these IAM policies using Terraform, and Terraform defines and manages the policies. Manual changes to the policies may be overwritten by future updates to CloudOps for Kubernetes. To customize the policy for the service account, update the IAM policy Terraform resource that defines the policy and re-running the bootstrap process in setup mode.

warning

Ensure that you take caution if you modify the IAM AWSServiceAccountRolePolicy policy. If you remove any AWS permissions from the policy, any CloudOps for Kubernetes Jenkins jobs will fail.