
What are the minimum permissions/actions required for creating, modifying and deleting EKS clusters?

0

My objectives are--

  • Create an EKS cluster using eksctl.
  • Manage the cluster using kubectl.
  • Delete the Kubernetes resources using kubectl and the AWS resources for the cluster using eksctl.

Below is a working setup that I achieved with administrator access--

  • Create EKS cluster using eksctl.
  • Update the kubectl config/context using aws eks --region <CLUSTER_REGION> update-kubeconfig --name <CLUSTER_NAME>.
  • Update or apply changes made in Kubernetes YAML files using kubectl apply -f yaml-files-dir/.
  • To delete the cluster, first delete the Kubernetes resources using kubectl delete -f yaml-files-dir/, then delete the cluster using eksctl delete cluster --name <CLUSTER_NAME> --region <CLUSTER_REGION>.

I want to secure these cluster actions by creating an IAM user that has only the necessary permissions for creating, modifying and deleting the clusters. As such, I want an exhaustive list of actions that the account needs to be allowed to do, so that I can create a policy for it.

I know that there are some pre-existing policies that cover all the permissions, and I've seen suggestions about using the following policies--

  • AmazonEC2FullAccess
  • AWSCloudFormationFullAccess
  • AmazonVPCFullAccess
  • IAMFullAccess

Or, create custom policies for IAM and EKS replacing/supplementing the above to limit the access. However, I think these allow too much and I would like to limit it to just what's required.

2 Answers
0
Accepted Answer

I found the minimum permissions required for eksctl operations:

  • AmazonEC2FullAccess policy.
  • AWSCloudFormationFullAccess policy.
  • Two custom policies for EKS and IAM access.

They're all mentioned in the Eksctl documentation. Should've just checked the docs first.

answered a month ago
0

You can try this minimal policy.

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "eks:CreateCluster",
        "eks:DeleteCluster",
        "eks:DescribeCluster",
        "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:GetRole"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:Describe*"
      ],
      "Resource": "*"
    }
  ]
}
answered a month ago
  • I ran with these permissions and got an error about the missing eks:DescribeClusterVersions permission. Besides, I don't think that only those will suffice, because eksctl creates a VPC and a CloudFormation stack, so I think permissions for those are required too.
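A small checker for the policy in this answer and the comment above it, added here as an example (not code from the thread or from eksctl). It matches IAM action patterns the way IAM does, reports required actions the policy misses, flags sensitive actions granted on Resource "*", and shows how to scope iam:PassRole to the eksctl-* role names eksctl creates; the required-action list and the account id are illustrative placeholders, not an exhaustive list.

```python
import fnmatch
import json
# Policy posted in the second answer, copied here so the example runs stand-alone.
ANSWER_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": ["eks:CreateCluster", "eks:DeleteCluster",
       "eks:DescribeCluster", "eks:UpdateClusterConfig", "eks:UpdateClusterVersion"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:PassRole", "iam:GetRole"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["ec2:Describe*"]}
  ]
}""")
# Sample of what eksctl needs (it also creates a CloudFormation stack and a VPC); NOT exhaustive.
SAMPLE_REQUIRED = {"eks:CreateCluster", "eks:DescribeClusterVersions",
                   "cloudformation:CreateStack", "ec2:CreateVpc", "ec2:DescribeVpcs"}
# Lower-cased actions that are risky on Resource "*": iam:PassRole on "*" lets the
# principal hand any role in the account to the cluster or its node groups.
SENSITIVE = {"iam:passrole", "iam:*", "iam:attachrolepolicy", "iam:putrolepolicy"}

def _listify(value):
    return value if isinstance(value, list) else [value]

def allow_pairs(policy):
    """Yield (action pattern, resource) for every Allow statement in the policy."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        for action in _listify(stmt["Action"]):
            for resource in _listify(stmt.get("Resource", "*")):
                yield action, resource

def is_allowed(policy, action):
    """IAM action names match case-insensitively; patterns may use '*' and '?'."""
    return any(fnmatch.fnmatchcase(action.lower(), pat.lower()) for pat, _ in allow_pairs(policy))

def missing_actions(policy, required):
    """Required actions no Allow statement covers (eksctl would fail with AccessDenied)."""
    return sorted(a for a in required if not is_allowed(policy, a))

def overbroad_actions(policy):
    """Sensitive actions the policy grants on Resource '*'."""
    return sorted({pat for pat, res in allow_pairs(policy) if res == "*" and pat.lower() in SENSITIVE})

def scope_action(policy, action, resources):
    """Copy of the policy with `action` moved into its own statement limited to `resources`."""
    scoped = json.loads(json.dumps(policy))
    for stmt in scoped["Statement"]:
        actions = _listify(stmt.get("Action", []))
        if action in actions:
            stmt["Action"] = [a for a in actions if a != action]
    scoped["Statement"].append({"Effect": "Allow", "Action": [action], "Resource": resources})
    return scoped
```

Run missing_actions against the actions eksctl actually calls (the eksctl docs the accepted answer cites list them) to find gaps like eks:DescribeClusterVersions before you hand the user to eksctl, and scope_action(ANSWER_POLICY, "iam:PassRole", ["arn:aws:iam::<ACCOUNT_ID>:role/eksctl-*"]) to keep PassRole off Resource "*".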
