
restrict iam:*
Rohitrajak1807 committed Sep 26, 2024
1 parent 30f3812 commit 55f412a
Showing 2 changed files with 31 additions and 12 deletions.
30 changes: 20 additions & 10 deletions emp/emp_role_cftemplate.yaml
@@ -205,11 +205,12 @@ Resources:
Effect: Allow
Resource:
- arn:*:iam::*:role/aws-service-role/spot.amazonaws.com/AWSServiceRoleForEC2Spot
- Action:
- iam:PassRole
Effect: Allow
Resource:
- arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
# this isn't needed, we pass the role we create instead
# - Action:
# - iam:PassRole
# Effect: Allow
# Resource:
# - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
- Action:
- secretsmanager:CreateSecret
- secretsmanager:DeleteSecret
@@ -284,17 +285,26 @@ Resources:
Resource:
- '*'
Effect: Allow
- Action:
- iam:GetPolicy
- iam:GetPolicyVersion
Resource:
- 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy'
- 'arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'
- 'arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy'
- 'arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy'
- !Ref AWSIAMManagedPolicyCloudProviderNodes
- !Ref AWSIAMManagedPolicyControllers
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${RoleName}-emp-policy'
Effect: Allow
- Action:
- iam:GetRole
- iam:GetRolePolicy
- iam:ListAttachedRolePolicies
- iam:ListRolePolicies
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:SimulateCustomPolicy
Resource:
- '*'
Effect: Allow
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:role/${EKSRole}'
- Action:
- iam:PassRole
Resource:
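Review bot: The new resource ARNs for `iam:GetPolicy`/`iam:GetPolicyVersion` and the `!Sub` policy ARN in the second hunk hard-code the `aws` partition (`arn:aws:iam::aws:policy/...`), while the PassRole statements in the first hunk of this file use `arn:*:iam::*:role/...`; in a non-commercial partition (GovCloud, China) the scoped ARNs would not match and the role would lose read access to those managed policies with nothing in the template pointing at the cause. Consider `!Sub 'arn:${AWS::Partition}:iam::aws:policy/AmazonEKSWorkerNodePolicy'` (and likewise for the other three managed policies) and `!Sub 'arn:${AWS::Partition}:iam::${AWS::AccountId}:policy/${RoleName}-emp-policy'`; the same ARN list appears in emp/emp_user_cftemplate.yaml in this commit. Separately, the first hunk keeps the retired PassRole statement as commented-out YAML; the comment above it already records why it was dropped, so deleting those lines keeps the policy document free of a dead grant that could be re-enabled by an accidental uncomment. The policy statement list both hunks edit starts and ends outside the hunks.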
13 changes: 11 additions & 2 deletions emp/emp_user_cftemplate.yaml
@@ -305,11 +305,20 @@ Resources:
- iam:GetUserPolicy
- iam:ListAttachedUserPolicies
- iam:ListUserPolicies
Resource:
- !Sub 'arn:aws:iam::${AWS::AccountId}:user/${IAMUserName}'
Effect: Allow
- Action:
- iam:GetPolicy
- iam:GetPolicyVersion
- iam:SimulateCustomPolicy
Resource:
- '*'
- 'arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy'
- 'arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy'
- 'arn:aws:iam::aws:policy/service-role/AmazonEFSCSIDriverPolicy'
- 'arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy'
- !Ref AWSIAMManagedPolicyCloudProviderNodes
- !Ref AWSIAMManagedPolicyControllers
- !Sub 'arn:aws:iam::${AWS::AccountId}:policy/${IAMUserName}-emp-policy'
Effect: Allow
- Action:
# read-only
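Review bot: `iam:SimulateCustomPolicy` carries no resource-level permissions and is only authorizable with `Resource: - '*'`, so if it stays in the Action list once this hunk replaces `- '*'` with the enumerated policy ARNs, the simulation call is denied at runtime while the template still reads as if it were granted; the rendered diff does not show which side the `iam:SimulateCustomPolicy` and `- '*'` lines are on, so this may already be handled. If the tooling still runs the simulation, keep the action in a statement of its own with `Resource: - '*'`; if it no longer does, drop it from the list so the grant reflects what is used. The same question applies to the `iam:SimulateCustomPolicy` line in the second hunk of emp/emp_role_cftemplate.yaml. The enclosing policy statement list starts and ends outside the hunk.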
