changes to user template

platform9 · Oct 7, 2024 · d6542fb · d6542fb
1 parent 50fc70b
commit d6542fb
Showing 1 changed file with 5 additions and 3 deletions.
diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
@@ -47,14 +47,16 @@ Resources:
             Resource:
               - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
           - Action:
-              # they are related to some heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+              # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
+              # additionally, these permissions allow us to get a shell to the baremetal instance without ssh using AWS Systems manager.
+              # This is a useful diagnostic tool in case of an emergency.
               - ssm:UpdateInstanceInformation
               - ssmmessages:CreateControlChannel
               - ssmmessages:CreateDataChannel
               - ssmmessages:OpenControlChannel
               - ssmmessages:OpenDataChannel
-              # discuss why this is needed
-              - s3:GetEncryptionConfiguration
+#              - s3:GetEncryptionConfiguration
             Effect: Allow
             Resource:
               - '*'