
AWS Installation Permissions

The Deployer requires the following IAM permissions to run on AWS:

json
{
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "AutoscalingList",
			"Effect": "Allow",
			"Action": [
				"autoscaling:DescribeAutoScalingGroups"
			],
			"Resource": "*"
		},
		{
			"Sid": "AutoscalingWrite",
			"Effect": "Allow",
			"Action": [
				"autoscaling:CreateOrUpdateTags"
			],
			"Resource": "*"
		},
		{
			"Sid": "EC2List",
			"Effect": "Allow",
			"Action": [
				"ec2:DescribeAccountAttributes",
				"ec2:DescribeAddresses",
				"ec2:DescribeAddressesAttribute",
				"ec2:DescribeAddressTransfers",
				"ec2:DescribeAvailabilityZones",
				"ec2:DescribeCustomerGateways",
				"ec2:DescribeDhcpOptions",
				"ec2:DescribeEgressOnlyInternetGateways",
				"ec2:DescribeHosts",
				"ec2:DescribeImages",
				"ec2:DescribeInstanceConnectEndpoints",
				"ec2:DescribeInstances",
				"ec2:DescribeInstanceStatus",
				"ec2:DescribeInternetGateways",
				"ec2:DescribeKeyPairs",
				"ec2:DescribeLaunchTemplates",
				"ec2:DescribeLaunchTemplateVersions",
				"ec2:DescribeNatGateways",
				"ec2:DescribeNetworkAcls",
				"ec2:DescribeNetworkInterfaces",
				"ec2:DescribePlacementGroups",
				"ec2:DescribeRegions",
				"ec2:DescribeRouteTables",
				"ec2:DescribeSecurityGroups",
				"ec2:DescribeSnapshots",
				"ec2:DescribeSubnets",
				"ec2:DescribeTags",
				"ec2:DescribeVolumes",
				"ec2:DescribeVolumeStatus",
				"ec2:DescribeVpcEndpoints",
				"ec2:DescribeVpcEndpointServiceConfigurations",
				"ec2:DescribeVpcPeeringConnections",
				"ec2:DescribeVpcs",
				"ec2:DescribeVpnConnections",
				"ec2:DescribeVpnGateways"
			],
			"Resource": "*"
		},
		{
			"Sid": "EC2TagOnWrite",
			"Effect": "Allow",
			"Action": [
				"ec2:CreateTags"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"ec2:CreateAction": [
						"AllocateAddress",
						"CreateInternetGateway",
						"CreateLaunchTemplate",
						"CreateNatGateway",
						"CreatePlacementGroup",
						"CreateRouteTable",
						"CreateSubnet",
						"CreateVpc",
						"CreateVpcEndpoint",
						"RunInstances"
					]
				}
			}
		},
		{
			"Sid": "EC2Write",
			"Effect": "Allow",
			"Action": [
				"ec2:ModifyNetworkInterfaceAttribute"
			],
			"Resource": "*"
		},
		{
			"Sid": "EC2WriteWithTags",
			"Effect": "Allow",
			"Action": [
				"ec2:AllocateAddress",
				"ec2:CreateInternetGateway",
				"ec2:CreateLaunchTemplate",
				"ec2:CreateNatGateway",
				"ec2:CreatePlacementGroup",
				"ec2:CreateRouteTable",
				"ec2:CreateSubnet",
				"ec2:CreateVpc",
				"ec2:CreateVpcEndpoint",
				"ec2:RunInstances"
			],
			"Resource": "*",
			"Condition": {
				"Null": {
					"aws:TagKeys": "false"
				},
				"StringEquals": {
					"aws:RequestTag/cluster_yellowbrick_io_creator": "${aws:PrincipalTag/cluster_yellowbrick_io_creator}",
					"aws:RequestTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "EC2WriteTaggedResource",
			"Effect": "Allow",
			"Action": [
				"ec2:AssociateRouteTable",
				"ec2:AttachInternetGateway",
				"ec2:CreateLaunchTemplateVersion",
				"ec2:CreateNatGateway",
				"ec2:CreateRoute",
				"ec2:CreateRouteTable",
				"ec2:CreateSubnet",
				"ec2:CreateVpcEndpoint",
				"ec2:DeleteInternetGateway",
				"ec2:DeleteLaunchTemplate",
				"ec2:DeleteNatGateway",
				"ec2:DeletePlacementGroup",
				"ec2:DeleteRouteTable",
				"ec2:DeleteSubnet",
				"ec2:DeleteVpc",
				"ec2:DeleteVpcEndpoints",
				"ec2:DetachInternetGateway",
				"ec2:DisassociateRouteTable",
				"ec2:ModifyNetworkInterfaceAttribute",
				"ec2:ModifyVpcAttribute",
				"ec2:ReleaseAddress",
				"ec2:RunInstances"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_creator": "${aws:PrincipalTag/cluster_yellowbrick_io_creator}",
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "ECRRead",
			"Effect": "Allow",
			"Action": [
				"ecr:DescribeRepositories"
			],
			"Resource": "arn:*:ecr:*:*:repository/*"
		},
		{
			"Sid": "ECRReadTaggedResource",
			"Effect": "Allow",
			"Action": [
				"ecr:BatchCheckLayerAvailability",
				"ecr:BatchGetImage",
				"ecr:DescribeRepositories",
				"ecr:GetDownloadUrlForLayer",
				"ecr:ListTagsForResource"
			],
			"Resource": "arn:*:ecr:*:*:repository/yb-*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "ECRToken",
			"Effect": "Allow",
			"Action": [
				"ecr:GetAuthorizationToken"
			],
			"Resource": "*"
		},
		{
			"Sid": "ECRWriteTaggedResource",
			"Effect": "Allow",
			"Action": [
				"ecr:CompleteLayerUpload",
				"ecr:DeleteRepository",
				"ecr:InitiateLayerUpload",
				"ecr:PutImage",
				"ecr:UploadLayerPart"
			],
			"Resource": "arn:*:ecr:*:*:repository/yb-*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "ECRWriteWithTags",
			"Effect": "Allow",
			"Action": [
				"ecr:CreateRepository",
				"ecr:TagResource"
			],
			"Resource": "arn:*:ecr:*:*:repository/yb-*",
			"Condition": {
				"Null": {
					"aws:TagKeys": "false"
				},
				"StringEquals": {
					"aws:RequestTag/cluster_yellowbrick_io_creator": "${aws:PrincipalTag/cluster_yellowbrick_io_creator}",
					"aws:RequestTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "EKSList",
			"Effect": "Allow",
			"Action": [
				"eks:DeleteAccessEntry",
				"eks:DescribeAccessEntry",
				"eks:DescribeCluster",
				"eks:ListAssociatedAccessPolicies",
				"eks:ListClusters"
			],
			"Resource": "*"
		},
		{
			"Sid": "EKSReadTaggedResource",
			"Effect": "Allow",
			"Action": [
				"eks:DescribeAddon",
				"eks:DescribeUpdate",
				"eks:ListNodegroups"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "EKSDescribeNodegroup",
			"Effect": "Allow",
			"Action": [
				"eks:DescribeNodegroup"
			],
			"Resource": "*",
			"Condition": {}
		},
		{
			"Sid": "EKSWriteWithNodegroupRole",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole"
			],
			"Resource": [
				"arn:*:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup"
			]
		},
		{
			"Sid": "EKSWriteWithNodegroupRun",
			"Effect": "Allow",
			"Action": [
				"ec2:RunInstances"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Sid": "EKSWriteTaggedResource",
			"Effect": "Allow",
			"Action": [
				"eks:AssociateAccessPolicy",
				"eks:CreateAccessEntry",
				"eks:CreateAddon",
				"eks:CreateNodegroup",
				"eks:DeleteCluster",
				"eks:DeleteNodegroup",
				"eks:DisassociateAccessPolicy",
				"eks:TagResource",
				"eks:UpdateAddon",
				"eks:UpdateClusterConfig"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "EKSWriteWithTags",
			"Effect": "Allow",
			"Action": [
				"eks:CreateAccessEntry",
				"eks:CreateAddon",
				"eks:CreateCluster",
				"eks:CreateNodegroup",
				"eks:TagResource"
			],
			"Resource": "*",
			"Condition": {
				"Null": {
					"aws:TagKeys": "false"
				},
				"StringEquals": {
					"aws:RequestTag/cluster_yellowbrick_io_creator": "${aws:PrincipalTag/cluster_yellowbrick_io_creator}",
					"aws:RequestTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "ELBList",
			"Effect": "Allow",
			"Action": [
				"elasticloadbalancing:DescribeLoadBalancers",
				"elasticloadbalancing:DescribeTargetGroups",
				"elasticloadbalancing:DescribeTags"
			],
			"Resource": "*"
		},
		{
			"Sid": "IAMPassRole",
			"Effect": "Allow",
			"Action": [
				"iam:PassRole"
			],
			"Resource": "arn:*:iam::*:role/*",
			"Condition": {
				"StringEquals": {
					"iam:PassedToService": [
						"autoscaling.amazonaws.com",
						"ec2.amazonaws.com",
						"eks.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "IAMReadTaggedResource",
			"Effect": "Allow",
			"Action": [
				"iam:GetOpenIDConnectProvider",
				"iam:GetRole",
				"iam:ListAttachedRolePolicies",
				"iam:ListRolePolicies"
			],
			"Resource": [
				"arn:*:iam::*:oidc-provider/*",
				"arn:*:iam::*:role/*"
			],
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "IAMWriteTaggedResource",
			"Effect": "Allow",
			"Action": [
				"iam:AttachRolePolicy",
				"iam:CreateRole",
				"iam:DeleteOpenIDConnectProvider",
				"iam:DeleteRole",
				"iam:DeleteRolePolicy",
				"iam:DetachRolePolicy",
				"iam:ListInstanceProfilesForRole",
				"iam:PutRolePolicy",
				"iam:RemoveRoleFromInstanceProfile",
				"iam:TagOpenIDConnectProvider",
				"iam:TagRole",
				"iam:UpdateAssumeRolePolicy"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "IAMWriteWithTags",
			"Effect": "Allow",
			"Action": [
				"iam:CreateOpenIDConnectProvider",
				"iam:CreateRole",
				"iam:TagOpenIDConnectProvider",
				"iam:TagRole"
			],
			"Resource": "*",
			"Condition": {
				"Null": {
					"aws:TagKeys": "false"
				},
				"StringEquals": {
					"aws:RequestTag/cluster_yellowbrick_io_creator": "${aws:PrincipalTag/cluster_yellowbrick_io_creator}",
					"aws:RequestTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "S3List",
			"Effect": "Allow",
			"Action": [
				"s3:ListAllMyBuckets"
			],
			"Resource": "*"
		},
		{
			"Sid": "S3Read",
			"Effect": "Allow",
			"Action": [
				"s3:GetBucketLocation",
				"s3:GetBucketObjectLockConfiguration",
				"s3:GetBucketOwnershipControls",
				"s3:GetBucketPolicy",
				"s3:GetBucketVersioning",
				"s3:GetEncryptionConfiguration",
				"s3:ListBucket",
				"s3:ListBucketVersions"
			],
			"Resource": "arn:*:s3:::yb-*"
		},
		{
			"Sid": "S3Write",
			"Effect": "Allow",
			"Action": [
				"s3:CreateBucket",
				"s3:DeleteBucket",
				"s3:PutBucketPolicy",
				"s3:PutBucketTagging",
				"s3:DeleteObject"
			],
			"Resource": "arn:*:s3:::yb-*"
		},
		{
			"Sid": "ServiceLinkedRoleRead",
			"Effect": "Allow",
			"Action": [
				"iam:GetRole"
			],
			"Resource": [
				"*"
			]
		},
		{
			"Effect": "Allow",
			"Action": "iam:CreateServiceLinkedRole",
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"iam:AWSServiceName": [
						"autoscaling.amazonaws.com",
						"eks-nodegroup.amazonaws.com",
						"eks.amazonaws.com",
						"elasticloadbalancing.amazonaws.com"
					]
				}
			}
		},
		{
			"Sid": "SSMReadTaggedResource",
			"Effect": "Allow",
			"Action": [
				"ssm:GetParameters"
			],
			"Resource": "*",
			"Condition": {
				"StringEquals": {
					"aws:ResourceTag/cluster_yellowbrick_io_owner": "${aws:PrincipalTag/cluster_yellowbrick_io_owner}"
				}
			}
		},
		{
			"Sid": "STSRead",
			"Effect": "Allow",
			"Action": [
				"sts:GetCallerIdentity"
			],
			"Resource": "*"
		}
	]
}