IAM Policy
The IAM policy JSON below is required for auto-provisioning upstream Kubernetes (Rafay MKS) clusters on Amazon AWS EC2 infrastructure. The same policy applies to both IAM Role-based and IAM User-based Cloud Credentials. Note that every statement in the policy uses `"Resource": ["*"]`, including the statement granting `iam:CreateRole`, `iam:PutRolePolicy` and `iam:PassRole`, so the credential receives these actions account-wide rather than scoped to cluster-specific resources.
Important
As Rafay adds new functionality, we will periodically update the IAM Policy. Ensure that you are using the latest version. The version below was updated on 7 Jun, 2020 as part of the v1.2.5 release.
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:CreateKeyPair",
"ec2:AllocateAddress",
"ec2:CreateVpc",
"ec2:ModifyVpcAttribute",
"ec2:CreateTags",
"ec2:CreateInternetGateway",
"ec2:CreateSubnet",
"ec2:CreateSecurityGroup",
"ec2:CreateRouteTable",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:ModifySubnetAttribute",
"ec2:AttachInternetGateway",
"ec2:CreateNatGateway",
"ec2:AssociateRouteTable",
"ec2:CreateRoute",
"ec2:RunInstances",
"ec2:AssociateAddress",
"ec2:DeleteKeyPair",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteRoute",
"ec2:DisassociateRouteTable",
"ec2:DisassociateAddress",
"ec2:DeleteRouteTable",
"ec2:DetachInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteSubnet",
"ec2:TerminateInstances",
"ec2:ReleaseAddress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteInternetGateway",
"ec2:DeleteVpc",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImages",
"ec2:DescribeKeyPairs",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeInstances",
"ec2:DescribeHosts",
"ec2:DescribeVolumes",
"ec2:DescribeVolumeStatus",
"ec2:DescribePlacementGroups",
"ec2:DescribeInstanceStatus",
"ec2:DescribeAccountAttributes",
"ec2:DescribeSnapshots",
"ec2:DescribeIdFormat",
"ec2:DescribeAddresses",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeVpcs",
"ec2:DescribeInternetGateways",
"ec2:DescribeRouteTables",
"ec2:DescribeNatGateways"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:PutRolePolicy",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteRolePolicy",
"iam:DeleteRole",
"iam:GetRolePolicy",
"iam:ListPolicies",
"iam:PassRole",
"iam:CreateServiceLinkedRole",
"iam:ListAttachedRolePolicies"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"cloudformation:DeleteStack",
"cloudformation:SignalResource",
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:ListStackResources",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:DescribeStackResource"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:DescribeScalingActivities",
"autoscaling:SetDesiredCapacity",
"autoscaling:TerminateInstanceInAutoScalingGroup"
],
"Resource": [
"*"
]
}
]
}