Creating and Assigning IAM Policies

Two custom Identity and Access Management (IAM) policies must be created in AWS to grant the permissions that the following two types of EKS users need:

  1. The first type of user accesses AWS services to set up the K8s infrastructure, i.e., the user who configures, creates, and maintains the EKS cluster and node groups. This policy is called the EKS Cluster Admin.
  2. The second type of user connects to the EKS cluster and deploys the dynamic Anzo applications. Typically this user is Anzo itself. Since Anzo communicates with the K8s services that provision the applications, the Anzo service account needs to be granted certain privileges. This user role is called the EKS Cluster Developer.

    The enterprise-level Anzo service account is a requirement for the Anzo installation and is typically in place before Anzo is installed. For more information, see Platform Service User Account Requirements.

This topic provides instructions for creating the two policies and gives guidance on attaching the policies to the appropriate users or roles.

Create and Assign the EKS Cluster Admin Policy

The following IAM policy grants the permissions an EKS cluster administrator needs to create and manage the cluster and node groups. Note that it allows iam:PassRole and several service-wide wildcards (autoscaling:*, cloudformation:*, elasticloadbalancing:*, ec2:*, eks:*) on Resource "*". iam:PassRole on "*" lets the principal hand any role in the account to a service, so where your organization requires least privilege, restrict that statement to the ARNs of the cluster and node group roles. Follow the steps below to create the policy and attach it to the appropriate principal.

  1. Refer to Creating IAM Policies in the AWS documentation to create the following policy using your preferred method. You can save the contents below as a JSON file on your workstation and use the AWS CLI to create the policy, or you can paste the contents on the JSON tab if you use the IAM console.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "IAMPermissions",
          "Effect": "Allow",
          "Action": [
            "iam:GetInstanceProfile",
            "iam:CreateInstanceProfile",
            "iam:AddRoleToInstanceProfile",
            "iam:RemoveRoleFromInstanceProfile",
            "iam:DeleteInstanceProfile",
            "iam:GetRole",
            "iam:CreateRole",
            "iam:TagRole",
            "iam:PassRole",
            "iam:GetRolePolicy",
            "iam:AttachRolePolicy",
            "iam:PutRolePolicy",
            "iam:DetachRolePolicy",
            "iam:DeleteRolePolicy",
            "iam:UntagRole",
            "iam:DeleteRole"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ComputeAndEKS",
          "Effect": "Allow",
          "Action": [
            "autoscaling:*",
            "cloudformation:*",
            "elasticloadbalancing:*",
            "ec2:*",
            "eks:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "ECRPushPull",
          "Effect": "Allow",
          "Action": [
            "ecr:CompleteLayerUpload",
            "ecr:DescribeImages",
            "ecr:GetAuthorizationToken",
            "ecr:DescribeRepositories",
            "ecr:UploadLayerPart",
            "ecr:InitiateLayerUpload",
            "ecr:BatchCheckLayerAvailability",
            "ecr:PutImage"
          ],
          "Resource": "*"
        }
      ]
    }
  2. Once the policy has been created, attach the policy to any principal that will be used to configure, create, and maintain the EKS cluster and node groups. For instructions on attaching policies, see Adding and removing IAM identity permissions in the AWS Identity and Access Management User Guide.

Create and Assign the EKS Cluster Developer Policy

The following IAM policy grants the permissions an EKS cluster developer needs. As with the admin policy, the Compute statement uses service-wide wildcards on Resource "*"; restrict it with resource ARNs or condition keys where your environment allows. Follow the steps below to create the policy and attach it to the Anzo service account.

  1. Refer to Creating IAM Policies in the AWS Identity and Access Management User Guide to create the following policy using your preferred method. You can save the contents below as a JSON file on your workstation and use the AWS CLI to create the policy, or you can paste the contents on the JSON tab if you use the IAM console.
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Compute",
          "Effect": "Allow",
          "Action": [
            "ec2:*",
            "elasticloadbalancing:*",
            "autoscaling:*"
          ],
          "Resource": "*"
        },
        {
          "Sid": "Pricing",
          "Effect": "Allow",
          "Action": [
            "pricing:GetProducts"
          ],
          "Resource": "*"
        },
        {
          "Sid": "EKSListAndDescribe",
          "Effect": "Allow",
          "Action": [
            "eks:ListUpdates",
            "eks:DescribeCluster",
            "eks:DescribeNodegroup",
            "eks:ListClusters",
            "eks:ListNodegroups",
            "eks:ListTagsForResource"
          ],
          "Resource": "arn:aws:eks:*:*:cluster/*"
        },
        {
          "Sid": "ECRPull",
          "Effect": "Allow",
          "Action": [
            "ecr:GetDownloadUrlForLayer",
            "ecr:GetAuthorizationToken",
            "ecr:BatchGetImage",
            "ecr:BatchCheckLayerAvailability"
          ],
          "Resource": "*"
        }
      ]
    }

    The eks:DescribeNodegroup, eks:ListNodegroups, and eks:ListTagsForResource actions are required only for AWS GovCloud deployments and can be omitted in other partitions. IAM rejects policy documents that contain comments, so keep the JSON free of // annotations. In GovCloud, resource ARNs use the aws-us-gov partition, so change the Resource value to "arn:aws-us-gov:eks:*:*:cluster/*". Verify the result with the IAM policy simulator or by calling the APIs as the Anzo principal: eks:ListClusters does not support resource-level permissions and must be allowed on "*" in its own statement, and eks:DescribeNodegroup is evaluated against the node group ARN rather than the cluster ARN.

  2. Once the policy has been created, attach the policy to the Anzo service user so that Anzo has permission to connect to the EKS services and deploy application pods. For instructions on attaching policies, see Adding and removing IAM identity permissions in the AWS Identity and Access Management User Guide.
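Both procedures above end the same way: produce a valid policy document, review what it grants, then create and attach it. The following Python script is an added example, not part of the Anzo documentation or product, that performs the pre-flight checks a practitioner wants before running the AWS CLI: it strips // comments (which the IAM JSON parser rejects) outside string values, flags iam:PassRole and service-wide wildcards granted on Resource "*", checks that ARNs use the expected partition (aws or aws-us-gov), and builds the aws iam create-policy and attach-user-policy/attach-role-policy commands. The embedded policy document is a constructed, cut-down sample; the policy name EKSClusterDeveloper, the file name policy.clean.json and the user name anzo-service are placeholders.

```python
import json
import re
import sys

# Constructed sample (not copied from this page): a cut-down policy document that
# reproduces a `//` comment (rejected by IAM) and broad wildcard grants on Resource "*".
SAMPLE_POLICY_TEXT = r'''{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissions",
      "Effect": "Allow",
      "Action": ["iam:PassRole", "ec2:*"],
      "Resource": "*"
    },
    {
      "Sid": "EKSListAndDescribe",
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:DescribeNodegroup", //Needed for GovCloud only
        "eks:ListClusters"
      ],
      "Resource": "arn:aws:eks:*:*:cluster/*"
    }
  ]
}'''

# Matches a complete JSON string literal first, so a `//` inside a value is never
# mistaken for a comment; a `//` outside a string is matched to end of line.
_STRING_OR_COMMENT = re.compile(r'"(?:\\.|[^"\\])*"|//[^\n]*')

def strip_line_comments(text: str) -> str:
    """Drop `// ...` comments outside string literals; newlines are kept."""
    return _STRING_OR_COMMENT.sub(lambda m: "" if m.group(0).startswith("//") else m.group(0), text)

def is_valid_json(text: str) -> bool:
    try:
        json.loads(text)
    except ValueError:
        return False
    return True

def load_policy(text: str) -> dict:
    """Parse a policy document after dropping comments."""
    return json.loads(strip_line_comments(text))

def _as_list(value):
    return value if isinstance(value, list) else [value]

def audit_policy(policy: dict, partition: str = "aws") -> list:
    """Return findings for Allow statements that deserve a second look.
    Use partition "aws" for commercial regions and "aws-us-gov" for GovCloud."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and "iam:PassRole" in actions:
            findings.append(f'{sid}: iam:PassRole on Resource "*" lets the principal hand any role in the account to a service; scope it to the cluster and node group role ARNs')
        for action in actions:
            if action.endswith(":*") and "*" in resources:
                findings.append(f'{sid}: service-wide action {action} on Resource "*"')
        for res in resources:
            if res.startswith("arn:") and not res.startswith(f"arn:{partition}:"):
                findings.append(f"{sid}: resource {res} is not in partition {partition} and will never match there")
    return findings

def render_cli_commands(policy_name, policy_file, principal_type, principal_name):
    """Build the AWS CLI calls that create the policy and attach it to a user or role."""
    if principal_type not in ("user", "role"):
        raise ValueError("principal_type must be 'user' or 'role'")
    create = (f"POLICY_ARN=$(aws iam create-policy --policy-name {policy_name} "
              f"--policy-document file://{policy_file} --query Policy.Arn --output text)")
    attach = f'aws iam attach-{principal_type}-policy --{principal_type}-name {principal_name} --policy-arn "$POLICY_ARN"'
    return [create, attach]

if __name__ == "__main__":
    # usage: python policy_check.py [policy.json] [aws|aws-us-gov]  (placeholder names below)
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY_TEXT
    partition = sys.argv[2] if len(sys.argv) > 2 else "aws"
    policy = load_policy(text)
    for finding in audit_policy(policy, partition):
        print("WARN:", finding)
    with open("policy.clean.json", "w") as fh:  # comment-free copy for the CLI
        json.dump(policy, fh, indent=2)
    for cmd in render_cli_commands("EKSClusterDeveloper", "policy.clean.json", "user", "anzo-service"):
        print(cmd)
```

Run it against the developer policy saved from this page with aws-us-gov as the second argument to see the partition mismatch in the Resource ARN reported; the printed commands can then be run as-is, with attach-role-policy substituted when the Anzo principal is a role rather than a user.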

Once the IAM policies are in place and attached to principals, proceed to Creating the EKS Cluster for instructions on configuring and creating the cluster.