diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
index b29a2f4..6a49dad 100644
--- a/emp/emp_role_cftemplate.yaml
+++ b/emp/emp_role_cftemplate.yaml
@@ -42,6 +42,7 @@ Resources:
 - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
 - Action:
 # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+ # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
 - ssm:UpdateInstanceInformation
 - ssmmessages:CreateControlChannel
 - ssmmessages:CreateDataChannel
@@ -324,9 +325,6 @@ Resources:
 Condition:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
- StringLike:
- aws:RequestTag/emp.pf9.io/baremetalpool: '*'
- aws:RequestTag/emp.pf9.io/namespace: '*'
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -338,9 +336,6 @@ Resources:
 Condition:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
- StringLike:
- aws:ResourceTag/emp.pf9.io/namespace: '*'
- aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
index 8700f60..70fe861 100644
--- a/emp/emp_user_cftemplate.yaml
+++ b/emp/emp_user_cftemplate.yaml
@@ -334,9 +334,6 @@ Resources:
 Condition:
 StringEquals:
 aws:RequestTag/emp.pf9.io: owned
- StringLike:
- aws:RequestTag/emp.pf9.io/baremetalpool: '*'
- aws:RequestTag/emp.pf9.io/namespace: '*'
 - Action:
 - elasticfilesystem:DescribeFileSystems
 - elasticfilesystem:CreateMountTarget
@@ -348,9 +345,6 @@ Resources:
 Condition:
 StringEquals:
 aws:ResourceTag/emp.pf9.io: owned
- StringLike:
- aws:ResourceTag/emp.pf9.io/namespace: '*'
- aws:ResourceTag/emp.pf9.io/baremetalpool: '*'
 - Action:
 - elasticfilesystem:TagResource
 Effect: Allow
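Review bot: The new comment on the SSM actions says AWS docs "don't disclose a resource type", which reads as uncertainty rather than the reason the statement has to use a wildcard resource; as far as I recall the Service Authorization Reference lists `ssm:UpdateInstanceInformation` and the `ssmmessages:*` channel actions as not supporting resource-level permissions at all, which is the fact a future reviewer of the `Resource: '*'` will want. I would phrase it as `# ssm:UpdateInstanceInformation and the ssmmessages:* channel actions do not support resource-level permissions (see the AWS Service Authorization Reference), so Resource must stay '*'; they are issued by the SSM agent on the EC2 instance itself.` The statement's `Resource` element is outside the hunk, so I am inferring from the comment that it is a wildcard.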
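Review bot: Removing the `StringLike` block under the `aws:RequestTag/emp.pf9.io: owned` condition in emp_role_cftemplate.yaml is a permission widening, not a cleanup: `StringLike` with `'*'` does not match arbitrary requests, it requires the `emp.pf9.io/baremetalpool` and `emp.pf9.io/namespace` tag keys to be present, so after this change the Allow needs only the `owned` marker and create requests carrying no namespace or pool tag now succeed. If that is intended (e.g. the caller never set those tags and the condition was failing), record it where the condition is read, something like `# only the owned marker is enforced; namespace/baremetalpool tags are optional on create` above `Condition:`; if it is not intended, keep the presence check. Note that `StringLikeIfExists` would not preserve the old behaviour as a middle ground, because with `'*'` it evaluates true whenever the key is absent. The statement's `Action` and `Resource` entries sit above the hunk, so I cannot see which create call this condition gates.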
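Review bot: In the `aws:ResourceTag/emp.pf9.io: owned` hunk of emp_role_cftemplate.yaml, the dropped `StringLike` on `emp.pf9.io/namespace` and `emp.pf9.io/baremetalpool` was the only part of the condition tying the statement to resources that carry a namespace/pool tag; with it gone, every resource tagged `emp.pf9.io=owned` is in scope, including ones created without those keys or, presumably, by a different pool. If per-pool or per-namespace isolation is a goal of these templates, that deserves a comment above `Condition:` such as `# scoped by the owned marker only; per-namespace/pool isolation is not enforced here`, or an explanation in the commit message. Since the remaining guard is a single tag value, I would also check the `elasticfilesystem:TagResource` statement that begins at the bottom of the hunk (its condition, if any, is outside the view) to make sure a principal cannot stamp `emp.pf9.io=owned` onto arbitrary file systems and pull them into scope. The statement's `Action` and `Resource` are above the hunk.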
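Review bot: The same widening appears in emp_user_cftemplate.yaml at the `aws:RequestTag/emp.pf9.io: owned` condition: deleting the `StringLike` lines removes the requirement that the `emp.pf9.io/baremetalpool` and `emp.pf9.io/namespace` keys be present on the request, so this user policy now allows the tagged create call with the `owned` marker alone. Because this is the user-facing template, a short comment above `Condition:` stating the intent, e.g. `# presence of namespace/baremetalpool tags is intentionally not required`, would stop the next reader from re-adding the check or assuming isolation that no longer exists. The gated `Action` and `Resource` are above the hunk.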
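Review bot: In the `aws:ResourceTag/emp.pf9.io: owned` hunk of emp_user_cftemplate.yaml, dropping the `StringLike` on `emp.pf9.io/namespace` and `emp.pf9.io/baremetalpool` brings any `owned`-tagged resource into scope regardless of which namespace or pool it belongs to, which is a broader grant than before for the user principal. If that is acceptable, a one-line comment above `Condition:` such as `# any emp.pf9.io=owned resource is in scope; no per-namespace/pool restriction` documents the decision; if not, the presence check should stay. The statement's `Action`/`Resource` and the condition of the following `TagResource` statement are outside the hunk, so I cannot tell whether tagging is itself constrained.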