EMP-2627, add ssm and ssmmessages explainer, comment s3:GetEncryptionConfiguration (#57)

* add ssm and ssmmessages explainer, comment s3:GetEncryptionConfiguration.

* changes to user template

* more explainer comments
Rohitrajak1807 authored Oct 7, 2024
1 parent 0abcf01 commit 178160b
Showing 2 changed files with 14 additions and 5 deletions.
8 changes: 6 additions & 2 deletions emp/emp_role_cftemplate.yaml
Expand Up @@ -43,13 +43,14 @@ Resources:
- Action:
# they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
# these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
# additionally, these permissions allow us to get a shell to the baremetal instance without ssh using AWS Systems manager.
# This is a useful diagnostic tool in case of an emergency.
- ssm:UpdateInstanceInformation
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
# discuss why this is needed
- s3:GetEncryptionConfiguration
# - s3:GetEncryptionConfiguration
Effect: Allow
Resource:
- '*'
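Review bot: the `# discuss why this is needed` line is now stale, since the action below it (`# - s3:GetEncryptionConfiguration`) is commented out in this same hunk; either drop both lines or replace the TODO with the reason the action was removed and whether anything still depends on it, so the question is not reopened at the next review. On the new explainer: the comment says the linked AWS docs give no resource type for these actions and `Resource: '*'` is kept, which matches the ssmmessages message APIs, but `ssm:UpdateInstanceInformation` is a separate service prefix and is worth checking against the Service Authorization Reference before asserting it cannot be scoped. The comment also documents that this statement is what makes a shell on the bare-metal instance possible through Systems Manager without SSH; since that is interactive access and not only heartbeat, a one-line pointer to where session activity is logged or reviewed would make the "emergency diagnostic" framing auditable. Style nit: "Systems manager" should be "Systems Manager".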
Expand Down Expand Up @@ -212,6 +213,7 @@ Resources:
# Effect: Allow
# Resource:
# - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
# capa controllers delete the secret once it's no longer needed. This is also needed.
- Action:
- secretsmanager:CreateSecret
- secretsmanager:DeleteSecret
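Review bot: "This is also needed." in the new comment does not say what "this" refers to; since the comment sits above a statement granting both `secretsmanager:CreateSecret` and `secretsmanager:DeleteSecret`, it should name `DeleteSecret` explicitly as the action being justified by the CAPA controllers' cleanup, e.g. "DeleteSecret is needed because the CAPA controllers delete the secret once it is no longer needed." Also note that in the context above, the statement on the `arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io` resource is commented out in this template; if that is intentional, a short comment saying why would help, because the same statement is active in emp_user_cftemplate.yaml.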
Expand Down Expand Up @@ -286,6 +288,8 @@ Resources:
Resource:
- '*'
Effect: Allow
# read-only access to IAM resources attached to the role we create. This is needed for an upcoming rework
# where we check if the IAM role or the user has sufficient permissions or not.
- Action:
- iam:GetPolicy
- iam:GetPolicyVersion
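Review bot: the comment justifies `iam:GetPolicy` / `iam:GetPolicyVersion` with "an upcoming rework", i.e. the permission is being granted before any code in this change uses it; either land it together with the rework or add the ticket reference (EMP-2627 or the rework's own ticket) to the comment so the grant can be revisited if the rework does not happen. Also state in the comment whether these read-only actions are meant to be resource-scoped to the role this template creates, since the `Resource: '*'` shown just above belongs to the previous statement and this statement's own `Resource` is outside the hunk.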
11 changes: 8 additions & 3 deletions emp/emp_user_cftemplate.yaml
Expand Up @@ -47,14 +47,16 @@ Resources:
Resource:
- arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
- Action:
# they are related to some heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
# they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
# these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
# additionally, these permissions allow us to get a shell to the baremetal instance without ssh using AWS Systems manager.
# This is a useful diagnostic tool in case of an emergency.
- ssm:UpdateInstanceInformation
- ssmmessages:CreateControlChannel
- ssmmessages:CreateDataChannel
- ssmmessages:OpenControlChannel
- ssmmessages:OpenDataChannel
# discuss why this is needed
- s3:GetEncryptionConfiguration
# - s3:GetEncryptionConfiguration
Effect: Allow
Resource:
- '*'
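Review bot: same stale `# discuss why this is needed` TODO as in emp_role_cftemplate.yaml: the `s3:GetEncryptionConfiguration` action it refers to is commented out in this hunk, so the line should either go or be rewritten to record why the action was dropped. The reworded first comment line ("some heartbeat" to "heartbeat") is fine, but the whole explainer block is now duplicated verbatim across the two templates; if the two statements must stay in sync, a comment in each pointing at the other would reduce the chance of one being edited alone. The comment's "AWS docs don't disclose a resource type" claim should be checked for `ssm:UpdateInstanceInformation` separately from the ssmmessages actions before keeping `Resource: '*'` on the basis of that sentence.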
Expand Down Expand Up @@ -218,6 +220,7 @@ Resources:
Effect: Allow
Resource:
- arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
# capa controllers delete the secret once it's no longer needed. This is also needed.
- Action:
- secretsmanager:CreateSecret
- secretsmanager:DeleteSecret
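Review bot: as in the role template, "This is also needed." should say what it refers to; name `secretsmanager:DeleteSecret` as the action justified by the CAPA controllers deleting the secret. Here the preceding statement (`Effect: Allow` on `arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io`) is active, whereas the equivalent lines in emp_role_cftemplate.yaml are commented out; a comment explaining the difference would help reviewers confirm it is intended rather than drift between the two templates.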
Expand Down Expand Up @@ -300,6 +303,8 @@ Resources:
Resource:
- '*'
Effect: Allow
# read-only access to IAM resources attached to the role we create. This is needed for an upcoming rework
# where we check if the IAM role or the user has sufficient permissions or not.
- Action:
- iam:GetUser
- iam:GetUserPolicy
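Review bot: the new comment says "read-only access to IAM resources attached to the role we create", but the actions in this hunk are `iam:GetUser` and `iam:GetUserPolicy`, which read an IAM user, not a role; the sentence was copied from the role template and should say "user" here (its second sentence already speaks of "the IAM role or the user"). As with the role template, the grant is justified by an "upcoming rework" that this change does not contain, so add the ticket reference and confirm the intended `Resource` scope for these read-only actions.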
