From 178160b129a716dbbfc694948987018cd917e6ee Mon Sep 17 00:00:00 2001
From: Rohit Rajak <39493074+Rohitrajak1807@users.noreply.github.com>
Date: Mon, 7 Oct 2024 16:17:10 +0530
Subject: [PATCH] EMP-2627, add ssm and ssmmessages explainer, comment s3:GetEncryptionConfiguration (#57)

* add ssm and ssmmessages explainer, comment s3:GetEncryptionConfiguration.
* changes to user template
* more explainer comments
---
 emp/emp_role_cftemplate.yaml | 8 ++++++--
 emp/emp_user_cftemplate.yaml | 11 ++++++++---
 2 files changed, 14 insertions(+), 5 deletions(-)

diff --git a/emp/emp_role_cftemplate.yaml b/emp/emp_role_cftemplate.yaml
index 6a49dad..5225b1e 100644
--- a/emp/emp_role_cftemplate.yaml
+++ b/emp/emp_role_cftemplate.yaml
@@ -43,13 +43,14 @@ Resources:
 - Action:
 # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
 # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
+ # additionally, these permissions allow us to get a shell to the baremetal instance without ssh using AWS Systems manager.
+ # This is a useful diagnostic tool in case of an emergency.
 - ssm:UpdateInstanceInformation
 - ssmmessages:CreateControlChannel
 - ssmmessages:CreateDataChannel
 - ssmmessages:OpenControlChannel
 - ssmmessages:OpenDataChannel
- # discuss why this is needed
- - s3:GetEncryptionConfiguration
+# - s3:GetEncryptionConfiguration
 Effect: Allow
 Resource:
 - '*'
@@ -212,6 +213,7 @@ Resources:
 # Effect: Allow
 # Resource:
 # - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
+ # capa controllers delete the secret once it's no longer needed. This is also needed.
 - Action:
 - secretsmanager:CreateSecret
 - secretsmanager:DeleteSecret
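Review bot: The new comment says these ssm/ssmmessages actions let us "get a shell to the baremetal instance without ssh", but the five actions listed are only the instance-agent side of Session Manager; the principal that actually opens a session needs `ssm:StartSession` (itself recorded in CloudTrail), which this statement does not grant, so the comment overstates what the policy does and should instead read along the lines of `# instance-agent prerequisites for Systems Manager (heartbeat and Session Manager channels); session-start rights are granted separately, if at all`. Commenting out `s3:GetEncryptionConfiguration` with a `#` at column 0 leaves dead policy text in the template and also drops the old `# discuss why this is needed` rationale; either delete the line or keep a short reason such as `# s3:GetEncryptionConfiguration dropped until a consumer is identified; re-add with a scoped Resource if needed`. Both points apply equally to the matching hunk in emp/emp_user_cftemplate.yaml, where the same statement is presumably attached to an IAM user with long-lived keys. The statement's `Resource: '*'` predates this commit, but now that the comment documents shell-relevant capability it is worth re-checking whether any of these actions can be resource-scoped.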
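Review bot: The added comment `# capa controllers delete the secret once it's no longer needed. This is also needed.` leaves "this" ambiguous: it sits between a fully commented-out statement and a statement granting both `secretsmanager:CreateSecret` and `secretsmanager:DeleteSecret`, so a reader cannot tell whether it justifies the delete action, the whole statement, or the disabled block above it. Suggest `# CAPA controllers delete the secret once it is no longer needed, so DeleteSecret is required alongside CreateSecret.` placed directly above `- Action:`. The statement's Effect and Resource lines fall outside the hunk, so the scope of the grant cannot be confirmed here. The identical comment is added in the matching hunk of emp/emp_user_cftemplate.yaml and should be reworded the same way.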
@@ -286,6 +288,8 @@ Resources:
 Resource:
 - '*'
 Effect: Allow
+ # read-only access to IAM resources attached to the role we create. This is needed for an upcoming rework
+ # where we check if the IAM role or the user has sufficient permissions or not.
 - Action:
 - iam:GetPolicy
 - iam:GetPolicyVersion
diff --git a/emp/emp_user_cftemplate.yaml b/emp/emp_user_cftemplate.yaml
index 70fe861..095836e 100644
--- a/emp/emp_user_cftemplate.yaml
+++ b/emp/emp_user_cftemplate.yaml
@@ -47,14 +47,16 @@ Resources:
 Resource:
 - arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*
 - Action:
- # they are related to some heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+ # they are related to heartbeat sent by systems manager see: https://docs.aws.amazon.com/systems-manager/latest/userguide/systems-manager-setting-up-messageAPIs.html
+ # these permissions are needed by the ec2 instance itself. AWS docs don't disclose a resource type for this.
+ # additionally, these permissions allow us to get a shell to the baremetal instance without ssh using AWS Systems manager.
+ # This is a useful diagnostic tool in case of an emergency.
 - ssm:UpdateInstanceInformation
 - ssmmessages:CreateControlChannel
 - ssmmessages:CreateDataChannel
 - ssmmessages:OpenControlChannel
 - ssmmessages:OpenDataChannel
- # discuss why this is needed
- - s3:GetEncryptionConfiguration
+# - s3:GetEncryptionConfiguration
 Effect: Allow
 Resource:
 - '*'
@@ -218,6 +220,7 @@ Resources:
 Effect: Allow
 Resource:
 - arn:*:iam::*:role/*.cluster-api-provider-aws.sigs.k8s.io
+ # capa controllers delete the secret once it's no longer needed. This is also needed.
 - Action:
 - secretsmanager:CreateSecret
 - secretsmanager:DeleteSecret
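Review bot: The comment justifies `iam:GetPolicy`/`iam:GetPolicyVersion` with "an upcoming rework", i.e. the grant is being added before any consumer uses it; from a least-privilege standpoint the permission should land in the same change as the code that needs it, or the comment should at least name the tracking item so the grant is revisited if the rework stalls. The statement's Resource list is outside the hunk, so it cannot be checked here whether the read is limited to policies attached to the role this template creates or is another `*`; the comment's own phrase "attached to the role we create" is exactly the constraint the Resource should express. Suggest `# read-only on the IAM policies attached to the role created by this template; consumer: <TRACKING-ITEM placeholder>. Keep Resource scoped to those policies.` The same applies to the matching hunk in emp/emp_user_cftemplate.yaml (`iam:GetUser`/`iam:GetUserPolicy`).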
@@ -300,6 +303,8 @@ Resources:
 Resource:
 - '*'
 Effect: Allow
+ # read-only access to IAM resources attached to the role we create. This is needed for an upcoming rework
+ # where we check if the IAM role or the user has sufficient permissions or not.
 - Action:
 - iam:GetUser
 - iam:GetUserPolicy