Skip to content

Latest commit

 

History

History
105 lines (71 loc) · 6.41 KB

File metadata and controls

105 lines (71 loc) · 6.41 KB

Minimal IAM Permission Map

This doc maps each manifest in samples to the minimal IAM permissions needed to create and run the test and resources.

The policies can be created using the aws iam create-policy command and attached to a role using aws iam attach-role-policy.

Without iam:CreateRole Permission

These policies do not include the iam:CreateRole permission.

In order for the resources and tests to be created as desired, the ARN of an existing role should be provided instead.

  • For ECS clusters, this can be accomplished by adding a field iamInstanceProfileName to the ECS cluster config, the value of which is the ARN of a role with at least these permissions: ecs-iam-instance-profile.json.

  • For EKS clusters, this can be accomplished by replacing the clusterName, region, and version fields with an encodedConfig field in the EKS cluster config. This field's value should be a string representing a base64-encoded EKS cluster config, an example of which can be found here. This config should contain the ARNs of an existing service role and an existing node instance role with at least these permissions: eks-service-role.json and eks-node-instance-role.json.

ECS Test

ECS Migration Test

ECS Workload Test

Sonobuoy Test

Sonobuoy Migration Test

K8S Workload Test

With iam:CreateRole Permission

Some of these policies include the iam:CreateRole permission.

Note: This is considered dangerous because there is no limit to the permissions and policies that can be assigned to the role created this way, so this new role could end up with Administrator privileges.

ECS Test

ECS Migration Test

ECS Workload Test

Sonobuoy Test

Sonobuoy Migration Test

K8S Workload Test