diff --git a/docs/iam_policies/aws-loadbalancer-controller.json b/docs/iam_policies/aws-loadbalancer-controller.json index 781c65c1..c11ff943 100644 --- a/docs/iam_policies/aws-loadbalancer-controller.json +++ b/docs/iam_policies/aws-loadbalancer-controller.json @@ -2,84 +2,204 @@ "Version": "2012-10-17", "Statement": [ { - "Sid": "", "Effect": "Allow", "Action": [ - "wafv2:GetWebACLForResource", - "wafv2:GetWebACL", - "wafv2:DisassociateWebACL", - "wafv2:AssociateWebACL", - "waf:GetWebACL", - "waf-regional:GetWebACLForResource", - "waf-regional:GetWebACL", - "waf-regional:DisassociateWebACL", - "waf-regional:AssociateWebACL", - "tag:TagResources", - "tag:GetResources", - "shield:ListProtections", - "shield:GetSubscriptionState", - "shield:DescribeSubscription", - "shield:DescribeProtection", - "shield:DeleteProtection", - "shield:CreateProtection", - "iam:ListServerCertificates", - "iam:GetServerCertificate", "iam:CreateServiceLinkedRole", - "elasticloadbalancing:SetWebACL", - "elasticloadbalancing:SetSubnets", - "elasticloadbalancing:SetSecurityGroups", - "elasticloadbalancing:SetIpAddressType", - "elasticloadbalancing:RemoveTags", - "elasticloadbalancing:RemoveListenerCertificates", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyRule", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyListener", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeRules", + "ec2:DescribeAccountAttributes", + "ec2:DescribeAddresses", + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInternetGateways", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeInstances", + "ec2:DescribeNetworkInterfaces", + "ec2:DescribeTags", + "ec2:GetCoipPoolUsage", + "ec2:DescribeCoipPools", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeleteRule", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteListener", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:CreateRule", + "elasticloadbalancing:DescribeSSLPolicies", + "elasticloadbalancing:DescribeRules", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:DescribeTargetHealth", + "elasticloadbalancing:DescribeTags" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "cognito-idp:DescribeUserPoolClient", + "acm:ListCertificates", + "acm:DescribeCertificate", + "iam:ListServerCertificates", + "iam:GetServerCertificate", + "waf-regional:GetWebACL", + "waf-regional:GetWebACLForResource", + "waf-regional:AssociateWebACL", + "waf-regional:DisassociateWebACL", + "wafv2:GetWebACL", + "wafv2:GetWebACLForResource", + "wafv2:AssociateWebACL", + "wafv2:DisassociateWebACL", + "shield:GetSubscriptionState", + "shield:DescribeProtection", + "shield:CreateProtection", + "shield:DeleteProtection" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateSecurityGroup" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "StringEquals": { + "ec2:CreateAction": "CreateSecurityGroup" + }, + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:CreateTags", + "ec2:DeleteTags" + ], + "Resource": "arn:aws:ec2:*:*:security-group/*", + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:RevokeSecurityGroupIngress", + "ec2:DeleteSecurityGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateTargetGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ "elasticloadbalancing:CreateListener", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:CreateRule", + "elasticloadbalancing:DeleteRule" + ], + "Resource": "*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*", + "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*" + ], + "Condition": { + "Null": { + "aws:RequestTag/elbv2.k8s.aws/cluster": "true", + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags" + ], + "Resource": [ + "arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*", + "arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*" + ] + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:SetIpAddressType", + "elasticloadbalancing:SetSecurityGroups", + "elasticloadbalancing:SetSubnets", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:ModifyTargetGroup", + "elasticloadbalancing:ModifyTargetGroupAttributes", + "elasticloadbalancing:DeleteTargetGroup" + ], + "Resource": "*", + "Condition": { + "Null": { + "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" + } + } + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:DeregisterTargets" + ], + "Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*" + }, + { + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:SetWebAcl", + "elasticloadbalancing:ModifyListener", "elasticloadbalancing:AddListenerCertificates", - "ec2:RevokeSecurityGroupIngress", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifyInstanceAttribute", - "ec2:DescribeVpcs", - "ec2:DescribeTags", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribeInternetGateways", - "ec2:DescribeInstances", - "ec2:DescribeInstanceStatus", - "ec2:DescribeAddresses", - "ec2:DescribeAccountAttributes", - "ec2:DeleteTags", - "ec2:DeleteSecurityGroup", - "ec2:CreateTags", - "ec2:CreateSecurityGroup", - "ec2:AuthorizeSecurityGroupIngress", - "cognito-idp:DescribeUserPoolClient", - "acm:ListCertificates", - "acm:GetCertificate", - "acm:DescribeCertificate" + "elasticloadbalancing:RemoveListenerCertificates", + "elasticloadbalancing:ModifyRule" ], "Resource": "*" }