The following image shows how the cluster operator policy might appear in the AWS Management Console:
The JSON document below is a template for the cluster operator role policy. Permissions that are not mandatory are flagged as OPTIONAL. Remove the OPTIONAL marker from any line that you keep, and delete the lines you do not need, so that the result is a valid JSON policy document.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketTagging",
        "s3:GetBucketWebsite",
        "s3:GetBucketLogging",
        "s3:ListBucket",
        "s3:GetAccelerateConfiguration",
        "s3:GetBucketVersioning",
        "s3:GetReplicationConfiguration",
        "s3:PutObject",
        "s3:GetObjectAcl",
        "s3:GetObject",
        "s3:GetEncryptionConfiguration",
        "s3:PutBucketTagging",
        "s3:GetBucketRequestPayment",
        "s3:GetBucketCORS",
        "s3:GetObjectTagging",
        "s3:PutObjectTagging",
        "s3:GetBucketLocation",
        "s3:GetObjectVersion",
        "s3:DeleteObjectTagging",
        "s3:DeleteObjectVersion",
        "s3:DeleteObject"
      ],
      "Resource": [
        "arn:aws:s3:::dev",
        "arn:aws:s3:::dev/Staging/",
        "arn:aws:s3:::dev/Staging/*",
        "arn:aws:s3:::dev/Logging/",
        "arn:aws:s3:::dev/Logging/*",
        "arn:aws:s3:::dev/InitScript/",
        "arn:aws:s3:::dev/InitScript/*"
      ]
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInternetGateways",
        "ec2:AttachInternetGateway", OPTIONAL
        "ec2:CreateInternetGateway", OPTIONAL
        "ec2:DetachInternetGateway", OPTIONAL
        "ec2:DeleteInternetGateway", OPTIONAL
        "ec2:CreateKeyPair",
        "ec2:ImportKeyPair",
        "ec2:DescribeKeyPairs",
        "ec2:DeleteKeyPair",
        "ec2:CreateRoute", OPTIONAL
        "ec2:DeleteRoute", OPTIONAL
        "ec2:DescribeRouteTables",
        "ec2:CreateRouteTable", OPTIONAL
        "ec2:ReplaceRouteTableAssociation", OPTIONAL
        "ec2:AssociateRouteTable", OPTIONAL
        "ec2:DisassociateRouteTable", OPTIONAL
        "ec2:DeleteRouteTable", OPTIONAL
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeVpcs",
        "ec2:CreateVpc", OPTIONAL
        "ec2:DeleteVpc", OPTIONAL
        "ec2:ModifyVpcAttribute", OPTIONAL
        "ec2:DescribeSubnets",
        "ec2:CreateSubnet", OPTIONAL
        "ec2:DeleteSubnet", OPTIONAL
        "ec2:DescribeSecurityGroups",
        "ec2:CreateSecurityGroup", OPTIONAL
        "ec2:AuthorizeSecurityGroupIngress", OPTIONAL
        "ec2:RevokeSecurityGroupIngress", OPTIONAL
        "ec2:AuthorizeSecurityGroupEgress", OPTIONAL
        "ec2:RevokeSecurityGroupEgress", OPTIONAL
        "ec2:DeleteSecurityGroup", OPTIONAL
        "ec2:CreateTags",
        "ec2:DescribeTags",
        "ec2:DeleteTags",
        "ec2:CreateVolume",
        "ec2:DescribeVolumes",
        "ec2:DeleteVolume",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:TerminateInstances",
        "ec2:DescribeRegions",
        "ec2:DescribeAvailabilityZones",
        "ec2:CreateLaunchTemplate",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DeleteLaunchTemplate",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:DeleteLaunchTemplateVersions",
        "autoscaling:AttachLoadBalancers",
        "autoscaling:DescribeTags",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:UpdateAutoScalingGroup",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "pricing:GetProducts", OPTIONAL
        "iam:GetInstanceProfile",
        "iam:GetContextKeysForPrincipalPolicy",
        "iam:ListInstanceProfiles",
        "iam:SimulatePrincipalPolicy",
        "iam:CreateInstanceProfile", OPTIONAL
        "iam:DeleteInstanceProfile", OPTIONAL
        "iam:CreateRole", OPTIONAL
        "iam:GetRole",
        "iam:ListRoles",
        "iam:PassRole",
        "iam:ListRolePolicies",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteRole", OPTIONAL
        "iam:TagRole", OPTIONAL
        "iam:GetRolePolicy",
        "iam:AddRoleToInstanceProfile", OPTIONAL
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:PutRolePolicy", OPTIONAL
        "iam:AttachRolePolicy", OPTIONAL
        "iam:DetachRolePolicy", OPTIONAL
        "iam:DeleteRolePolicy", OPTIONAL
        "iam:GetUser",
        "kms:DescribeKey", OPTIONAL
        "kms:Get*",
        "sts:AssumeRole", OPTIONAL
        "sts:DecodeAuthorizationMessage" OPTIONAL
      ],
      "Resource": "*"
    }
  ]
}
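As an added example that is not part of the Informatica documentation, the following Python script turns a template annotated in this way into a valid policy document: OPTIONAL lines are dropped unless you name their actions, the marker is stripped from the ones you keep, and the dangling comma that a dropped last entry leaves behind is repaired. The TEMPLATE excerpt is constructed for the example and only mirrors the shape of the template above.

```python
import json
import re

# Constructed excerpt of the annotated template above (same shape, fewer actions).
TEMPLATE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcs",
        "ec2:CreateVpc", OPTIONAL
        "iam:PassRole",
        "sts:AssumeRole", OPTIONAL
        "sts:DecodeAuthorizationMessage" OPTIONAL
      ],
      "Resource": "*"
    }
  ]
}"""

# A quoted action, its optional trailing comma, then the OPTIONAL marker.
OPTIONAL_RE = re.compile(r'^(\s*"([^"]+)",?)\s+OPTIONAL\s*$')

def render_template(template: str, keep_optional=frozenset()) -> dict:
    """Turn the annotated template into a valid IAM policy document.

    OPTIONAL lines are dropped unless their action is in keep_optional;
    the marker is stripped from the ones kept, and a trailing comma left
    by a dropped last element is removed so the result parses as JSON.
    """
    kept = []
    for line in template.splitlines():
        m = OPTIONAL_RE.match(line)
        if m is None:
            kept.append(line)                 # mandatory line, unchanged
        elif m.group(2) in keep_optional:
            kept.append(m.group(1))           # keep the action, drop the marker
    out = []
    for i, line in enumerate(kept):
        nxt = kept[i + 1].strip()[:1] if i + 1 < len(kept) else ""
        if line.rstrip().endswith(",") and nxt in ("]", "}"):
            line = line.rstrip()[:-1]         # JSON allows no trailing comma
        out.append(line)
    return json.loads("\n".join(out))

def optional_actions(template: str) -> list:
    """Actions the template flags OPTIONAL, in order of appearance."""
    return [m.group(2) for m in map(OPTIONAL_RE.match, template.splitlines()) if m]
```

Review the result with a policy linter or the IAM policy simulator before attaching it; the script only guarantees that the document is well-formed, not that the remaining grants are the minimum your deployment needs.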
Add permissions to the template based on your organizational requirements. For information about each permission, see the IAM policy reference.
The cluster operator role also requires the following permissions for public Informatica-managed Kubernetes clusters:
{
  "Sid": "VisualEditor0",
  "Effect": "Allow",
  "Action": [
    "ec2:GetLaunchTemplateData",
    "ec2:ModifyLaunchTemplate",
    "ec2:DescribeLaunchTemplates",
    "ec2:DescribeLaunchTemplateVersions"
  ],
  "Resource": "arn:aws:ec2:*:543463116864:launch-template/*.k8s.local"
}
The actions on Amazon S3 must be specified for all staging, log, and initialization script locations that you provide in advanced configurations.
For example, if you use staging location dev/Staging/, log location dev/Logging/, and initialization script location dev/InitScript/, the policy must list the following resources for actions on Amazon S3:
"Resource": [
  "arn:aws:s3:::dev",
  "arn:aws:s3:::dev/Staging/",
  "arn:aws:s3:::dev/Staging/*",
  "arn:aws:s3:::dev/Logging/",
  "arn:aws:s3:::dev/Logging/*",
  "arn:aws:s3:::dev/InitScript/",
  "arn:aws:s3:::dev/InitScript/*"
]
If you use a different set of staging, log, and initialization script locations in another advanced configuration, you must add those locations as resources to the same policy.
To accommodate S3 locations that change frequently, you can use wildcards. For more information, refer to the AWS documentation.
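As an added example, not part of the original documentation, the following Python code builds the S3 Resource list for the locations of one or more advanced configurations in the form shown above (bucket ARN, prefix ARN and prefix/* for each location, shared entries listed once) and checks an existing policy's Resource entries, wildcard entries included, against that list. The configuration dictionaries and their key names are constructed for the example.

```python
from fnmatch import fnmatchcase

# Constructed sample advanced configurations (not from the documentation).
CONFIG_A = {"staging": "dev/Staging/", "log": "dev/Logging/",
            "init_script": "dev/InitScript/"}
CONFIG_B = {"staging": "dev/Staging/", "log": "ops/Logs/",
            "init_script": "dev/InitScript/"}


def s3_resources(*configurations) -> list:
    """Resource ARNs the S3 statement must list for these configurations.

    Each location is written 'bucket/prefix/'. It yields the bucket ARN
    (bucket-level actions such as s3:ListBucket), the prefix ARN and
    'prefix/*' (object-level actions). A bucket-only location 'bucket/'
    yields the bucket ARN and 'bucket/*'. Duplicates across
    configurations are listed once, in first-seen order.
    """
    arns, seen = [], set()

    def add(arn):
        if arn not in seen:
            seen.add(arn)
            arns.append(arn)

    for cfg in configurations:
        for loc in (cfg["staging"], cfg["log"], cfg["init_script"]):
            bucket, _, prefix = loc.strip("/").partition("/")
            if not bucket:
                raise ValueError(f"location has no bucket: {loc!r}")
            add(f"arn:aws:s3:::{bucket}")
            if prefix:
                add(f"arn:aws:s3:::{bucket}/{prefix}/")
                add(f"arn:aws:s3:::{bucket}/{prefix}/*")
            else:
                add(f"arn:aws:s3:::{bucket}/*")
    return arns


def uncovered(required: list, policy_resources: list) -> list:
    """Required ARNs that no Resource entry in the policy matches.

    Entries may use IAM-style wildcards ('*' and '?'), so a policy that
    lists 'arn:aws:s3:::dev/*' covers every prefix under the dev bucket.
    """
    return [arn for arn in required
            if not any(fnmatchcase(arn, pat) for pat in policy_resources)]
```

Running uncovered() against the Resource array of the deployed policy after each new advanced configuration is added catches locations that were never granted, and shows how far a wildcard entry widens the grant beyond the locations actually in use.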