创建 AWS IAM 角色

GKE on AWS 使用 AWS IAM 角色来创建和管理集群和节点池。本页面介绍如何创建以下默认角色:

GKE Multi-Cloud API 服务代理角色
GKE Multi-Cloud API 使用此 AWS IAM 角色来通过 AWS API 管理资源。此角色由服务代理使用。
控制层面 AWS IAM 角色
您的集群控制平面使用此角色来控制节点池。
节点池 AWS IAM 角色
控制层面使用此角色来创建节点池虚拟机。

本页面介绍了如何针对以下情况创建角色:

  • 一组默认权限,可用于测试
  • 可以对具有某些 AWS 标记的资源执行操作

您可以选择其中一个选项以满足组织的安全政策。如需详细了解标记,请参阅标记 AWS 资源

或者,您可以限制 GKE on AWS 用于满足组织要求的 AWS IAM 角色的权限范围。如需了解详情,请参阅 AWS IAM 角色

准备工作

如果您选择创建可对具有特定标记的资源执行操作的权限,则必须选择标记和值。然后,您可以使用这些值标记集群中的资源以限制对它们的访问权限。

创建 GKE Multi-Cloud API 服务代理角色

如需创建 GKE Multi-Cloud API 服务代理角色,请使用以下命令检索 Google Cloud 项目编号并使用它来创建角色。

PROJECT_ID="$(gcloud config get-value project)"
PROJECT_NUMBER=$(gcloud projects describe "$PROJECT_ID" \
    --format "value(projectNumber)")

aws iam create-role --role-name API_ROLE \
    --assume-role-policy-document '{
    "Version": "2012-10-17",
    "Statement": [
        {
        "Sid": "",
        "Effect": "Allow",
        "Principal": {
            "Federated": "accounts.google.com"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
            "StringEquals": {
            "accounts.google.com:sub": "service-'$PROJECT_NUMBER'@gcp-sa-gkemulticloud.iam.gserviceaccount.com"
            }
      }
    }
  ]
}'

API_ROLE 替换为此角色的名称。

保存此命令生成的 Amazon 资源名称 (ARN) 以备以后使用。

创建有范围的权限

如果要为具有默认权限的 GKE Multi-Cloud API 服务代理角色创建政策,或者创建范围限定为带有特定标记的资源,请在下方选择。然后运行以下命令:

默认

aws iam create-policy --policy-name API_POLICY \
  --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateNetworkInterface",
        "ec2:CreateSecurityGroup",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteTags",
        "ec2:DeleteVolume",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RunInstances",
        "iam:AWSServiceName",
        "iam:CreateServiceLinkedRole",
        "iam:GetInstanceProfile",
        "iam:PassRole",
        "autoscaling:CreateAutoScalingGroup",
        "autoscaling:CreateOrUpdateTags",
        "autoscaling:DeleteAutoScalingGroup",
        "autoscaling:DeleteTags",
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DisableMetricsCollection",
        "autoscaling:EnableMetricsCollection",
        "autoscaling:TerminateInstanceInAutoScalingGroup",
        "autoscaling:UpdateAutoScalingGroup",
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:CreateTargetGroup",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:RemoveTags",
        "kms:DescribeKey",
        "kms:Encrypt",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*"
    }
  ]
}'

API_POLICY 替换为 GKE Multi-Cloud API AWS IAM 政策的名称。

(可选)您可以将 Resource 的值设置为 arn:aws:iam::ACCOUNT_ID:*,并将 ACCOUNT_ID 替换为您的 AWS 账号 ID,以限制此政策应用于特定账号的资源。

范围限定于标记

aws iam create-policy --policy-name API_POLICY_ec2 \
  --policy-document '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:GetConsoleOutput"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateSecurityGroup"],
      "Resource": ["arn:aws:ec2:*:*:vpc/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RevokeSecurityGroupIngress"
      ],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": ["arn:aws:ec2:*:*:security-group-rule/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateLaunchTemplate"],
      "Resource": ["arn:aws:ec2:*:*:launch-template/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteLaunchTemplate"
      ],
      "Resource": ["arn:aws:ec2:*:*:launch-template/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": ["arn:aws:ec2:*:*:image/ami-*"],
      "Condition": {
        "StringEquals": {
          "ec2:Owner": ["099720109477", "amazon"]
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:subnet/*"
      ],
      "Condition": {
        "ArnLike": {
          "ec2:LaunchTemplate": "arn:aws:ec2:*:*:launch-template/*"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:RunInstances"],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:key-pair/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "Bool": {
          "ec2:IsLaunchTemplateResource": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": ["arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVolume"
      ],
      "Resource": ["arn:aws:ec2:*:*:volume/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateNetworkInterface"
      ],
      "Resource": ["arn:aws:ec2:*:*:network-interface/*"],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:security-group/*"],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": ["ec2:CreateNetworkInterface"],
      "Resource": ["arn:aws:ec2:*:*:subnet/*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteNetworkInterface",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:security-group-rule/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
         "StringEquals": {
          "ec2:CreateAction" : "RunInstances"
        }
      }
    },
    {
      "Action": [
        "ec2:CreateTags",
        "ec2:DeleteTags"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:launch-template/*",
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:security-group-rule/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyInstanceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
        }
      }
    }
  ]
}'

请替换以下内容:

  • API_POLICY:GKE Multi-Cloud API AWS IAM 政策的前缀。
  • ACCESS_CONTROL_TAG_KEY:适用于此政策的标记键
  • ACCESS_CONTROL_TAG_VALUE:适用于此政策的标记值

(可选)您可以进一步将此政策限制为 AWS 区域和账号 ID。如需将政策限制为区域和账号 ID,请将 arn:aws:ec2:*:*:security-group/* 等资源值替换为 arn:aws:ec2:AWS_REGION:ACCOUNT_ID:security-group/*

复制为此政策创建的 ARN,以用于以下命令。

创建有关使用标记的其他政策

如果您使用标记来限制访问权限,请按照以下步骤创建其他政策。如果您使用的是默认政策,请跳至将政策附加到 GKE Multi-Cloud API 角色

  1. 创建政策以使用以下命令控制对 AWS IAM 的访问权限:

    aws iam create-policy --policy-name API_POLICY_iam \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["iam:CreateServiceLinkedRole"],
          "Resource": [
            "arn:aws:iam::*:role/aws-service-role/autoscaling.amazonaws.com/AWSServiceRoleForAutoScaling"
          ],
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "autoscaling.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:CreateServiceLinkedRole"],
          "Resource": [
            "arn:aws:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
          ],
          "Condition": {
            "StringEquals": {
              "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": ["iam:PassRole"],
          "Resource": ["arn:aws:iam::*:role/*"],
          "Condition": {
            "StringEquals": {
              "iam:PassedToService": "ec2.amazonaws.com"
            }
          }
        }
        ,
        {
          "Effect": "Allow",
          "Action": ["iam:GetInstanceProfile"],
          "Resource": ["arn:aws:iam::*:instance-profile/*"]
        }
      ]
    }'
    
  2. 创建政策以控制对 AWS EC2 自动扩缩资源的访问权限:

    aws iam create-policy --policy-name API_POLICY_autoscaling \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["autoscaling:DescribeAutoScalingGroups"],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:CreateAutoScalingGroup",
            "autoscaling:CreateOrUpdateTags"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:CreateOrUpdateTags",
            "autoscaling:DeleteAutoScalingGroup",
            "autoscaling:DeleteTags",
            "autoscaling:DisableMetricsCollection",
            "autoscaling:EnableMetricsCollection",
            "autoscaling:TerminateInstanceInAutoScalingGroup",
            "autoscaling:UpdateAutoScalingGroup"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'
    

    保存此命令生成的 ARN 供日后使用。

  3. 创建政策以控制对 AWS Elastic 负载均衡器资源的访问权限。

    aws iam create-policy --policy-name API_POLICY_elasticloadbalancing \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:AddTags"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:ModifyTargetGroupAttributes",
            "elasticloadbalancing:RemoveTags"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/gke-*"],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:AddTags"
          ],
          "Resource": [
            "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
            "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:RequestTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:RemoveTags"
          ],
          "Resource": [
            "arn:aws:elasticloadbalancing:*:*:listener/net/gke-*",
            "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'
    

    保存此命令生成的 ARN 供日后使用。

  4. 创建政策以控制对 AWS 密钥管理服务资源的访问权限。

    如需详细了解每个密钥的权限,请参阅创建具有特定权限的 KMS 密钥

    aws iam create-policy --policy-name API_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:DescribeKey"],
          "Resource": ["arn:aws:kms:*:*:key/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Encrypt"],
          "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Encrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:GenerateDataKeyWithoutPlaintext"],
          "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN
        }
      ]
    }'
    

    请替换以下内容:

    保存此命令生成的 ARN 供日后使用。

将政策附加到 GKE Multi-Cloud API 角色

对于您在前面步骤中创建的每个政策,请运行以下命令,将该政策附加到 GKE Multi-Cloud API 角色:

aws iam attach-role-policy \
    --policy-arn API_POLICY_ARN \
    --role-name API_ROLE

替换

  • API_POLICY_ARN 替换为您之前创建的每个政策的 API 政策 ARN
  • API_ROLE 替换为 GKE Multi-Cloud API 服务代理角色名称

创建集群或节点池

如果您创建范围限定为标记资源的角色和政策,则必须在创建集群或节点池时指定标记。您可以使用集群和节点池创建命令的 --tags 参数来执行此操作。

创建集群

如需创建集群,请按照说明创建集群并添加 --tags 参数,如下所示:

gcloud container aws clusters create CLUSTER_NAME \
...
    --tags="ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"

请替换以下内容:

  • ACCESS_CONTROL_TAG_KEY:适用于此政策的标记键
  • ACCESS_CONTROL_TAG_VALUE:适用于此政策的标记值

创建节点池

如需创建节点池,请按照说明创建节点池并添加 --tags 参数,如下所示:

gcloud container aws node-pools create NODE_POOL_NAME \
...
    --tags "ACCESS_CONTROL_TAG_KEY=ACCESS_CONTROL_TAG_VALUE"

请替换以下内容:

  • ACCESS_CONTROL_TAG_KEY:适用于此政策的标记键
  • ACCESS_CONTROL_TAG_VALUE:适用于此政策的标记值

创建控制平面角色

如需创建具有默认权限的控制层面角色,请按以下步骤操作:

  1. 如需创建此角色,请运行以下命令:

    aws iam create-role --role-name CONTROL_PLANE_ROLE \
        --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                 "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
      ]
    }'
    

    CONTROL_PLANE_ROLE 替换为控制平面角色的名称。

  2. 为此角色创建 IAM 政策。如果您为数据库和配置加密创建了多个 KMS 密钥,请以英文逗号分隔列表的形式添加其所有 ARN。

    选择您是要直接连接到控制层面,还是直接连接到控制层面并使用标记。

    直接连接

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "",
          "Effect": "Allow",
          "Action": [
            "ec2:AttachNetworkInterface",
            "ec2:AttachVolume",
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:CreateRoute",
            "ec2:CreateSecurityGroup",
            "ec2:CreateSnapshot",
            "ec2:CreateTags",
            "ec2:CreateVolume",
            "ec2:DeleteRoute",
            "ec2:DeleteSecurityGroup",
            "ec2:DeleteSnapshot",
            "ec2:DeleteTags",
            "ec2:DeleteVolume",
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumesModifications",
            "ec2:DescribeVpcs",
            "ec2:DetachVolume",
            "ec2:ModifyInstanceAttribute",
            "ec2:ModifyVolume",
            "ec2:RevokeSecurityGroupIngress",
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags",
            "autoscaling:SetDesiredCapacity",
            "autoscaling:TerminateInstanceInAutoScalingGroup",
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
            "elasticloadbalancing:AttachLoadBalancerToSubnets",
            "elasticloadbalancing:ConfigureHealthCheck",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancerListeners",
            "elasticloadbalancing:CreateLoadBalancerPolicy",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:DeleteLoadBalancerListeners",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:DeregisterTargets",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth",
            "elasticloadbalancing:DetachLoadBalancerFromSubnets",
            "elasticloadbalancing:ModifyListener",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:ModifyTargetGroup",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:RegisterTargets",
            "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
            "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
            "elasticfilesystem:CreateAccessPoint",
            "elasticfilesystem:DeleteAccessPoint",
            "elasticfilesystem:DescribeAccessPoints",
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:DescribeMountTargets",
            "kms:CreateGrant",
            "kms:Decrypt",
            "kms:Encrypt",
            "kms:GrantIsForAWSResource"
          ],
          "Resource": "*"
        }
      ]
    }'
    

    请替换以下内容:

    • CONTROL_PLANE_POLICY 替换为控制平面政策的名称

    直接连接并使用标记

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_autoscaling \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:DescribeAutoScalingGroups",
            "autoscaling:DescribeAutoScalingInstances",
            "autoscaling:DescribeLaunchConfigurations",
            "autoscaling:DescribeTags"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:SetDesiredCapacity",
            "autoscaling:TerminateInstanceInAutoScalingGroup"
          ],
          "Resource": [
            "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/gke-*"
          ],
          "Condition": {
            "StringEquals": {
              "aws:ResourceTag/ACCESS_CONTROL_TAG_KEY": "ACCESS_CONTROL_TAG_VALUE"
            }
          }
        }
      ]
    }'
    
    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_ec2 \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ec2:DescribeAccountAttributes",
            "ec2:DescribeAvailabilityZones",
            "ec2:DescribeDhcpOptions",
            "ec2:DescribeInstances",
            "ec2:DescribeInstanceTypes",
            "ec2:DescribeInternetGateways",
            "ec2:DescribeLaunchTemplateVersions",
            "ec2:DescribeRegions",
            "ec2:DescribeRouteTables",
            "ec2:DescribeSecurityGroups",
            "ec2:DescribeSnapshots",
            "ec2:DescribeSubnets",
            "ec2:DescribeTags",
            "ec2:DescribeVolumes",
            "ec2:DescribeVolumesModifications",
            "ec2:DescribeVpcs"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:AttachNetworkInterface"],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:network-interface/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:CreateVolume",
            "ec2:CreateTags",
            "ec2:AttachVolume",
            "ec2:DeleteVolume",
            "ec2:DetachVolume",
            "ec2:ModifyVolume"
          ],
          "Resource": ["arn:aws:ec2:*:*:volume/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:AttachVolume", "ec2:DetachVolume"],
          "Resource": ["arn:aws:ec2:*:*:instance/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSecurityGroup", "ec2:CreateTags"],
          "Resource": ["arn:aws:ec2:*:*:security-group/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSecurityGroup"],
          "Resource": ["arn:aws:ec2:*:*:vpc/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "ec2:AuthorizeSecurityGroupIngress",
            "ec2:DeleteSecurityGroup",
            "ec2:RevokeSecurityGroupIngress"
          ],
          "Resource": ["arn:aws:ec2:*:*:security-group/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSnapshot", "ec2:CreateTags", "ec2:DeleteSnapshot"],
          "Resource": ["arn:aws:ec2:*:*:snapshot/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateSnapshot"],
          "Resource": ["arn:aws:ec2:*:*:volume/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:CreateRoute", "ec2:DeleteRoute"],
          "Resource": ["arn:aws:ec2:*:*:route-table/*"]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:ModifyInstanceAttribute"],
          "Resource": [
            "arn:aws:ec2:*:*:instance/*",
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:volume/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": ["ec2:DeleteTags"],
          "Resource": [
            "arn:aws:ec2:*:*:security-group/*",
            "arn:aws:ec2:*:*:snapshot/*",
            "arn:aws:ec2:*:*:volume/*"
          ]
        }
      ]
    }'
    
    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticloadbalancing \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DescribeLoadBalancers",
            "elasticloadbalancing:DescribeLoadBalancerAttributes",
            "elasticloadbalancing:DescribeListeners",
            "elasticloadbalancing:DescribeLoadBalancerPolicies",
            "elasticloadbalancing:DescribeTargetGroups",
            "elasticloadbalancing:DescribeTargetHealth"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:AttachLoadBalancerToSubnets",
            "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
            "elasticloadbalancing:CreateListener",
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:CreateLoadBalancerPolicy",
            "elasticloadbalancing:CreateLoadBalancerListeners",
            "elasticloadbalancing:ConfigureHealthCheck",
            "elasticloadbalancing:DeleteLoadBalancer",
            "elasticloadbalancing:DeleteLoadBalancerListeners",
            "elasticloadbalancing:DetachLoadBalancerFromSubnets",
            "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
            "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
            "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:loadbalancer/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:AddTags",
            "elasticloadbalancing:CreateTargetGroup",
            "elasticloadbalancing:DeleteTargetGroup",
            "elasticloadbalancing:DeregisterTargets",
            "elasticloadbalancing:ModifyTargetGroup",
            "elasticloadbalancing:RegisterTargets"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:targetgroup/*"]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticloadbalancing:DeleteListener",
            "elasticloadbalancing:ModifyListener"
          ],
          "Resource": ["arn:aws:elasticloadbalancing:*:*:listener/*"]
        }
      ]
    }'
    
    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_elasticfilesystem \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:DescribeAccessPoints",
            "elasticfilesystem:DescribeFileSystems",
            "elasticfilesystem:DescribeMountTargets"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:CreateAccessPoint"
          ],
          "Resource": [
            "arn:aws:elasticfilesystem:*:*:file-system/*"
          ]
        },
        {
          "Effect": "Allow",
          "Action": [
            "elasticfilesystem:DeleteAccessPoint"
          ],
          "Resource": [
            "arn:aws:elasticfilesystem:*:*:access-point/*"
          ]
        }
      ]
    }'
    
    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt", "kms:Encrypt"],
          "Resource": DATABASE_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": CONTROL_PLANE_CONFIG_KMS_KEY_ARN
        },
        {
          "Effect": "Allow",
          "Action": ["kms:CreateGrant"],
          "Resource": CONTROL_PLANE_MAIN_VOLUME_KMS_KEY_ARN,
          "Condition": {
            "Bool": {
              "kms:GrantIsForAWSResource": "true"
            }
          }
        }
      ]
    }'
    

    请替换以下内容:

    复制每个 Policy.Arn 的值以在下面的命令中使用。

  3. 如果您使用 HTTP 代理,请为 AWS Secrets Manager 创建额外的政策。

    aws iam create-policy --policy-name CONTROL_PLANE_POLICY_secretsmanager \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": PROXY_CONFIG_ARN
        }
      ]
    }'
    

    请替换以下内容:

    复制每个 Policy.Arn 的值以在下一个命令中使用。

  4. 将新政策附加到相应角色。

    aws iam attach-role-policy \
        --policy-arn CONTROL_PLANE_POLICY_ARN \
        --role-name CONTROL_PLANE_ROLE
    

    请替换以下内容:

    • CONTROL_PLANE_ROLE
    • CONTROL_PLANE_POLICY_ARN 替换为上一个命令中的 Policy.Arn
  5. 如需创建 IAM 实例配置文件,请运行以下命令。

    aws iam create-instance-profile \
        --instance-profile-name CONTROL_PLANE_PROFILE
    

    CONTROL_PLANE_PROFILE 替换为 GKE 多云控制平面配置文件的名称。

  6. 最后,将新角色添加到您刚创建的实例配置文件中。

    aws iam add-role-to-instance-profile \
        --instance-profile-name CONTROL_PLANE_PROFILE \
        --role-name CONTROL_PLANE_ROLE
    

    请替换以下内容:

    • CONTROL_PLANE_PROFILE
    • CONTROL_PLANE_ROLE

    您稍后将在创建集群期间使用此处选择的实例配置文件名称。

创建节点池角色

如需创建具有默认权限的节点池角色,请按以下步骤操作:

  1. 为要使用的节点池中的虚拟机创建角色。

    aws iam create-role --role-name NODE_POOL_ROLE \
        --assume-role-policy-document '{
        "Version": "2012-10-17",
        "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
            "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
      ]
    }'
    

    NODE_POOL_ROLE 替换为您的节点池角色的名称。

  2. 使用节点池虚拟机所需的权限创建政策。选择您是要直接连接到控制平面还是使用 HTTP 代理

    直接

    aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        }
      ]
    }'
    

    请替换以下内容:

    HTTP 代理

    aws iam create-policy --policy-name NODE_POOL_POLICY_kms \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": ["kms:Decrypt"],
          "Resource": NODE_POOL_CONFIG_KMS_KEY_ARN
        }
      ]
    }'
    
    aws iam create-policy --policy-name NODE_POOL_POLICY_secretsmanager \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "secretsmanager:GetSecretValue"
          ],
          "Resource": PROXY_CONFIG_ARN
        }
      ]
    }'
    

    请替换以下内容:

    • KMS_KEY_ARN:您的节点池的 KMS 密钥。
    • NODE_POOL_POLICY:您的节点池政策的名称。
    • PROXY_CONFIG_ARN:代理配置的 ARN。如需了解详情,请参阅创建代理配置

    复制每个 Policy.Arn 的值以在下一个命令中使用。

  3. 将该角色关联到其政策。

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn "NODE_POOL_POLICY_ARN"
    

    请替换以下内容:

    • NODE_POOL_ROLE:节点池角色的名称。
    • NODE_POOL_POLICY_ARN:上一个命令中的 Policy.Arn 值。
  4. 如果您的工作负载需要使用 ECR 容器注册表,请附加以下政策以获取 ECR 访问权限:

    公共注册表

    创建具有以下权限的政策:

      aws iam create-policy --policy-name NODE_POOL_POLICY_ecr \
      --policy-document '{
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "ecr-public:GetAuthorizationToken",
            "sts:GetServiceBearerToken"
          ],
          "Resource": "*"
        }
      ]
    }'
    

    Policy.Arn 的值复制为 NODE_POOL_ECR_POLICY_ARN

    将其附加到您创建的节点池角色。

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn "NODE_POOL_ECR_POLICY_ARN"
    

    请替换以下内容:

    • NODE_POOL_ROLE:节点池角色的名称。
    • NODE_POOL_ECR_POLICY_ARN:上一个命令中的 Policy.Arn 值。

    私有注册表

    AmazonEC2ContainerRegistryReadOnly 附加到节点池角色,以获得私有注册表访问权限:

    aws iam attach-role-policy --role-name NODE_POOL_ROLE \
        --policy-arn arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
    

    NODE_POOL_ROLE 替换为您的节点池角色的名称。

  5. 为此角色创建实例配置文件。

    aws iam create-instance-profile \
        --instance-profile-name NODE_POOL_PROFILE
    

    NODE_POOL_PROFILE 替换为您的节点池配置文件的名称。

  6. 将新角色添加到实例配置文件中。

    aws iam add-role-to-instance-profile \
        --instance-profile-name NODE_POOL_PROFILE \
        --role-name NODE_POOL_ROLE
    

    请替换以下内容:

    • NODE_POOL_PROFILE:节点池配置文件的名称。
    • NODE_POOL_ROLE:节点池角色的名称。

后续步骤