The tables on this page list all of the permissions used to create the default AWS IAM roles. To create these policies with default permissions, see Create AWS IAM roles.
- GKE Multi-Cloud API service agent role: the GKE Multi-Cloud API uses this AWS IAM role to manage resources through AWS APIs. The role is assumed by a Google-managed service account known as a service agent.
- Control plane AWS IAM role: your cluster control plane uses this role to control node pools.
- Node pool AWS IAM role: the control plane uses this role to create node pool VMs.
Depending on your organization's requirements, you can create custom AWS IAM policies for GKE on AWS to manage your clusters. These policies replace the default versions. You then attach them to AWS IAM roles and provide those roles when you create a cluster.
For more information on the purpose of each role, see AWS IAM roles for GKE on AWS.
To create these policies, choose the level at which you want to restrict your resources. For example, you can restrict a policy to a particular AWS VPC by using the VPC's Amazon Resource Name (ARN) in the policy. For more information, see Controlling access to AWS resources using policies.
IAM policies for GKE Multi-Cloud service agents
Resource Type | ARN | Permission Required | Purpose | Reference
---|---|---|---|---
Security Group | arn:aws:ec2:*:*:security-group/sg-* | ec2:DescribeSecurityGroups (Create, Update, Delete); ec2:CreateSecurityGroup (Create); ec2:CreateTags (Create); ec2:RevokeSecurityGroupEgress (Create); ec2:DeleteSecurityGroup (Delete) | Control plane security group |
Security Group | arn:aws:ec2:*:*:security-group/sg-* | As above | Node pool security group |
Security Group Rule | arn:aws:ec2:*:*:security-group-rule/sgr-* | ec2:AuthorizeSecurityGroupEgress (Create); ec2:RevokeSecurityGroupEgress (Delete); ec2:CreateTags (Create) | Control plane egress security group rule |
Security Group Rule | arn:aws:ec2:*:*:security-group-rule/sgr-* | ec2:AuthorizeSecurityGroupIngress (Create); ec2:RevokeSecurityGroupIngress (Delete); ec2:CreateTags (Create) | Control plane ingress security group rule |
Security Group Rule | arn:aws:ec2:*:*:security-group-rule/sgr-* | ec2:AuthorizeSecurityGroupEgress (Create); ec2:RevokeSecurityGroupEgress (Delete); ec2:CreateTags (Create) | Control plane egress security group rule |
Security Group Rule | arn:aws:ec2:*:*:security-group-rule/sgr-* | ec2:AuthorizeSecurityGroupIngress (Create); ec2:RevokeSecurityGroupIngress (Delete); ec2:CreateTags (Create) | Control plane ingress security group rule |
Network Load Balancer | arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-* | elasticloadbalancing:DescribeLoadBalancers (Create, Delete); elasticloadbalancing:CreateLoadBalancer (Create); ec2:CreateSecurityGroup (Create); ec2:DescribeAccountAttributes (Create); ec2:DescribeInternetGateways (Create); ec2:DescribeSecurityGroups (Create); ec2:DescribeSubnets (Create); ec2:DescribeVpcs (Create); iam:CreateServiceLinkedRole (Create); elasticloadbalancing:DeleteLoadBalancer (Delete) | Kubernetes api-server load balancer | Elastic Load Balancing API permissions
Target Group | arn:aws:elasticloadbalancing:*:*:targetgroup/gke-* | elasticloadbalancing:DescribeTargetGroups (Create, Update, Delete); elasticloadbalancing:DescribeTargetHealth (Create, Update); elasticloadbalancing:CreateTargetGroup (Create); elasticloadbalancing:ModifyTargetGroupAttributes (Create); ec2:DescribeInternetGateways (Create); ec2:DescribeVpcs (Create); elasticloadbalancing:DeleteTargetGroup (Delete) | Target group for https | Elastic Load Balancing API permissions
Target Group | arn:aws:elasticloadbalancing:*:*:targetgroup/gke-* | As above | Target group for https for konnectivity agent |
Listener | arn:aws:elasticloadbalancing:*:*:listener/net/gke-* | elasticloadbalancing:CreateListener (Create); elasticloadbalancing:DescribeListeners (Delete); elasticloadbalancing:DeleteListener (Delete) | Listener for https |
Listener | arn:aws:elasticloadbalancing:*:*:listener/net/gke-* | As above | Listener for https for konnectivity agent |
Volume | arn:aws:ec2:*:*:volume/vol-* | ec2:CreateVolume (Create); ec2:CreateTags (Create); ec2:DeleteVolume (Delete) | etcd volumes |
Network Interface | arn:aws:ec2:*:*:network-interface/eni-* | ec2:DescribeNetworkInterfaces (Update); ec2:CreateNetworkInterface (Create); ec2:CreateTags (Create); ec2:ModifyNetworkInterfaceAttribute (Update); ec2:DeleteNetworkInterface (Delete) | etcd NICs |
Launch Template | arn:aws:ec2:*:*:launch-template/lt-* | ec2:CreateLaunchTemplate (Create, Update); ec2:CreateTags (Create, Update); ec2:DeleteLaunchTemplate (Delete) | Launch template for control plane instances |
Launch Template | arn:aws:ec2:*:*:launch-template/lt-* | As above | Launch template for node pool instances |
Auto Scaling Group | arn:aws:autoscaling:*:*:autoScalingGroup:*: | autoscaling:DescribeAutoScalingGroups (Create, Update, Delete); autoscaling:CreateAutoScalingGroup (Create); autoscaling:CreateOrUpdateTags (Update); autoscaling:UpdateAutoScalingGroup (Update, Delete); autoscaling:TerminateInstanceInAutoScalingGroup (Update); autoscaling:DeleteTags (Update, Delete); autoscaling:DeleteAutoScalingGroup (Delete); iam:CreateServiceLinkedRole (Create); ec2:RunInstances (Create); iam:PassRole (Create) | Auto scaling groups for control plane instances | Required API permissions for Amazon EC2 Auto Scaling
Auto Scaling Group | arn:aws:autoscaling:*:*:autoScalingGroup:*: | As above | Auto scaling groups for node pool instances | Required permissions to create a service-linked role
EC2 key pairs | | ec2:DescribeKeyPairs (Create) | Ensures that the EC2 key pair used to log in to cluster machines exists |
Subnets | | ec2:DescribeSubnets (Create) | Access to additional subnets in your VPC |
VPC | | ec2:DescribeVpcs (Create) | Information on your AWS VPC |
EC2 Console output | | ec2:GetConsoleOutput (Create, Update) | Check console logs for errors |
KMS Key | | | For more information on KMS key policies for GKE on AWS | Creating KMS keys with specific permissions
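The introduction above says a custom policy can be narrowed to one VPC by its ARN; the table then lists the resource ARN patterns and actions the service agent needs. The following script, an added example that is not Google's or AWS's code, assembles those ARN patterns and mutating actions into a policy document, pins the security-group statement to a VPC with the `ec2:Vpc` condition key (AWS's key for filtering by VPC ARN; confirm per action in the Service Authorization Reference before applying it to other statements), keeps the `ec2:Describe*` calls, which do not support resource-level permissions, in a separate read-only statement on `Resource: "*"`, and lints the result for the two mistakes that most often undo scoping. The VPC ARN is a constructed placeholder.

```python
"""Build a VPC-scoped IAM policy for the GKE Multi-Cloud service agent and
lint it for over-broad grants. Added example; ARN patterns and actions are
taken from the service-agent table on this page."""
import json
import re

# Constructed placeholder: the VPC the service agent should be confined to.
VPC_ARN = "arn:aws:ec2:us-east-1:111122223333:vpc/vpc-0123456789abcdef0"

# (Sid, ARN pattern from the table, mutating actions from the table,
#  whether to add the ec2:Vpc condition). Only the security-group statement
# carries the VPC condition here; an inapplicable condition key evaluates to
# false and would silently deny the call.
SCOPED = [
    ("SecurityGroups", "arn:aws:ec2:*:*:security-group/sg-*",
     ["ec2:CreateSecurityGroup", "ec2:CreateTags",
      "ec2:RevokeSecurityGroupEgress", "ec2:DeleteSecurityGroup"], True),
    ("SecurityGroupRules", "arn:aws:ec2:*:*:security-group-rule/sgr-*",
     ["ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress",
      "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress",
      "ec2:CreateTags"], False),
    ("EtcdVolumes", "arn:aws:ec2:*:*:volume/vol-*",
     ["ec2:CreateVolume", "ec2:CreateTags", "ec2:DeleteVolume"], False),
    ("EtcdNics", "arn:aws:ec2:*:*:network-interface/eni-*",
     ["ec2:CreateNetworkInterface", "ec2:CreateTags",
      "ec2:ModifyNetworkInterfaceAttribute", "ec2:DeleteNetworkInterface"], False),
    ("LaunchTemplates", "arn:aws:ec2:*:*:launch-template/lt-*",
     ["ec2:CreateLaunchTemplate", "ec2:CreateTags",
      "ec2:DeleteLaunchTemplate"], False),
]

# EC2 Describe* actions cannot be restricted by resource ARN, so they go in
# one read-only statement on "*" rather than forcing "*" onto every statement.
DESCRIBE_ACTIONS = [
    "ec2:DescribeSecurityGroups", "ec2:DescribeNetworkInterfaces",
    "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeKeyPairs",
]

READ_ONLY = re.compile(r"^\w+:(Describe|Get|List)")


def build_policy(vpc_arn: str) -> dict:
    """Return an IAM policy document with one statement per ARN pattern."""
    statements = []
    for sid, arn, actions, vpc_scoped in SCOPED:
        stmt = {"Sid": sid, "Effect": "Allow",
                "Action": sorted(set(actions)), "Resource": arn}
        if vpc_scoped:
            stmt["Condition"] = {"ArnEquals": {"ec2:Vpc": vpc_arn}}
        statements.append(stmt)
    statements.append({"Sid": "ReadOnlyDescribe", "Effect": "Allow",
                       "Action": DESCRIBE_ACTIONS, "Resource": "*"})
    return {"Version": "2012-10-17", "Statement": statements}


def lint_policy(doc: dict) -> list:
    """Flag wildcard actions and mutating actions granted on every resource."""
    findings = []
    for stmt in doc["Statement"]:
        actions = stmt["Action"]
        actions = actions if isinstance(actions, list) else [actions]
        resources = stmt["Resource"]
        resources = resources if isinstance(resources, list) else [resources]
        sid = stmt.get("Sid", "<no Sid>")
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action!r}")
            elif "*" in resources and not READ_ONLY.match(action):
                findings.append(f"{sid}: mutating action {action!r} on Resource '*'")
    return findings


if __name__ == "__main__":
    policy = build_policy(VPC_ARN)
    print(json.dumps(policy, indent=2))
    print("lint:", lint_policy(policy) or "clean")
```

Run the script to print the document and its lint result; a policy that collapses everything onto `"Resource": "*"` or grants `ec2:*` is reported by `lint_policy`, which is the check worth keeping in a pipeline that reviews custom policies before they are attached to the roles.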
IAM policy for control plane role
Purpose | Permission Required | Reference
---|---|---
cluster autoscaler | autoscaling:DescribeAutoScalingGroups (Create, Update); autoscaling:DescribeAutoScalingInstances (Create, Update); autoscaling:DescribeLaunchConfigurations (Create, Update); autoscaling:DescribeTags (Create, Update); ec2:DescribeInstanceTypes (Create, Update); ec2:DescribeLaunchTemplateVersions (Create, Update); autoscaling:SetDesiredCapacity; autoscaling:TerminateInstanceInAutoScalingGroup | https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md
cloud-provider-aws | autoscaling:DescribeAutoScalingGroups; autoscaling:DescribeLaunchConfigurations; autoscaling:DescribeTags (Create); ec2:DescribeInstances (Create); ec2:DescribeRegions; ec2:DescribeRouteTables; ec2:DescribeSecurityGroups; ec2:DescribeSubnets; ec2:DescribeVolumes; ec2:CreateSecurityGroup; ec2:CreateTags; ec2:CreateVolume; ec2:ModifyInstanceAttribute; ec2:ModifyVolume; ec2:AttachVolume (Create); ec2:AuthorizeSecurityGroupIngress; ec2:CreateRoute; ec2:DeleteRoute; ec2:DeleteSecurityGroup; ec2:DeleteVolume; ec2:DetachVolume; ec2:RevokeSecurityGroupIngress; ec2:DescribeVpcs; elasticloadbalancing:AddTags; elasticloadbalancing:AttachLoadBalancerToSubnets; elasticloadbalancing:ApplySecurityGroupsToLoadBalancer; elasticloadbalancing:CreateLoadBalancer; elasticloadbalancing:CreateLoadBalancerPolicy; elasticloadbalancing:CreateLoadBalancerListeners; elasticloadbalancing:ConfigureHealthCheck; elasticloadbalancing:DeleteLoadBalancer; elasticloadbalancing:DeleteLoadBalancerListeners; elasticloadbalancing:DescribeLoadBalancers; elasticloadbalancing:DescribeLoadBalancerAttributes; elasticloadbalancing:DetachLoadBalancerFromSubnets; elasticloadbalancing:DeregisterInstancesFromLoadBalancer; elasticloadbalancing:ModifyLoadBalancerAttributes; elasticloadbalancing:RegisterInstancesWithLoadBalancer; elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer; elasticloadbalancing:CreateListener; elasticloadbalancing:CreateTargetGroup; elasticloadbalancing:DeleteListener; elasticloadbalancing:DeleteTargetGroup; elasticloadbalancing:DescribeListeners; elasticloadbalancing:DescribeLoadBalancerPolicies; elasticloadbalancing:DescribeTargetGroups; elasticloadbalancing:DescribeTargetHealth; elasticloadbalancing:ModifyListener; elasticloadbalancing:ModifyTargetGroup; elasticloadbalancing:RegisterTargets; elasticloadbalancing:DeregisterTargets; elasticloadbalancing:SetLoadBalancerPoliciesOfListener; iam:CreateServiceLinkedRole; kms:DescribeKey | https://github.com/kubernetes/cloud-provider-aws/blob/master/docs/prerequisites.md
Create load balancers | elasticloadbalancing:CreateLoadBalancer; ec2:DescribeAccountAttributes; ec2:DescribeInternetGateways; ec2:DescribeSecurityGroups; ec2:DescribeSubnets; ec2:DescribeVpcs | https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html
aws-ebs-csi-driver | ec2:DescribeVolumesModifications; ec2:DescribeAvailabilityZones | https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/docs#set-up-driver-permission
gke-aws-controller-manager | ec2:DescribeDhcpOptions; ec2:DescribeInstances; ec2:DescribeVpcs |
 | elasticloadbalancing:ModifyTargetGroupAttributes |
CSI snapshotter | ec2:DescribeSnapshots; ec2:CreateSnapshot; ec2:DeleteSnapshot | Kubernetes external snapshotter
GKE on AWS node agent: attach NIC to etcd | ec2:AttachNetworkInterface (Create, Update) |
Read proxy configuration from Secrets Manager | secretsmanager:GetSecretValue (Create, Update) |
Interact with KMS keys | kms:Encrypt (Create, Update); kms:Decrypt (Create, Update); kms:CreateGrant (Create, Update) |
IAM policy for node pool role
Purpose | Permission Required | Reference
---|---|---
Read proxy configuration from Secrets Manager | secretsmanager:GetSecretValue (Create, Update) |
KMS key to decrypt node pool configuration encryption | kms:Decrypt (Create, Update) | Create an AWS KMS key