The tables on this page list all of the permissions used in creating the default AWS IAM roles. To create these policies with default permissions, see Create AWS IAM roles.
- GKE Multi-Cloud API service agent role
- The GKE Multi-Cloud API uses this AWS IAM role to manage resources using AWS APIs. This role is used by a Google-managed service account known as a service agent.
- Control plane AWS IAM role
- Your cluster control plane uses this role to control node pools.
- Node pool AWS IAM role
- The control plane uses this role to create node pool VMs.
Depending upon your organization's requirements, you can choose to create custom AWS IAM policies for GKE on AWS to manage your clusters. These policies will replace the default versions. You then apply these policies to AWS IAM roles and provide them when you create a cluster.
For more information on the purpose of each role, see AWS IAM roles for GKE on AWS.
To create these policies, choose the level that you wish to restrict your resources at. For example, you can restrict a policy to a particular AWS VPC using the VPC's Amazon Resource Name (ARN). For more information, see Controlling access to AWS resources using policies.
IAM policies for GKE Multi-Cloud service agents
| Resource Type | ARN | Permission Required | Purpose | Reference |
|---|---|---|---|---|
| Security Group | arn:aws:ec2:*:*:security-group/sg-* |
ec2:DescribeSecurityGroups (Create, Update, Delete)ec2:CreateSecurityGroup (Create)ec2:CreateTags (Create)ec2:RevokeSecurityGroupEgress (Create)ec2:DeleteSecurityGroup (Delete) |
Control plane security group | |
| Security Group | Node pool security group | |||
| Security Group Rule | arn:aws:ec2:*:*:security-group-rule/sgr-* |
ec2:AuthorizeSecurityGroupEgress (Create)ec2:RevokeSecurityGroupEgress (Delete)ec2:CreateTags (Create) |
Control plane egress security group rule | |
| Security Group Rule | ec2:AuthorizeSecurityGroupIngress (Create)ec2:RevokeSecurityGroupIngress (Delete)ec2:CreateTags (Create) |
Control plane ingress security group rule | ||
| Security Group Rule | ec2:AuthorizeSecurityGroupEgress (Create)ec2:RevokeSecurityGroupEgress (Delete)ec2:CreateTags (Create) |
Control plane egress security group rule | ||
| Security Group Rule | ec2:AuthorizeSecurityGroupIngress (Create)ec2:RevokeSecurityGroupIngress (Delete)ec2:CreateTags (Create) |
Control plane ingress security group rule | ||
| Network Load Balancer | arn:aws:elasticloadbalancing:*:*:loadbalancer/net/gke-* |
elasticloadbalancing:DescribeLoadBalancers (Create, Delete) elasticloadbalancing:CreateLoadBalancer (Create)ec2:CreateSecurityGroup (Create)ec2:DescribeAccountAttributes (Create)ec2:DescribeInternetGateways (Create)ec2:DescribeSecurityGroups (Create)ec2:DescribeSubnets (Create)ec2:DescribeVpcs (Create)iam:CreateServiceLinkedRole (Create)elasticloadbalancing:DeleteLoadBalancer (Delete) |
Kubernetes api-server load balancer | Elastic Load Balancing API permissions |
| Target Group | arn:aws:elasticloadbalancing:*:*:targetgroup/gke-* |
elasticloadbalancing:DescribeTargetGroups (Create, Update, Delete)elasticloadbalancing:DescribeTargetHealth (Create, Update)elasticloadbalancing:CreateTargetGroup (Create)elasticloadbalancing:ModifyTargetGroupAttributes (Create)ec2:DescribeInternetGateways (Create)ec2:DescribeVpcs (Create)elasticloadbalancing:DeleteTargetGroup (Delete) |
Target group for https | Elastic Load Balancing API permissions |
| Target Group | Target group for https for konnectivity agent | |||
| Listener | arn:aws:elasticloadbalancing:*:*:listener/net/gke-* |
elasticloadbalancing:CreateListener (Create)elasticloadbalancing:DeleteListener (Delete)
elasticloadbalancing:DescribeListeners (Delete)elasticloadbalancing:DeleteListener (Delete) |
Listener for https | |
| Listener | Listener for https for konnectivity agent | |||
| Volume | arn:aws:ec2:*:*:volume/vol-* |
ec2:CreateVolume (Create)ec2:CreateTags (Create)ec2:DeleteVolume (Delete) |
etcd volumes | |
| Network Interface | arn:aws:ec2:*:*:network-interface/eni-* |
ec2:DescribeNetworkInterfaces Updateec2:CreateNetworkInterface (Create)ec2:CreateTags (Create)ec2:ModifyNetworkInterfaceAttribute (Update)ec2:DeleteNetworkInterface (Delete) |
etcd NICs | |
| Launch Template | arn:aws:ec2:*:*:launch-template/lt-* |
ec2:CreateLaunchTemplate (Create, Update)ec2:CreateTags (Create, Update)ec2:DeleteLaunchTemplate (Delete) |
Launch template for control plane instances | |
| Launch Template | Launch template for node pool instances | |||
| Auto Scaling Group | arn:aws:autoscaling:*:*:autoScalingGroup:*: |
autoscaling:DescribeAutoScalingGroups (Create, Update, Delete)autoscaling:CreateAutoScalingGroup (Create)autoscaling:CreateOrUpdateTags (Update)autoscaling:UpdateAutoScalingGroup (Update, Delete)autoscaling:TerminateInstanceInAutoScalingGroup (Update)autoscaling:DeleteTags Update, (Delete)autoscaling:DeleteAutoScalingGroup (Delete)iam:CreateServiceLinkedRole (Create)ec2:RunInstances (Create)iam:PassRole (Create) |
auto scaling groups for control plane instances | Required API permissions for Amazon EC2 Auto Scaling |
| Auto Scaling Group | arn:aws:autoscaling:*:*:autoScalingGroup:*: |
auto scaling groups for node pool instances | Required permissions to create a service-linked role | |
| EC2 key pairs | ec2:DescribeKeyPairs (Create) |
To ensure the EC2 key pair used to login into cluster machines exists. | ||
| Subnets | ec2:DescribeSubnets (Create) |
Access to additional subnets in your VPC | ||
| VPC | ec2:DescribeVpcs (Create) |
Information on your AWS VPC | ||
| EC2 Console output | ec2:GetConsoleOutput (Create, Update) |
Check console logs for errors | ||
| KMS Key | For more information on KMS key policies for GKE on AWS
Creating KMS keys with specific permissions
|
IAM policy for control plane role
| Purpose | Permission Required | Reference |
|---|---|---|
| cluster autoscaler | autoscaling:DescribeAutoScalingGroups (Create, Update)autoscaling:DescribeAutoScalingInstances (Create, Update)autoscaling:DescribeLaunchConfigurations (Create, Update)autoscaling:DescribeTags (Create, Update)ec2:DescribeInstanceTypes (Create, Update)ec2:DescribeLaunchTemplateVersions (Create, Update)autoscaling:SetDesiredCapacityautoscaling:TerminateInstanceInAutoScalingGroup |
https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md |
| cloud-provider-aws | autoscaling:DescribeAutoScalingGroupsautoscaling:DescribeLaunchConfigurationsautoscaling:DescribeTags (Create)ec2:DescribeInstances (Create)ec2:DescribeRegionsec2:DescribeRouteTablesec2:DescribeSecurityGroupsec2:DescribeSubnetsec2:DescribeVolumesec2:CreateSecurityGroupec2:CreateTagsec2:CreateVolumeec2:ModifyInstanceAttributeec2:ModifyVolumeec2:AttachVolume (Create)ec2:AuthorizeSecurityGroupIngressec2:CreateRouteec2:DeleteRouteec2:DeleteSecurityGroupec2:DeleteVolumeec2:DetachVolumeec2:RevokeSecurityGroupIngressec2:DescribeVpcselasticloadbalancing:AddTagselasticloadbalancing:AttachLoadBalancerToSubnetselasticloadbalancing:ApplySecurityGroupsToLoadBalancerelasticloadbalancing:CreateLoadBalancerelasticloadbalancing:CreateLoadBalancerPolicyelasticloadbalancing:CreateLoadBalancerListenerselasticloadbalancing:ConfigureHealthCheckelasticloadbalancing:DeleteLoadBalancerelasticloadbalancing:DeleteLoadBalancerListenerselasticloadbalancing:DescribeLoadBalancerselasticloadbalancing:DescribeLoadBalancerAttributeselasticloadbalancing:DetachLoadBalancerFromSubnetselasticloadbalancing:DeregisterInstancesFromLoadBalancerelasticloadbalancing:ModifyLoadBalancerAttributeselasticloadbalancing:RegisterInstancesWithLoadBalancerelasticloadbalancing:SetLoadBalancerPoliciesForBackendServerelasticloadbalancing:AddTagselasticloadbalancing:CreateListenerelasticloadbalancing:CreateTargetGroupelasticloadbalancing:DeleteListenerelasticloadbalancing:DeleteTargetGroupelasticloadbalancing:DescribeListenerselasticloadbalancing:DescribeLoadBalancerPolicieselasticloadbalancing:DescribeTargetGroupselasticloadbalancing:DescribeTargetHealthelasticloadbalancing:ModifyListenerelasticloadbalancing:ModifyTargetGroupelasticloadbalancing:RegisterTargetselasticloadbalancing:DeregisterTargetselasticloadbalancing:SetLoadBalancerPoliciesOfListeneriam:CreateServiceLinkedRolekms:DescribeKey |
https://github.com/kubernetes/cloud-provider-aws/blob/master/docs/prerequisites.md |
| Create load balancers | elasticloadbalancing:CreateLoadBalancerec2:DescribeAccountAttributesec2:DescribeInternetGatewaysec2:DescribeSecurityGroupsec2:DescribeSubnetsec2:DescribeVpcs |
https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-api-permissions.html |
| aws-ebs-csi-driver | ec2:DescribeVolumesModifications
ec2:DescribeAvailabilityZones |
https://github.com/kubernetes-sigs/aws-ebs-csi-driver/tree/master/docs#set-up-driver-permission |
| gke-aws-controller-manager | ec2:DescribeDhcpOptionsec2:DescribeInstancesec2:DescribeVpcs |
|
elasticloadbalancing:ModifyTargetGroupAttributes |
||
ec2:DescribeSnapshotsec2:CreateSnapshotec2:DeleteSnapshot |
CSI snapshotter | Kubernetes external snapshotter |
| GKE on AWS node agent Attach NIC to etcd |
ec2:AttachNetworkInterface (Create, Update) |
|
| Read proxy configuration from Secrets Manager | secretsmanager:GetSecretValue (Create, Update) |
|
| Interact with KMS keys | kms:Encrypt (Create, Update)kms:Decrypt (Create, Update)kms:CreateGrant (Create, Update) |
IAM policy for node pool role
| Purpose | Permission Required | Reference |
|---|---|---|
| Read proxy configuration from secrets manager | secretsmanager:GetSecretValue (Create, Update) |
|
| KMS key to decrypt node pool configuration encryption | kms:Decrypt (Create, Update) |
Create an AWS KMS key |