What permissions to give to allow creating roles & EKS cluster?

0

I'd like to give a user/role somewhat narrow permissions to create & manage an EKS cluster. However, it seems like the permissions needed to do so are quite broad. Some needed so far:

  • ability to spin up EC2 instances (expected)
  • ability to tag resources
  • ability to create roles

The last one here is the most problematic: the ability to create roles. If I give the user IAMFullAccess, what's to stop them from giving their own role admin access, or creating another role with admin access and swapping to it?

From some googling I found this reddit post which linked to this blogpost about IAM permissions boundaries: https://aws.amazon.com/blogs/security/when-and-where-to-use-iam-permissions-boundaries/

But I don't really understand how this works yet & I'm guessing this is a fairly common problem. If someone has a sample policy json for creating EKS clusters that would be ideal.

2 Answers
0

I agree, the IAM role is a big problem. You can implement a permissions boundary for the IAM role, which will help. An IAM permissions boundary is an IAM policy that defines the maximum permissions a role or user can have. In the permissions boundary you can, for example, have a policy that says Deny DeleteVpc, etc. Even if your main role allows deleting a VPC, it will not succeed. Now, how can you enforce the use of the permissions boundary? You have to make sure the user or service role that's creating the role must attach the permissions boundary.

Here's an example:

- Sid: IAMPermission
  Effect: Allow
  Action:
    - 'iam:*'
  Resource: 'arn:aws:iam::*:role/*'
  Condition:
    # iam:PermissionsBoundary is a single-valued key, so use a plain ArnEquals.
    # A ForAllValues set operator also matches when the key is absent from the
    # request, which would let CreateRole succeed with no boundary attached.
    ArnEquals:
      'iam:PermissionsBoundary': 'arn:aws:iam::*:policy/MyPermissionBoundary'

In this example, the user or service role that has the "IAMPermission" policy can only create an IAM role when the specified permissions boundary is attached.

EXPERT
answered 5 months ago
-1

To create and manage an Amazon EKS cluster with narrower permissions, you need to address several permission requirements while maintaining security.

For creating an EKS cluster, you need:

  1. EKS-specific permissions: The user needs permissions to create and manage EKS clusters.

  2. IAM role creation permissions: This is necessary because EKS requires a cluster IAM role with the AmazonEKSClusterPolicy. When creating a cluster, you need to:

     • Create a role with EKS as the trusted entity
     • Attach the AmazonEKSClusterPolicy to this role

  3. EC2 permissions: For managing worker nodes and related resources.

  4. Tagging permissions: For resource organization and management.

Instead of granting IAMFullAccess (which is too broad), you can use permissions boundaries to limit what the user can do with their role creation abilities. A permissions boundary is an IAM policy that sets the maximum permissions an IAM entity can have, regardless of what permissions are granted to them.

Here's how to implement this approach:

  1. Create a permissions boundary policy that defines the maximum allowed permissions
  2. Allow the user to create roles, but only with this permissions boundary attached
  3. Ensure the boundary policy doesn't include permissions to modify boundaries or create admin-level access

This way, even if the user creates new roles, those roles cannot exceed the permissions defined in the boundary. The user won't be able to escalate privileges by creating roles with broader permissions than what you've allowed in the boundary policy.

For EKS specifically, you would:

  • Allow creation of the EKS cluster role with the specific trust relationship to eks.amazonaws.com
  • Allow attaching only the AmazonEKSClusterPolicy to this role
  • Use conditions in your IAM policies to restrict which services can be trusted by created roles

This approach provides the necessary permissions for EKS cluster creation while preventing privilege escalation through role creation.

Sources
Amazon EKS cluster IAM role - Amazon EKS
Using roles for Amazon EKS clusters - Amazon EKS
How to Give AWS EKS IAM user access....? | AWS re:Post

answered 5 months ago
  • answer is ok but just not specific enough
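The asker wanted a sample policy JSON. Below is an added example (not from either answer or from AWS) that turns the condition in the first answer and steps 1-3 of the second answer into one identity policy for the delegated user or role. It assumes a placeholder account ID 111122223333, a boundary policy named EksDelegationBoundary, and that the cluster role is named with an eks- prefix; it covers only the cluster role (EC2, tagging and worker-node permissions are left out), and the content of the boundary policy itself is not shown.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    { "Sid": "EksClusterAdmin", "Effect": "Allow", "Action": "eks:*", "Resource": "*" },
    {
      "Sid": "RolesOnlyWithBoundary",
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:PutRolePermissionsBoundary",
                 "iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "arn:aws:iam::111122223333:role/eks-*",
      "Condition": {
        "ArnEquals": {
          "iam:PermissionsBoundary": "arn:aws:iam::111122223333:policy/EksDelegationBoundary"
        }
      }
    },
    {
      "Sid": "OnlyTheEksClusterPolicy",
      "Effect": "Deny",
      "Action": ["iam:AttachRolePolicy", "iam:DetachRolePolicy"],
      "Resource": "*",
      "Condition": {
        "ArnNotEquals": { "iam:PolicyARN": "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy" }
      }
    },
    {
      "Sid": "PassRoleOnlyToEks",
      "Effect": "Allow",
      "Action": "iam:PassRole",
      "Resource": "arn:aws:iam::111122223333:role/eks-*",
      "Condition": { "StringEquals": { "iam:PassedToService": "eks.amazonaws.com" } }
    },
    {
      "Sid": "BoundaryCannotBeRemovedOrEdited",
      "Effect": "Deny",
      "Action": ["iam:DeleteRolePermissionsBoundary", "iam:CreatePolicyVersion",
                 "iam:DeletePolicy", "iam:DeletePolicyVersion", "iam:SetDefaultPolicyVersion"],
      "Resource": ["arn:aws:iam::111122223333:role/eks-*",
                   "arn:aws:iam::111122223333:policy/EksDelegationBoundary"]
    }
  ]
}
```

The Allow on CreateRole carries the boundary condition, the explicit Deny statements stop the user from attaching anything but AmazonEKSClusterPolicy or from weakening the boundary after the fact, and the PassRole statement only lets the role be handed to EKS. The boundary policy EksDelegationBoundary must itself permit what AmazonEKSClusterPolicy grants, or the created cluster role will be unable to act.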
