Is your request related to a new offering from AWS?
No
Is your request related to a problem? Please describe.
It seems that AWS considers that clusters should be created using a dedicated IAM role. That role is expected not to be used to perform any actions on the clusters, which can be easily satisfied with the enable_cluster_creator_admin_permissions param.
The reason is obviously to have a back door in case your access configuration is corrupted and the clusters become inaccessible.
Describe the solution you'd like.
Considering that the module is not only creating the cluster but also many different things around KMS, IAM, EC2, etc., you could perhaps incorporate that by making the aws_eks_cluster use another provider set up with such a dedicated IAM role, and also allow overriding the trust policy for that role so it can be hardened, i.e. one could specify the principals that are allowed to assume it, while it could default to any principal in the current account with enough permissions.
In terms of permissions, that role, if I'm not mistaken, could be limited to:
ec2:Describe*
eks:List*
eks:Describe*
eks:CreateCluster
on [*], plus:
iam:PassRole
on the cluster IAM role, and:
eks:*
on the cluster to be created.
Describe alternatives you've considered.
I have considered using a dedicated provider for the entire module, but I don't like the idea of granting that IAM role too many permissions across many AWS services, especially since keeping them narrowed down wouldn't be easy and they would have to be kept up to date over time.
Additional context
Happy to hear your thoughts / recommendations :)
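The following is an added example sketching the proposal in the request above; it is not code from the terraform-aws-eks module or from the issue author. It builds a dedicated cluster-creator role with exactly the three permission scopes listed, a trust policy that defaults to the whole account but can be narrowed to named principals, and a provider alias that assumes the role so only the aws_eks_cluster resource runs as it. The region, account ID, role names, cluster name and the subnet_ids variable are assumptions.

```hcl
# Added example (not from terraform-aws-eks or the issue author).
# Assumed values: region, account ID, role names, cluster name, subnet IDs.

variable "region"            { default = "eu-west-1" }
variable "account_id"        { default = "111122223333" }
variable "cluster_name"      { default = "example" }
variable "cluster_role_name" { default = "example-eks-cluster" }         # the cluster IAM role
variable "creator_role_name" { default = "example-eks-cluster-creator" } # the dedicated creator role
variable "subnet_ids"        { type = list(string) }                     # supplied by the caller

# Principals allowed to assume the creator role. Empty means "anyone in this
# account who is otherwise permitted", the default the issue proposes.
variable "creator_trusted_principals" {
  type    = list(string)
  default = []
}

locals {
  cluster_arn      = "arn:aws:eks:${var.region}:${var.account_id}:cluster/${var.cluster_name}"
  cluster_role_arn = "arn:aws:iam::${var.account_id}:role/${var.cluster_role_name}"
  creator_role_arn = "arn:aws:iam::${var.account_id}:role/${var.creator_role_name}"
  trusted_principals = coalescelist(
    var.creator_trusted_principals,
    ["arn:aws:iam::${var.account_id}:root"], # account-wide default; override to harden
  )
}

# Trust policy: who may assume the creator role.
data "aws_iam_policy_document" "creator_trust" {
  statement {
    actions = ["sts:AssumeRole"]
    principals {
      type        = "AWS"
      identifiers = local.trusted_principals
    }
  }
}

# Permissions policy, following the three scopes listed in the issue.
data "aws_iam_policy_document" "creator_permissions" {
  statement {
    sid       = "DiscoverAndCreate"
    actions   = ["ec2:Describe*", "eks:List*", "eks:Describe*", "eks:CreateCluster"]
    resources = ["*"]
  }
  statement {
    sid       = "PassClusterRoleToEksOnly"
    actions   = ["iam:PassRole"]
    resources = [local.cluster_role_arn]
    condition { # the role may only be handed to the EKS service
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
  statement {
    sid       = "ManageThisClusterOnly"
    actions   = ["eks:*"]
    resources = [local.cluster_arn]
  }
}

resource "aws_iam_role" "cluster_creator" {
  name               = var.creator_role_name
  assume_role_policy = data.aws_iam_policy_document.creator_trust.json
}

resource "aws_iam_role_policy" "cluster_creator" {
  name   = "eks-cluster-creator"
  role   = aws_iam_role.cluster_creator.id
  policy = data.aws_iam_policy_document.creator_permissions.json
}

# Provider alias that assumes the creator role. The ARN is built from variables
# rather than read from the resource above because provider configuration is
# evaluated before resources exist: create the role in a bootstrap apply first.
provider "aws" {
  alias  = "cluster_creator"
  region = var.region
  assume_role {
    role_arn = local.creator_role_arn
  }
}

# What the issue asks the module to do internally: only the cluster itself is
# created through the creator provider; KMS, IAM, EC2 etc. stay on the default one.
resource "aws_eks_cluster" "this" {
  provider = aws.cluster_creator
  name     = var.cluster_name
  role_arn = local.cluster_role_arn

  access_config {
    authentication_mode                         = "API"
    bootstrap_cluster_creator_admin_permissions = true # the creator role keeps break-glass admin
  }

  vpc_config {
    subnet_ids = var.subnet_ids
  }
}
```

Two caveats worth checking before adopting this shape: eks:CreateCluster on "*" still lets the role create clusters under any name (only management after creation is pinned to the named cluster ARN), and the account-root default in the trust policy is only as strong as the permission boundaries of every principal in the account, so set creator_trusted_principals explicitly wherever the role is meant to be a real break-glass path.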