@chrislovecnm
Created April 18, 2017 20:08
IAM roles for kops kubernetes installer
// All of the "Resource": "*" entries can be pruned down to
// "Resource": "arn:aws:iam::ACCOUNTNUMBER:role/ROLENAME",
// which is tied to a VPC.
// This is the list of permissions that our installer tools use.
// Our installer has multiple modes; we will not need the
// permissions for VPC creation, since we will be using a
// pre-installed VPC.
// Will need all of these
autoscaling:AttachInstances
autoscaling:AttachLoadBalancers
autoscaling:CreateAutoScalingGroup
autoscaling:CreateLaunchConfiguration
autoscaling:CreateOrUpdateTags
autoscaling:DeleteAutoScalingGroup
autoscaling:DeleteLaunchConfiguration
autoscaling:DescribeAutoScalingGroups
// Note: the "...Pages" names in the original list are AWS SDK pagination
// helpers, not IAM actions; the underlying IAM action names are listed here.
autoscaling:DescribeLaunchConfigurations
autoscaling:DescribeTags
autoscaling:TerminateInstanceInAutoScalingGroup
autoscaling:UpdateAutoScalingGroup
// Will need these, except for the components that create the VPC.
// Will need the finders for the VPC.
// I have commented out most of them.
ec2:AllocateAddress
ec2:AssociateAddress
// ec2:AssociateDhcpOptions
ec2:AssociateRouteTable
// Optional with BYO VPC
ec2:AttachInternetGateway
ec2:AttachVolume
ec2:AuthorizeSecurityGroupEgress
ec2:AuthorizeSecurityGroupIngress
// Optional with BYO VPC
ec2:CreateDhcpOptions
ec2:CreateInternetGateway
ec2:CreateNatGateway
// End optional
ec2:CreateRoute
// Optional with BYO VPC
ec2:CreateRouteTable
ec2:CreateSecurityGroup
// Optional with BYO VPC
ec2:CreateSubnet
ec2:CreateVolume
// ec2:CreateVpc
// ec2:DeleteDhcpOptions
// ec2:DeleteInternetGateway
ec2:DeleteKeyPair
ec2:DeleteNatGateway
ec2:DeleteRouteTable
ec2:DeleteSecurityGroup
// Optional with BYO VPC
ec2:DeleteSubnet
ec2:DeleteVolume
// Optional with BYO VPC
ec2:DeleteVpc
ec2:DescribeAddresses
ec2:DescribeDhcpOptions
ec2:DescribeInstanceAttribute
ec2:DescribeInstances
ec2:DescribeInternetGateways
ec2:DescribeKeyPairs
ec2:DescribeNatGateways
ec2:DescribeRouteTables
ec2:DescribeSecurityGroups
ec2:DescribeSubnets
ec2:DescribeVolumes
ec2:DescribeVpcs
// Optional with BYO VPC
ec2:DetachInternetGateway
ec2:DetachVolume
// Optional with BYO VPC
ec2:DisassociateRouteTable
ec2:ModifyVpcAttribute
// end optional
ec2:ReleaseAddress
// Optional with BYO VPC
ec2:ReplaceRoute
ec2:RevokeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress
ec2:RunInstances
ec2:StopInstances
ec2:TerminateInstances
// These are used to create an ASG for the masters
elasticloadbalancing:ConfigureHealthCheck
elasticloadbalancing:CreateLoadBalancer
elasticloadbalancing:CreateLoadBalancerListeners
elasticloadbalancing:ModifyLoadBalancerAttributes
elasticloadbalancing:RegisterInstancesWithLoadBalancer
// our installer creates the IAM profile for the masters
// and the nodes
iam:AddRoleToInstanceProfile
iam:CreateInstanceProfile
iam:CreateRole
iam:DeleteInstanceProfile
iam:DeleteRole
iam:DeleteRolePolicy
iam:ListInstanceProfiles
iam:ListRolePolicies
iam:ListRoles
iam:PutRolePolicy
iam:RemoveRoleFromInstanceProfile
iam:UpdateAssumeRolePolicy
// Our installer uses either external
// or internal DNS zones for API DNS
route53:ChangeResourceRecordSets
route53:GetChange
route53:GetHostedZone
route53:ListHostedZones
route53:ListResourceRecordSets
// cluster state information is
// stored in an S3 bucket
s3:PutObject
s3:GetObject
s3:DeleteObject
// used for encrypted volumes
kms:Decrypt
kms:ReEncrypt*
kms:GenerateDataKey*
kms:DescribeKey
kms:CreateGrant
kms:ListGrants
kms:RevokeGrant
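As an added example (not part of the gist or of kops itself), the Python below turns an action list written in the gist's format into an IAM policy document: it skips `//` comment lines, flags and corrects the two kinds of invalid entries that appear in the original gist (the `elasticloadbalancering` prefix typo and the `...Pages` SDK helper names), drops the actions marked optional with a BYO VPC, and scopes the `iam:` statement to the role ARN the gist names as the pruning target. The account number, the role name, the sample list and my reading of which actions are BYO-VPC-optional are assumptions.

```python
import re

# Constructed sample in the gist's own format; the real list above is longer.
SAMPLE = """
// Will need all of these
autoscaling:DescribeAutoScalingGroupsPages
// ec2:CreateVpc
ec2:CreateSubnet
ec2:RunInstances
elasticloadbalancering:CreateLoadBalancer
iam:ListRolesPages
kms:GenerateDataKey*
"""
# Actions the gist marks "Optional with BYO VPC" (my reading of its markers).
BYO_VPC_OPTIONAL = {
    "ec2:AttachInternetGateway", "ec2:CreateDhcpOptions", "ec2:CreateInternetGateway",
    "ec2:CreateNatGateway", "ec2:CreateRouteTable", "ec2:CreateSubnet", "ec2:DeleteSubnet",
    "ec2:DeleteVpc", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable",
    "ec2:ModifyVpcAttribute", "ec2:ReplaceRoute"}
ACTION_RE = re.compile(r"^[a-z0-9-]+:[A-Za-z0-9*]+$")

def parse_actions(text):
    """Drop // comment lines and blanks; return the listed actions in order."""
    lines = (ln.strip() for ln in text.splitlines())
    return [ln for ln in lines if ln and not ln.startswith("//")]

def canonicalize(action):
    """Return (fixed_action, note): note says what was wrong with the entry, or is None."""
    if not ACTION_RE.match(action):
        raise ValueError(f"malformed action: {action!r}")
    service, name = action.split(":", 1)
    if service == "elasticloadbalancering":  # typo in the original gist; no such prefix
        return f"elasticloadbalancing:{name}", "service prefix typo"
    if name.endswith("Pages"):  # AWS SDK pagination helpers, not IAM actions
        return f"{service}:{name[:-5]}", "SDK pagination suffix"
    return action, None

def build_policy(actions, account, role, byo_vpc=False):
    """One Allow statement per service; iam:* is scoped to the role ARN the gist
    names as the pruning target (my choice), everything else keeps Resource "*"."""
    role_arn = f"arn:aws:iam::{account}:role/{role}"  # placeholders, not real values
    by_service = {}
    for a, _note in (canonicalize(a) for a in actions):
        if byo_vpc and a in BYO_VPC_OPTIONAL:
            continue  # pre-installed VPC: no network-creation rights needed
        by_service.setdefault(a.split(":")[0], []).append(a)
    statements = [{"Effect": "Allow", "Action": sorted(acts),
                   "Resource": role_arn if svc == "iam" else "*"}
                  for svc, acts in sorted(by_service.items())]
    return {"Version": "2012-10-17", "Statement": statements}
```

Run `build_policy(parse_actions(SAMPLE), "123456789012", "kops-installer", byo_vpc=True)` to get the BYO-VPC variant; the `note` values from `canonicalize` are what you would surface when reviewing a hand-written list like this one.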