This AWS IAM policy grants the minimum set of permissions needed for Jenkins X Boot to work on EKS.
{ | |
"Version": "2012-10-17", | |
"Statement": [ | |
{ | |
"Sid": "VisualEditor0", | |
"Effect": "Allow", | |
"Action": [ | |
"dynamodb:CreateTable", | |
"s3:GetObject", | |
"cloudformation:ListStacks", | |
"cloudformation:DescribeStackEvents", | |
"dynamodb:DescribeTable", | |
"s3:CreateBucket", | |
"kms:CreateKey", | |
"s3:ListBucket", | |
"s3:PutBucketVersioning", | |
"cloudformation:DescribeStacks" | |
], | |
"Resource": "*" | |
}, | |
{ | |
"Sid": "VisualEditor1", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:GetRole", | |
"iam:GetPolicy", | |
"ecr:CreateRepository", | |
"iam:AttachUserPolicy", | |
"iam:CreateRole", | |
"iam:DeleteRole", | |
"iam:AttachRolePolicy", | |
"iam:CreateAccessKey", | |
"iam:CreateOpenIDConnectProvider", | |
"iam:CreatePolicy", | |
"iam:DetachRolePolicy", | |
"cloudformation:CreateStack", | |
"cloudformation:DeleteStack", | |
"ecr:DescribeRepositories", | |
"iam:GetOpenIDConnectProvider" | |
], | |
"Resource": [ | |
"arn:aws:iam::*:policy/CFN*", | |
"arn:aws:iam::*:policy/*jenkins-x-vault*", | |
"arn:aws:iam::*:oidc-provider/*", | |
"arn:aws:iam::*:role/*addon-iamserviceaccoun*", | |
"arn:aws:iam::*:user/*", | |
"arn:aws:ecr:*:*:repository/*", | |
"arn:aws:cloudformation:*:*:stack/JenkinsXPolicies*/*", | |
"arn:aws:cloudformation:*:*:stack/*addon-iamserviceaccount*/*", | |
"arn:aws:cloudformation:*:*:stack/*jenkins-x-vault*/*" | |
] | |
}, | |
{ | |
"Sid": "VisualEditor2", | |
"Effect": "Allow", | |
"Action": [ | |
"iam:CreatePolicy", | |
"iam:DetachRolePolicy", | |
"iam:GetPolicy", | |
"iam:CreateRole", | |
"iam:AttachRolePolicy", | |
"iam:GetOpenIDConnectProvider", | |
"iam:CreateOpenIDConnectProvider" | |
], | |
"Resource": [ | |
"arn:aws:iam::*:oidc-provider/*", | |
"arn:aws:iam::*:role/*addon-iamserviceaccoun*", | |
"arn:aws:iam::*:policy/CFN*" | |
] | |
}, | |
{ | |
"Sid": "VisualEditor3", | |
"Effect": "Allow", | |
"Action": "eks:*", | |
"Resource": [ | |
"arn:aws:eks:*:*:fargateprofile/*/*/*", | |
"arn:aws:eks:*:*:cluster/*", | |
"arn:aws:eks:*:*:nodegroup/*/*/*" | |
] | |
} | |
] | |
} | |