
@mitchellhuang
Last active October 3, 2022 22:33
AWS EBS CSI Driver Strict Policy
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
],
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*",
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteTags"
],
"Resource": [
"arn:aws:ec2:*:*:snapshot/*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*",
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*",
"aws:RequestTag/ebs.csi.aws.com/cluster": "true",
"aws:RequestTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:volume/*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*",
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:DetachVolume"
],
"Resource": [
"arn:aws:ec2:*:*:instance/*"
],
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:ModifyVolume",
"ec2:DeleteVolume"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*",
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateSnapshot"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ec2:DeleteSnapshot"
],
"Resource": "*",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*",
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true",
"ec2:ResourceTag/kubernetes.io/cluster/<%= cluster_name %>": "owned"
}
}
}
]
}