Connecting Your AWS Account: Cloud Permissions #
When you run the provided CloudFormation template in your AWS account, Stackbooster is granted specific permissions necessary to manage and operate EKS clusters on your behalf. These permissions are essential for provisioning, maintaining, scaling, and deprovisioning the infrastructure, ensuring seamless and automated operations. This document outlines the permissions granted, grouped by their purpose, and explains their roles in the Stackbooster ecosystem.
Permissions Granted #
1. EC2 Management #
Stackbooster requires a broad set of EC2 permissions to provision and maintain the infrastructure that EKS clusters depend on. The following permissions are granted to enable these operations:
VPC Management:
ec2:CreateVpc, ec2:DeleteVpc
ec2:CreateInternetGateway, ec2:AttachInternetGateway, ec2:DeleteInternetGateway, ec2:DetachInternetGateway
ec2:CreateRouteTable, ec2:DeleteRouteTable, ec2:AssociateRouteTable, ec2:DisassociateRouteTable
ec2:CreateRoute, ec2:DeleteRoute
ec2:CreateSubnet, ec2:DeleteSubnet, ec2:DescribeSubnets, ec2:ModifySubnetAttribute
Security Group Management:
ec2:CreateSecurityGroup, ec2:DeleteSecurityGroup, ec2:DescribeSecurityGroups
ec2:AuthorizeSecurityGroupIngress, ec2:AuthorizeSecurityGroupEgress
ec2:RevokeSecurityGroupIngress, ec2:RevokeSecurityGroupEgress
Instance Management:
ec2:RunInstances, ec2:TerminateInstances
ec2:DescribeInstances, ec2:StartInstances, ec2:StopInstances, ec2:MonitorInstances
ec2:AttachVolume, ec2:DetachVolume, ec2:ModifyInstanceAttribute
ec2:CreateLaunchTemplate, ec2:DeleteLaunchTemplate, ec2:DescribeLaunchTemplates
ec2:RequestSpotInstances, ec2:CancelSpotInstanceRequests, ec2:DescribeSpotInstanceRequests
Resource Management:
ec2:CreateSnapshot, ec2:DeleteSnapshot
ec2:CreateTags, ec2:DeleteTags
ec2:CreateVolume, ec2:DeleteVolume, ec2:ModifyVolume
2. EKS Management #
To provision, manage, and deprovision EKS clusters, Stackbooster requires the following permissions:
eks:ListClusters, eks:DescribeCluster, eks:CreateCluster, eks:DeleteCluster
eks:ListNodegroups, eks:DescribeNodegroup, eks:CreateNodegroup, eks:DeleteNodegroup
eks:TagResource, eks:CreateAddon, eks:DeleteAddon, eks:DescribeAddon, eks:ListAddons, eks:UpdateAddon
eks:CreateAccessEntry, eks:DeleteAccessEntry, eks:DescribeAccessEntry, eks:ListAccessEntries
eks:AssociateAccessPolicy, eks:DisassociateAccessPolicy, eks:ListAccessPolicies, eks:ListAssociatedAccessPolicies
3. IAM Management #
Stackbooster needs IAM permissions to manage roles and policies, ensuring proper access control for the EKS clusters:
iam:CreateRole, iam:DeleteRole, iam:GetRole, iam:ListRoles
iam:AttachRolePolicy, iam:DetachRolePolicy, iam:PutRolePolicy, iam:DeleteRolePolicy
iam:PassRole, iam:ListAttachedRolePolicies
iam:CreateInstanceProfile, iam:DeleteInstanceProfile, iam:GetInstanceProfile, iam:ListInstanceProfiles, iam:ListInstanceProfilesForRole
iam:CreateOpenIDConnectProvider, iam:DeleteOpenIDConnectProvider
4. CloudFormation Management #
These permissions allow Stackbooster to create, update, and manage CloudFormation stacks, facilitating the automation of resource provisioning:
cloudformation:CreateStack, cloudformation:DeleteStack, cloudformation:UpdateStack
cloudformation:CreateChangeSet, cloudformation:Describe*, cloudformation:List*
5. Auto Scaling Management #
To ensure efficient scaling of resources, Stackbooster requires the following permissions to manage Auto Scaling groups:
autoscaling:CreateAutoScalingGroup, autoscaling:DeleteAutoScalingGroup, autoscaling:UpdateAutoScalingGroup
Role Assumption #
Stackbooster’s AWS account assumes a role in the tenant’s AWS account, which grants the above permissions. The role assumption is facilitated by the following configuration:
Assume Role Policy: Allows Stackbooster’s AWS account to assume the role using sts:AssumeRole with the provided ExternalId.
Security Audit: Provides read-only access to AWS services and resources for auditing and monitoring purposes.
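The following is an added example, not part of the Stackbooster documentation or template, showing how a tenant can audit the cross-account role described above: it confirms that every sts:AssumeRole grant to an external AWS principal carries the sts:ExternalId condition, and lists any actions a permissions policy allows beyond the documented set. The account id and ExternalId in the sample trust policy are constructed placeholders.

```python
import json

# Constructed sample of the trust policy shape described above: the tenant role
# lets Stackbooster's account call sts:AssumeRole only with the agreed ExternalId.
# The account id and ExternalId are placeholders, not real values.
TRUST_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"AWS": "arn:aws:iam::111111111111:root"},
    "Action": "sts:AssumeRole",
    "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}}
  }]
}""")


def _as_list(value):
    # IAM allows single strings where lists are also accepted; normalise.
    return value if isinstance(value, list) else [value]


def assume_role_statements_missing_external_id(policy):
    """Return indices of Allow statements granting sts:AssumeRole to an AWS
    principal without a StringEquals condition on sts:ExternalId.
    An empty list means every cross-account assumption requires the ExternalId."""
    missing = []
    for i, stmt in enumerate(_as_list(policy.get("Statement", []))):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in _as_list(stmt.get("Action", [])):
            continue
        principal = stmt.get("Principal", {})
        external = principal == "*" or (isinstance(principal, dict) and "AWS" in principal)
        if not external:
            continue
        condition = stmt.get("Condition", {}).get("StringEquals", {})
        if not condition.get("sts:ExternalId"):
            missing.append(i)
    return missing


def undocumented_actions(policy, documented):
    """Return the actions an Allow statement grants beyond a documented set.
    Wildcards are compared literally, so 'cloudformation:Describe*' passes only
    if that exact string is in the documented set."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") == "Allow":
            allowed.update(_as_list(stmt.get("Action", [])))
    return sorted(allowed - set(documented))
```

Run `undocumented_actions` against the role's attached policies with the permission lists on this page as the documented set; any output is a grant the page does not account for.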