
Commit b28e70d

Merge pull request #2287 from ConnorJC3/iam-policy-new
Update example policy and documentation
2 parents c344ffc + 69c3519 commit b28e70d

3 files changed

+189
-56
lines changed

docs/example-iam-policy.json

+71-24
Original file line numberDiff line numberDiff line change
@@ -4,46 +4,76 @@
44
{
55
"Effect": "Allow",
66
"Action": [
7-
"ec2:CreateSnapshot",
8-
"ec2:AttachVolume",
9-
"ec2:DetachVolume",
10-
"ec2:ModifyVolume",
117
"ec2:DescribeAvailabilityZones",
128
"ec2:DescribeInstances",
139
"ec2:DescribeSnapshots",
1410
"ec2:DescribeTags",
1511
"ec2:DescribeVolumes",
16-
"ec2:DescribeVolumesModifications",
17-
"ec2:EnableFastSnapshotRestores"
12+
"ec2:DescribeVolumesModifications"
1813
],
1914
"Resource": "*"
2015
},
2116
{
2217
"Effect": "Allow",
2318
"Action": [
24-
"ec2:CreateTags"
19+
"ec2:CreateSnapshot",
20+
"ec2:ModifyVolume"
21+
],
22+
"Resource": "arn:aws:ec2:*:*:volume/*"
23+
},
24+
{
25+
"Effect": "Allow",
26+
"Action": [
27+
"ec2:AttachVolume",
28+
"ec2:DetachVolume"
2529
],
2630
"Resource": [
27-
"arn:*:ec2:*:*:volume/*",
28-
"arn:*:ec2:*:*:snapshot/*"
31+
"arn:aws:ec2:*:*:volume/*",
32+
"arn:aws:ec2:*:*:instance/*"
2933
]
3034
},
35+
{
36+
"Effect": "Allow",
37+
"Action": [
38+
"ec2:CreateVolume",
39+
"ec2:EnableFastSnapshotRestores"
40+
],
41+
"Resource": "arn:aws:ec2:*:*:snapshot/*"
42+
},
43+
{
44+
"Effect": "Allow",
45+
"Action": [
46+
"ec2:CreateTags"
47+
],
48+
"Resource": [
49+
"arn:aws:ec2:*:*:volume/*",
50+
"arn:aws:ec2:*:*:snapshot/*"
51+
],
52+
"Condition": {
53+
"StringEquals": {
54+
"ec2:CreateAction": [
55+
"CreateVolume",
56+
"CreateSnapshot"
57+
]
58+
}
59+
}
60+
},
3161
{
3262
"Effect": "Allow",
3363
"Action": [
3464
"ec2:DeleteTags"
3565
],
3666
"Resource": [
37-
"arn:*:ec2:*:*:volume/*",
38-
"arn:*:ec2:*:*:snapshot/*"
67+
"arn:aws:ec2:*:*:volume/*",
68+
"arn:aws:ec2:*:*:snapshot/*"
3969
]
4070
},
4171
{
4272
"Effect": "Allow",
4373
"Action": [
4474
"ec2:CreateVolume"
4575
],
46-
"Resource": "arn:*:ec2:*:*:volume/*",
76+
"Resource": "arn:aws:ec2:*:*:volume/*",
4777
"Condition": {
4878
"StringLike": {
4979
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
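Review bot: the new statement granting `ec2:CreateSnapshot` and `ec2:ModifyVolume` on `arn:aws:ec2:*:*:volume/*` carries no `Condition`, while every `ec2:DeleteVolume` statement later in this file is gated on `ec2:ResourceTag/ebs.csi.aws.com/cluster`, `ec2:ResourceTag/CSIVolumeName` or `ec2:ResourceTag/kubernetes.io/created-for/pvc/name`. If the driver only resizes and snapshots volumes it provisioned, the same `ec2:ResourceTag` conditions belong here too; if statically provisioned volumes without those tags must keep working, a sentence in install.md explaining why the broader scope is required would help anyone auditing this policy. Separately, replacing `arn:*` with `arn:aws:` in every `Resource` is a breaking change for users on other partitions who copy this file verbatim; the note added to install.md covers it, but it should be called out in the release notes as well, since the JSON itself cannot carry a comment.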
@@ -55,7 +85,7 @@
5585
"Action": [
5686
"ec2:CreateVolume"
5787
],
58-
"Resource": "arn:*:ec2:*:*:volume/*",
88+
"Resource": "arn:aws:ec2:*:*:volume/*",
5989
"Condition": {
6090
"StringLike": {
6191
"aws:RequestTag/CSIVolumeName": "*"
@@ -65,19 +95,24 @@
6595
{
6696
"Effect": "Allow",
6797
"Action": [
68-
"ec2:CreateVolume"
98+
"ec2:DeleteVolume"
6999
],
70-
"Resource": "arn:*:ec2:*:*:snapshot/*"
100+
"Resource": "arn:aws:ec2:*:*:volume/*",
101+
"Condition": {
102+
"StringLike": {
103+
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
104+
}
105+
}
71106
},
72107
{
73108
"Effect": "Allow",
74109
"Action": [
75110
"ec2:DeleteVolume"
76111
],
77-
"Resource": "*",
112+
"Resource": "arn:aws:ec2:*:*:volume/*",
78113
"Condition": {
79114
"StringLike": {
80-
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
115+
"ec2:ResourceTag/CSIVolumeName": "*"
81116
}
82117
}
83118
},
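Review bot: a readability point rather than a correctness one: because the statements were restructured in place, this hunk shows `ec2:CreateVolume` turning into `ec2:DeleteVolume` and a condition swapping from `ec2:ResourceTag/ebs.csi.aws.com/cluster` to `ec2:ResourceTag/CSIVolumeName`, which reads as a permission change when it is mostly a reordering; the resulting `DeleteVolume` statements match the old ones except that `Resource` is narrowed from `"*"` to `arn:aws:ec2:*:*:volume/*`. A short summary of the net permission changes in the PR description would make this far easier to audit than the raw diff.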
@@ -86,22 +121,34 @@
86121
"Action": [
87122
"ec2:DeleteVolume"
88123
],
89-
"Resource": "*",
124+
"Resource": "arn:aws:ec2:*:*:volume/*",
90125
"Condition": {
91126
"StringLike": {
92-
"ec2:ResourceTag/CSIVolumeName": "*"
127+
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
93128
}
94129
}
95130
},
96131
{
97132
"Effect": "Allow",
98133
"Action": [
99-
"ec2:DeleteVolume"
134+
"ec2:CreateSnapshot"
100135
],
101-
"Resource": "*",
136+
"Resource": "arn:aws:ec2:*:*:snapshot/*",
102137
"Condition": {
103138
"StringLike": {
104-
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
139+
"aws:RequestTag/CSIVolumeSnapshotName": "*"
140+
}
141+
}
142+
},
143+
{
144+
"Effect": "Allow",
145+
"Action": [
146+
"ec2:CreateSnapshot"
147+
],
148+
"Resource": "arn:aws:ec2:*:*:snapshot/*",
149+
"Condition": {
150+
"StringLike": {
151+
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
105152
}
106153
}
107154
},
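Review bot: the two new `ec2:CreateSnapshot` statements on `arn:aws:ec2:*:*:snapshot/*` are conditioned on `aws:RequestTag/CSIVolumeSnapshotName` or `aws:RequestTag/ebs.csi.aws.com/cluster`, and the unconditioned `ec2:CreateSnapshot` on `"Resource": "*"` was removed in the first hunk, so snapshot creation now fails with AccessDenied unless the request carries one of those tags. That is a sensible tightening, but it is a behaviour change rather than a plain resource narrowing; please add a test that runs the driver's snapshot path against this policy and mention the new tag requirement in the docs or changelog. Note that `StringLike` with `"*"` only requires the tag key to be present, not any particular value, which is acceptable here because `ec2:CreateTags` is itself limited via the `ec2:CreateAction` condition.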
@@ -110,7 +157,7 @@
110157
"Action": [
111158
"ec2:DeleteSnapshot"
112159
],
113-
"Resource": "*",
160+
"Resource": "arn:aws:ec2:*:*:snapshot/*",
114161
"Condition": {
115162
"StringLike": {
116163
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
@@ -122,7 +169,7 @@
122169
"Action": [
123170
"ec2:DeleteSnapshot"
124171
],
125-
"Resource": "*",
172+
"Resource": "arn:aws:ec2:*:*:snapshot/*",
126173
"Condition": {
127174
"StringLike": {
128175
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"

docs/install.md

+36-8
Original file line numberDiff line numberDiff line change
@@ -35,20 +35,48 @@ Kubernetes metadata does not provide information about the number of ENIs or EBS
3535

3636
## Installation
3737
### Set up driver permissions
38-
The driver requires IAM permissions to talk to Amazon EBS to manage the volume on user's behalf. [The example policy here](./example-iam-policy.json) defines these permissions. AWS maintains a managed policy, available at ARN `arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy`.
3938

40-
The baseline example policy does not give the EBS CSI Driver access to KMS keys to use to encrypt volumes. If you wish to encrypt volumes, add an additional statement to the role granting these permissions, for example the below statement would grant the driver access to all KMS keys in the account:
41-
```
39+
> [!NOTE]
40+
> The example policy and documentation below use the [`aws` partition in ARNs](https://docs.aws.amazon.com/IAM/latest/UserGuide/reference-arns.html). When installing the EBS CSI Driver on other partitions, replace instances of `arn:aws:` with the local partition, such as `arn:aws-us-gov:` for AWS GovCloud.
41+
42+
The driver requires IAM permissions to talk to Amazon EBS to manage the volume on user's behalf. [The example policy here](./example-iam-policy.json) defines these permissions. AWS maintains a [managed policy version of the example policy](https://docs.aws.amazon.com/aws-managed-policy/latest/reference/AmazonEBSCSIDriverPolicy.html), available at ARN `arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy`.
43+
44+
The baseline example policy excludes permissions for some rarer and potentially dangerous usecases. For these usecases, additional statements are necessary:
45+
46+
<details>
47+
<summary>Encrypted EBS Volumes via KMS</summary>
48+
<br>
49+
To create and manage encrypted EBS volumes, the EBS CSI Driver requires access to the KMS key(s) used for encryption/decryption of the volume(s). The below example grants the EBS CSI Driver access to all KMS keys in the account, but it is best practice to restrict the resource to only the keys the EBS CSI Driver needs access to.
50+
<pre>
4251
{
4352
"Effect": "Allow",
4453
"Action": [
45-
"kms:Decrypt",
46-
"kms:GenerateDataKeyWithoutPlaintext",
47-
"kms:CreateGrant"
54+
"kms:Decrypt",
55+
"kms:GenerateDataKeyWithoutPlaintext",
56+
"kms:CreateGrant"
4857
],
49-
"Resource": "*"
58+
"Resource": "arn:aws:kms:*:*:key/*"
5059
}
51-
```
60+
</pre>
61+
</details>
62+
63+
<details>
64+
<summary>Modifying tags of existing volumes</summary>
65+
<br>
66+
Modification of tags of existing volumes can, in some configurations, allow the driver to bypass tag-based policies and restrictions, so it is not included in the default policy. Below is an example statement that will grant the EBS CSI Driver the ability to modify tags of any volume or snapshot:
67+
<pre>
68+
{
69+
"Effect": "Allow",
70+
"Action": [
71+
"ec2:CreateTags"
72+
],
73+
"Resource": [
74+
"arn:aws:ec2:*:*:volume/*",
75+
"arn:aws:ec2:*:*:snapshot/*"
76+
]
77+
}
78+
</pre>
79+
</details>
5280

5381
There are several options to pass credentials to the EBS CSI Driver, each documented below:
5482

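Review bot: the "Modifying tags of existing volumes" section warns that the permission can bypass tag-based restrictions and then gives readers an unconditioned `ec2:CreateTags` over every volume and snapshot. Since the baseline policy relies on `ec2:ResourceTag/...` conditions to scope `ec2:DeleteVolume` and `ec2:DeleteSnapshot`, this example would let the driver re-tag arbitrary volumes into that scope; suggest adding a `Condition` limiting it to resources the driver already owns (for example `ec2:ResourceTag/ebs.csi.aws.com/cluster`), or at minimum stating that the example must be narrowed before use, as the KMS section already does. Two smaller points: the `kms:CreateGrant` example could carry the `kms:GrantIsForAWSResource` condition that AWS recommends for grants created on behalf of EBS, and "usecases" should read "use cases" and "on user's behalf" should read "on the user's behalf".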