Merge pull request #2793 from ElijahQuinones/mangedPolicyClones

k8s-ci-robot · web-flow · commit 87f31ef521f6 · 2025-11-17T10:43:39.000-08:00
Revise docs and example to account for managed policy change
diff --git a/docs/example-iam-policy.json b/docs/example-iam-policy.json
@@ -22,6 +22,15 @@
       ],
       "Resource": "arn:aws:ec2:*:*:volume/*"
     },
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:CopyVolumes"
+      ],
+      "Resource": [
+        "arn:aws:ec2:*:*:volume/vol-*"
+      ]
+    },
     {
       "Effect": "Allow",
       "Action": [
@@ -54,7 +63,8 @@
         "StringEquals": {
           "ec2:CreateAction": [
             "CreateVolume",
-            "CreateSnapshot"
+            "CreateSnapshot",
+            "CopyVolumes"
           ]
         }
       }
@@ -72,7 +82,8 @@
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateVolume"
+        "ec2:CreateVolume",
+        "ec2:CopyVolumes"
       ],
       "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
@@ -84,7 +95,8 @@
     {
       "Effect": "Allow",
       "Action": [
-        "ec2:CreateVolume"
+        "ec2:CreateVolume",
+        "ec2:CopyVolumes"
       ],
       "Resource": "arn:aws:ec2:*:*:volume/*",
       "Condition": {
diff --git a/docs/install.md b/docs/install.md
@@ -93,57 +93,6 @@ Modification of tags of existing volumes can, in some configurations, allow the
 </pre>
 </details>
 
-<details>
-<summary>Creating a clone of a volume</summary>
-<br>
-The following statements give the EBS CSI Driver access to clone volumes:
-<pre>
-{ 
-  "Effect": "Allow",
-  "Action": [
-    "ec2:CopyVolumes"
-  ],
-  "Resource": "arn:aws:ec2:*:*:volume/vol-*"
-},
-{
-  "Effect": "Allow",
-  "Action": [
-    "ec2:CopyVolumes"
-  ],
-  "Resource": "arn:aws:ec2:*:*:volume/*",
-  "Condition": {
-    "StringLike": {
-      "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
-    }
-  }
-},
-{
-  "Effect": "Allow",
-  "Action": [
-    "ec2:CopyVolumes"
-  ],
-  "Resource": "arn:aws:ec2:*:*:volume/*",
-  "Condition": {
-    "StringLike": {
-      "aws:RequestTag/CSIVolumeName": "*"
-    }
-  }
-},
-{
-  "Effect": "Allow",
-  "Action": [
-    "ec2:CreateTags"
-  ],
-  "Resource": "arn:aws:ec2:*:*:volume/*",
-  "Condition": {
-    "StringEquals": {
-      "ec2:CreateAction": "CopyVolumes"
-    }
-  }
-}
-</pre>
-</details>
-
 There are several options to pass credentials to the EBS CSI Driver, each documented below:
 
 #### (EKS Only) EKS Pod Identity
diff --git a/examples/kubernetes/clone/README.md b/examples/kubernetes/clone/README.md
@@ -3,7 +3,6 @@
 ## Prerequisites
 
 1. The [aws-ebs-csi-driver](https://github.com/kubernetes-sigs/aws-ebs-csi-driver) on at least v1.51.0 installed.
-2. Default managed policy will need to be adjusted see [install.md](https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/install.md)  
 
 ## Usage
 
