
Commit a3c3cac

authored
Merge pull request #4426 from wweiwei-li/main
Add EUSC IAM policy
2 parents c1356d2 + ff11b62 commit a3c3cac


1 file changed

+251
-0
lines changed


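--- a/docs/install/iam_policy_eusc.json
+++ b/docs/install/iam_policy_eusc.json
@@ -0,0 +1,251 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": [
+"iam:CreateServiceLinkedRole"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:DescribeAccountAttributes",
+"ec2:DescribeAddresses",
+"ec2:DescribeAvailabilityZones",
+"ec2:DescribeInternetGateways",
+"ec2:DescribeVpcs",
+"ec2:DescribeVpcPeeringConnections",
+"ec2:DescribeSubnets",
+"ec2:DescribeSecurityGroups",
+"ec2:DescribeInstances",
+"ec2:DescribeNetworkInterfaces",
+"ec2:DescribeTags",
+"ec2:GetCoipPoolUsage",
+"ec2:DescribeCoipPools",
+"ec2:GetSecurityGroupsForVpc",
+"ec2:DescribeIpamPools",
+"ec2:DescribeRouteTables",
+"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancerAttributes",
+"elasticloadbalancing:DescribeListeners",
+"elasticloadbalancing:DescribeListenerCertificates",
+"elasticloadbalancing:DescribeSSLPolicies",
+"elasticloadbalancing:DescribeRules",
+"elasticloadbalancing:DescribeTargetGroups",
+"elasticloadbalancing:DescribeTargetGroupAttributes",
+"elasticloadbalancing:DescribeTargetHealth",
+"elasticloadbalancing:DescribeTags",
+"elasticloadbalancing:DescribeTrustStores",
+"elasticloadbalancing:DescribeListenerAttributes",
+"elasticloadbalancing:DescribeCapacityReservation"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"cognito-idp:DescribeUserPoolClient",
+"acm:ListCertificates",
+"acm:DescribeCertificate",
+"iam:ListServerCertificates",
+"iam:GetServerCertificate",
+"waf-regional:GetWebACL",
+"waf-regional:GetWebACLForResource",
+"waf-regional:AssociateWebACL",
+"waf-regional:DisassociateWebACL",
+"wafv2:GetWebACL",
+"wafv2:GetWebACLForResource",
+"wafv2:AssociateWebACL",
+"wafv2:DisassociateWebACL",
+"shield:GetSubscriptionState",
+"shield:DescribeProtection",
+"shield:CreateProtection",
+"shield:DeleteProtection"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateSecurityGroup"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags"
+],
+"Resource": "arn:aws-eusc:ec2:*:*:security-group/*",
+"Condition": {
+"StringEquals": {
+"ec2:CreateAction": "CreateSecurityGroup"
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:CreateTags",
+"ec2:DeleteTags"
+],
+"Resource": "arn:aws-eusc:ec2:*:*:security-group/*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"ec2:AuthorizeSecurityGroupIngress",
+"ec2:RevokeSecurityGroupIngress",
+"ec2:DeleteSecurityGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateLoadBalancer",
+"elasticloadbalancing:CreateTargetGroup"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:CreateListener",
+"elasticloadbalancing:DeleteListener",
+"elasticloadbalancing:CreateRule",
+"elasticloadbalancing:DeleteRule"
+],
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws-eusc:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags",
+"elasticloadbalancing:RemoveTags"
+],
+"Resource": [
+"arn:aws-eusc:elasticloadbalancing:*:*:listener/net/*/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:listener/app/*/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
+]
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:ModifyLoadBalancerAttributes",
+"elasticloadbalancing:SetIpAddressType",
+"elasticloadbalancing:SetSecurityGroups",
+"elasticloadbalancing:SetSubnets",
+"elasticloadbalancing:DeleteLoadBalancer",
+"elasticloadbalancing:ModifyTargetGroup",
+"elasticloadbalancing:ModifyTargetGroupAttributes",
+"elasticloadbalancing:DeleteTargetGroup",
+"elasticloadbalancing:ModifyListenerAttributes",
+"elasticloadbalancing:ModifyCapacityReservation",
+"elasticloadbalancing:ModifyIpPools"
+],
+"Resource": "*",
+"Condition": {
+"Null": {
+"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:AddTags"
+],
+"Resource": [
+"arn:aws-eusc:elasticloadbalancing:*:*:targetgroup/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:loadbalancer/net/*/*",
+"arn:aws-eusc:elasticloadbalancing:*:*:loadbalancer/app/*/*"
+],
+"Condition": {
+"StringEquals": {
+"elasticloadbalancing:CreateAction": [
+"CreateTargetGroup",
+"CreateLoadBalancer"
+]
+},
+"Null": {
+"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
+}
+}
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:RegisterTargets",
+"elasticloadbalancing:DeregisterTargets"
+],
+"Resource": "arn:aws-eusc:elasticloadbalancing:*:*:targetgroup/*/*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"elasticloadbalancing:SetWebAcl",
+"elasticloadbalancing:ModifyListener",
+"elasticloadbalancing:AddListenerCertificates",
+"elasticloadbalancing:RemoveListenerCertificates",
+"elasticloadbalancing:ModifyRule",
+"elasticloadbalancing:SetRulePriorities"
+],
+"Resource": "*"
+}
+]
+}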
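Review bot: The `AddTags`/`RemoveTags` statement scoped to listener and listener-rule ARNs (new-file lines 173–185) and the `SetWebAcl`/`ModifyListener`/`ModifyRule`/`SetRulePriorities` statement (lines 238–249) carry no `aws:ResourceTag/elbv2.k8s.aws/cluster` condition, while the neighbouring load-balancer, target-group and security-group statements all gate mutation on that tag, so this principal can retag and reconfigure listeners on load balancers the controller does not own. This presumably mirrors the partition-agnostic base policy this file was derived from (every other difference visible here is the `arn:aws-eusc:` partition in the ARNs), so it is not a regression introduced by the commit, but the new file has no pointer back to its source and nothing in the install docs appears to say that the listener statements are intentionally unscoped. A one-line note in the install docs next to the other partition-specific policy variants, along the lines of "`iam_policy_eusc.json` is the base policy with the ARN partition replaced by `aws-eusc`; regenerate it rather than editing by hand", would let maintainers diff the two and catch drift when actions are added to the base file. Operators who need a tighter grant should be told they can add the same `Null` condition on `aws:ResourceTag/elbv2.k8s.aws/cluster` to those two statements if their listeners are tagged.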
