---
title: Minimum EKS Permissions
---

Documented here is the minimum set of permissions necessary to use all functionality of the EKS driver in Rancher. Additional permissions are required for Rancher to provision the `Service Role` and `VPC` resources. Optionally, these resources can be created **before** the cluster creation and will be selectable when defining the cluster configuration.

Resource | Description
---------|------------
Service Role | The service role provides Kubernetes the permissions it requires to manage resources on your behalf. Rancher can create the service role with the following [Service Role Permissions](#service-role-permissions).
VPC | Provides isolated network resources utilised by EKS and worker nodes. Rancher can create the VPC resources with the following [VPC Permissions](#vpc-permissions).

Resource targeting uses `*` because the ARNs of many of the resources created cannot be known before the EKS cluster is created in Rancher. Note that `iam:CreateRole`, `iam:AttachRolePolicy` and `iam:PassRole` allowed on `"Resource": "*"` without conditions let the principal create a role with any managed policy attached and pass it to a service, so treat the credentials given to Rancher as highly privileged and restrict them (for example with an `iam:PassedToService` condition on `iam:PassRole`, or a `Resource` ARN pattern on the IAM actions) where your environment allows.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "EC2Permissions",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:DescribeRegions",
        "ec2:DescribeVpcs",
        "ec2:DescribeTags",
        "ec2:DescribeSubnets",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeRouteTables",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeImages",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAccountAttributes",
        "ec2:DeleteTags",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteKeyPair",
        "ec2:CreateTags",
        "ec2:CreateSecurityGroup",
        "ec2:CreateLaunchTemplateVersion",
        "ec2:CreateLaunchTemplate",
        "ec2:CreateKeyPair",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:AuthorizeSecurityGroupEgress"
      ],
      "Resource": "*"
    },
    {
      "Sid": "CloudFormationPermissions",
      "Effect": "Allow",
      "Action": [
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:DescribeStacks",
        "cloudformation:DescribeStackResources",
        "cloudformation:DescribeStackResource",
        "cloudformation:DeleteStack",
        "cloudformation:CreateStackSet",
        "cloudformation:CreateStack"
      ],
      "Resource": "*"
    },
    {
      "Sid": "IAMPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:PassRole",
        "iam:ListRoles",
        "iam:ListRoleTags",
        "iam:ListInstanceProfilesForRole",
        "iam:ListInstanceProfiles",
        "iam:ListAttachedRolePolicies",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:DetachRolePolicy",
        "iam:DeleteRole",
        "iam:CreateRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Sid": "KMSPermissions",
      "Effect": "Allow",
      "Action": "kms:ListKeys",
      "Resource": "*"
    },
    {
      "Sid": "EKSPermissions",
      "Effect": "Allow",
      "Action": [
        "eks:UpdateNodegroupVersion",
        "eks:UpdateNodegroupConfig",
        "eks:UpdateClusterVersion",
        "eks:UpdateClusterConfig",
        "eks:UntagResource",
        "eks:TagResource",
        "eks:ListUpdates",
        "eks:ListTagsForResource",
        "eks:ListNodegroups",
        "eks:ListFargateProfiles",
        "eks:ListClusters",
        "eks:DescribeUpdate",
        "eks:DescribeNodegroup",
        "eks:DescribeFargateProfile",
        "eks:DescribeCluster",
        "eks:DeleteNodegroup",
        "eks:DeleteFargateProfile",
        "eks:DeleteCluster",
        "eks:CreateNodegroup",
        "eks:CreateFargateProfile",
        "eks:CreateCluster"
      ],
      "Resource": "*"
    }
  ]
}
```

### Service Role Permissions

Permissions required for Rancher to create the service role on the user's behalf during the EKS cluster creation process.
```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "IAMPermissions",
      "Effect": "Allow",
      "Action": [
        "iam:AddRoleToInstanceProfile",
        "iam:AttachRolePolicy",
        "iam:CreateInstanceProfile",
        "iam:CreateRole",
        "iam:CreateServiceLinkedRole",
        "iam:DeleteInstanceProfile",
        "iam:DeleteRole",
        "iam:DetachRolePolicy",
        "iam:GetInstanceProfile",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:ListRoles",
        "iam:ListRoleTags",
        "iam:PassRole",
        "iam:RemoveRoleFromInstanceProfile"
      ],
      "Resource": "*"
    }
  ]
}
```

When an EKS cluster is created, Rancher will create a service role with the following trust policy, which allows only the EKS service principal to assume it:

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": "sts:AssumeRole",
      "Principal": {
        "Service": "eks.amazonaws.com"
      },
      "Effect": "Allow",
      "Sid": ""
    }
  ]
}
```

This role will also have two role policy attachments with the following policy ARNs:

```
arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
arn:aws:iam::aws:policy/AmazonEKSServicePolicy
```

### VPC Permissions

Permissions required for Rancher to create the VPC and associated resources.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VPCPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:ReplaceRoute",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:DisassociateRouteTable",
        "ec2:DetachInternetGateway",
        "ec2:DescribeVpcs",
        "ec2:DeleteVpc",
        "ec2:DeleteTags",
        "ec2:DeleteSubnet",
        "ec2:DeleteRouteTable",
        "ec2:DeleteRoute",
        "ec2:DeleteInternetGateway",
        "ec2:CreateVpc",
        "ec2:CreateSubnet",
        "ec2:CreateSecurityGroup",
        "ec2:CreateRouteTable",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:AttachInternetGateway",
        "ec2:AssociateRouteTable"
      ],
      "Resource": "*"
    }
  ]
}
```
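The policies on this page are the reference; what usually goes wrong in practice is that the policy actually attached to Rancher's credentials drifts from it (an action dropped, a `Deny` added by a guardrail, or a wildcard that grants far more than the list). The following Python script is an added example, not part of the Rancher documentation or the EKS driver: it reads a policy document, expands IAM-style `*` wildcards against a required-action list, reports the actions that are missing or denied, and separately flags the privilege-escalation-capable IAM grants (`iam:PassRole`, `iam:CreateRole`, `iam:AttachRolePolicy`) that are allowed on `"Resource": "*"` with no `Condition`. The two sample policies and the short `REQUIRED_ACTIONS` list are constructed for illustration; the `iam:PassedToService` values in the hardened statement assume the role is only ever passed to EKS and EC2 in your deployment.

```python
"""Check an IAM policy document against a required-action list.

Added example (not Rancher's code). Matching mirrors IAM's action semantics:
case-insensitive, with '*' and '?' wildcards. NotAction/NotResource are
rejected rather than guessed at, and Resource scoping is ignored for the
coverage check because the reference policies use "Resource": "*".
"""
import fnmatch
import json

# Constructed sample: loosely modelled on the EKS driver policy, with one
# required action missing, one explicitly denied, and broad wildcards.
CANDIDATE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["eks:*"], "Resource": "*"},
        {"Effect": "Allow", "Action": ["iam:PassRole", "iam:CreateRole"], "Resource": "*"},
        {"Effect": "Deny", "Action": ["ec2:DeleteKeyPair"], "Resource": "*"},
    ],
})

# Constructed sample: PassRole restricted to the services Rancher passes roles to
# (assumption: EKS for cluster/node roles, EC2 for instance profiles).
HARDENED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": "*",
        "Condition": {"StringEquals": {
            "iam:PassedToService": ["eks.amazonaws.com", "ec2.amazonaws.com"]}},
    }],
})

# Short subset of the actions from the policies above, enough to exercise the checker.
REQUIRED_ACTIONS = [
    "ec2:RunInstances", "ec2:DescribeVpcs", "ec2:DeleteKeyPair",
    "eks:CreateCluster", "eks:DeleteCluster",
    "iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy",
]

# Unconditioned on "*", these three together are effectively account-admin.
PRIVILEGE_ESCALATION_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:AttachRolePolicy"}


def _as_list(value):
    """IAM allows a string or a list for Action/Resource/Statement."""
    return value if isinstance(value, list) else [value]


def _matches(action, patterns):
    # IAM action names are case-insensitive; wildcards are '*' and '?'.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def allowed_actions(policy_json, required):
    """Required actions that end up allowed (explicit Deny always wins)."""
    doc = json.loads(policy_json)
    allowed, denied = set(), set()
    for st in _as_list(doc["Statement"]):
        if "NotAction" in st or "NotResource" in st:
            raise ValueError("NotAction/NotResource statements are not supported here")
        patterns = _as_list(st.get("Action", []))
        bucket = allowed if st.get("Effect") == "Allow" else denied
        bucket.update(a for a in required if _matches(a, patterns))
    return allowed - denied


def missing_actions(policy_json, required):
    """Sorted list of required actions the policy does not grant."""
    return sorted(set(required) - allowed_actions(policy_json, required))


def unconditioned_escalation_grants(policy_json):
    """Escalation-capable IAM actions allowed on Resource '*' with no Condition."""
    doc = json.loads(policy_json)
    found = set()
    for st in _as_list(doc["Statement"]):
        if st.get("Effect") != "Allow" or st.get("Condition"):
            continue
        if "*" not in _as_list(st.get("Resource", [])):
            continue
        patterns = _as_list(st.get("Action", []))
        found.update(a for a in PRIVILEGE_ESCALATION_ACTIONS if _matches(a, patterns))
    return sorted(found)


if __name__ == "__main__":
    print("missing:", missing_actions(CANDIDATE_POLICY, REQUIRED_ACTIONS))
    print("unconditioned escalation grants:", unconditioned_escalation_grants(CANDIDATE_POLICY))
    print("hardened policy escalation grants:", unconditioned_escalation_grants(HARDENED_POLICY))
```

To check a real deployment, replace `CANDIDATE_POLICY` with the policy document attached to Rancher's IAM user or role and `REQUIRED_ACTIONS` with the full action lists from the three policies above. This is a static coverage check on one document only; it does not see permissions boundaries, SCPs or other attached policies, so confirm the result against the live evaluation with `aws iam simulate-principal-policy` before relying on it.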