cluster-api-provider-aws
cluster-api-provider-aws copied to clipboard
kubernetes-sigs
SecretsManager actions in node IAM policy vs. CloudFormation template
/kind bug
What steps did you take and what happened:
In essence, attempted to bootstrap a workload cluster while not using clusteraws bootstrap iam create-cloudformation-stack, but by taking the output of clusterawsadm bootstrap iam print-policy --document [...] (which appear to be identical to the policies published as artifacts eg. here and creating the IAM policies, roles, and instance profiles through other automation.
When spinning up a workload cluster, the workload cluster was unable to fetch cloud-init userdata because no policy in the instance role permitted a GetSecretValue operation.
Troubleshooting this, I compared the CloudFormation stack (output of clusterawsadm bootstrap iam print-cloudformation-template) with the output of clusterawsadm bootstrap iam print-policy --document AWSIAMManagedPolicyCloudProviderNodes, and noticed that the CloudFormation stack does grant the GetSecretValue permission (and others) while the output of clusterawsadm bootstrap iam print-policy (or the previously linked artifact) do not.
What did you expect to happen:
I expected to be able to deploy a workload cluster using the IAM policies returned by clusterawsadm bootstrap iam print-policy --document [...].
Note: I'm not looking for help troubleshooting the actual userdata issue that occurred; this is already narrowed down to the missing IAM policy statement and my issue is resolved since using the CloudFormation template as a reference and updating the policy. This bug report is merely to document that there is a difference between the AWSIAMManagedPolicyCloudProviderNodes in the CF stack and JSON artifact, and to clarify whether this is by design, or whether the JSON artifact should be updated.
Anything else you would like to add:
Policy as returned by clusterawsadm bootstrap iam print-policy --document AWSIAMManagedPolicyCloudProviderNodes:
$ clusterawsadm bootstrap iam print-policy --document AWSIAMManagedPolicyCloudProviderNodes
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:CreateTags",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Resource": [
"*"
]
}
]
}
Policy as embedded in the CF template:
$ clusterawsadm bootstrap iam print-cloudformation-template \
| yq -e '.Resources.AWSIAMManagedPolicyCloudProviderNodes.Properties.PolicyDocument' -o json
{
"Statement": [
{
"Action": [
"ec2:AssignIpv6Addresses",
"ec2:DescribeInstances",
"ec2:DescribeRegions",
"ec2:CreateTags",
"ec2:DescribeTags",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeInstanceTypes",
"ecr:GetAuthorizationToken",
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:ListImages",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": [
"*"
]
},
{
"Action": [
"secretsmanager:DeleteSecret",
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": [
"arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*"
]
},
{
"Action": [
"ssm:UpdateInstanceInformation",
"ssmmessages:CreateControlChannel",
"ssmmessages:CreateDataChannel",
"ssmmessages:OpenControlChannel",
"ssmmessages:OpenDataChannel",
"s3:GetEncryptionConfiguration"
],
"Effect": "Allow",
"Resource": [
"*"
]
}
],
"Version": "2012-10-17T00:00:00Z"
}
AWSIAMManagedPolicyCloudProviderControlPlane and AWSIAMManagedPolicyControllers look the same in both places. I did not compare or use other policies.
Environment:
- Cluster-api-provider-aws version: v2.1.2
- Kubernetes version: (use
kubectl version): v1.24.13 - OS (e.g. from
/etc/os-release):
