4.2.5. IAM 角色所需的 AWS 权限
您可以选择定义自己的云身份和访问管理(IAM)角色,这些角色应用于安装程序创建的机器的实例配置集。您可以通过在 install-config.yaml 文件中定义 controlPlane.platform.aws.iamRole 和 compute.platform.aws.iamRoleThis 字段来指定现有的 IAM 角色。您可以使用这些字段与命名方案匹配,并为您的 IAM 角色包含预定义的权限界限。
control plane 和计算机器需要以下 IAM 角色权限:
例 4.14. control plane 实例配置集所需的 IAM 角色权限
-
sts:AssumeRole -
ec2:AttachVolume -
ec2:AuthorizeSecurityGroupIngress -
ec2:CreateSecurityGroup -
ec2:CreateTags -
ec2:CreateVolume -
ec2:DeleteSecurityGroup -
ec2:DeleteVolume -
ec2:Describe* -
ec2:DetachVolume -
ec2:ModifyInstanceAttribute -
ec2:ModifyVolume -
ec2:RevokeSecurityGroupIngress -
elasticloadbalancing:AddTags -
elasticloadbalancing:AttachLoadBalancerToSubnets -
elasticloadbalancing:ApplySecurityGroupsToLoadBalancer -
elasticloadbalancing:CreateListener -
elasticloadbalancing:CreateLoadBalancer -
elasticloadbalancing:CreateLoadBalancerPolicy -
elasticloadbalancing:CreateLoadBalancerListeners -
elasticloadbalancing:CreateTargetGroup -
elasticloadbalancing:ConfigureHealthCheck -
elasticloadbalancing:DeleteListener -
elasticloadbalancing:DeleteLoadBalancer -
elasticloadbalancing:DeleteLoadBalancerListeners -
elasticloadbalancing:DeleteTargetGroup -
elasticloadbalancing:DeregisterInstancesFromLoadBalancer -
elasticloadbalancing:DeregisterTargets -
elasticloadbalancing:Describe* -
elasticloadbalancing:DetachLoadBalancerFromSubnets -
elasticloadbalancing:ModifyListener -
elasticloadbalancing:ModifyLoadBalancerAttributes -
elasticloadbalancing:ModifyTargetGroup -
elasticloadbalancing:ModifyTargetGroupAttributes -
elasticloadbalancing:RegisterInstancesWithLoadBalancer -
elasticloadbalancing:RegisterTargets -
elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer -
elasticloadbalancing:SetLoadBalancerPoliciesOfListener -
kms:DescribeKey
例 4.15. 计算实例配置集所需的 IAM 角色权限
-
sts:AssumeRole -
ec2:DescribeInstances -
ec2:DescribeRegions
