Configure IAM Policies: AWS
Redpanda automatically assigns IAM policies to the Redpanda agent when it is deployed. These permissions let the agent provision and manage the cloud resources that make up a BYOC cluster in AWS or GCP. The policies do not grant users access to a cluster; they grant the deployed agent access to your cloud account so that Redpanda can create and operate the BYOC cluster there. Because the agent runs inside your account, review these statements carefully: they define the blast radius if the agent or its credentials are compromised.
See also: BYOC architecture
AWS IAM policies
The following policy statements are assigned to deployed Redpanda agents for BYOC AWS clusters. Each statement is shown in Terraform policy-document (`statement { ... }`) syntax and grouped by the AWS service it covers; `local.aws_account_id`, `var.redpanda_id`, and `local.network_config.vpc_id` are substituted at deployment time.
Actions allowed with wildcard resources
The following actions are granted on all resources (`*`) rather than on Redpanda-specific ARNs. Most are read-only `Describe`/`List` calls, but `ec2:CreateTags`, `iam:DeleteOpenIDConnectProvider`, `iam:CreateServiceLinkedRole`, and the launch-template and placement-group create/delete calls are also unscoped.
# Agent permissions granted against every resource ("*") rather than a
# Redpanda-specific ARN. Most entries are read-only Describe/List calls, but
# several mutate state and are not scoped by tag or name:
#   - ec2:CreateTags on "*" lets the agent tag any EC2 resource in the account.
#     Other statements in this policy gate deletes on the
#     ec2:ResourceTag/redpanda-id tag, so unrestricted tagging weakens that gate.
#     NOTE(review): an aws:RequestTag/redpanda-id or ec2:CreateAction condition
#     would narrow this -- confirm the agent's tagging calls before adding it.
#   - iam:DeleteOpenIDConnectProvider on "*" can remove any OIDC provider in
#     the account; creation (RedpandaAgentEKSOIDCProvider) is scoped to
#     oidc.eks.*.amazonaws.com, deletion here is not.
#   - iam:CreateServiceLinkedRole, ec2:CreateLaunchTemplate*, and
#     ec2:Create/DeletePlacementGroup are likewise unscoped.
statement {
  sid    = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
  effect = "Allow"
  actions = [
    "ec2:CreateTags",
    "ec2:DescribeAccountAttributes",
    "ec2:DescribeImages",
    "ec2:DescribeInstances",
    "ec2:DescribeInstanceTypes",
    "ec2:CreateLaunchTemplate",
    "ec2:CreateLaunchTemplateVersion",
    "ec2:DescribeLaunchTemplateVersions",
    "ec2:DescribeLaunchTemplates",
    "iam:ListPolicies",
    "iam:ListRoles",
    "iam:GetOpenIDConnectProvider",
    "iam:DeleteOpenIDConnectProvider",
    "autoscaling:DescribeScalingActivities",
    "autoscaling:DescribeAutoScalingGroups",
    "autoscaling:DescribeTags",
    "autoscaling:DescribeTerminationPolicyTypes",
    "autoscaling:DescribeInstanceRefreshes",
    "autoscaling:DescribeLaunchConfigurations",
    "iam:CreateServiceLinkedRole",
    "ec2:CreatePlacementGroup",
    "ec2:DeletePlacementGroup",
    "ec2:DescribePlacementGroups"
  ]
  resources = [
    "*",
  ]
}
Run in EC2 instances
The following statement allows the Redpanda agent to launch EC2 instances (`ec2:RunInstances`). The action must be allowed on every resource type a launch touches, so it is granted for instances, network interfaces, volumes, security groups, subnets, and launch templates in the account, and for any AMI.
# Lets the agent launch EC2 instances. RunInstances must be allowed on every
# resource type the launch touches; each is granted for the whole account
# (instance/*, network-interface/*, volume/*, security-group/*, subnet/*,
# launch-template/*), and image/* has no account field, so any AMI visible to
# the account (including public AMIs) is launchable.
# NOTE(review): there is no condition tying the launch to a redpanda-tagged
# launch template, subnet, or AMI. Because RedpandaAgentIAMRoleManagement also
# grants iam:PassRole on the redpanda-* roles, this is the statement that lets
# the agent put those roles on instances it starts -- scope it (for example an
# ec2:LaunchTemplate or aws:RequestTag/redpanda-id condition) if the agent's
# blast radius matters for your account. Confirm the agent's exact launch
# parameters before tightening.
statement {
  sid    = "RedpandaAgentEC2RunInstances"
  effect = "Allow"
  actions = [
    "ec2:RunInstances",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:instance/*",
    "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
    "arn:aws:ec2:*:${local.aws_account_id}:volume/*",
    "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
    "arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
    "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
    "arn:aws:ec2:*::image/*",
  ]
}
Delete launch templates
The following statement allows the Redpanda agent to delete launch templates, but only those tagged with this cluster's `redpanda-id` (enforced by the `condition` block).
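# Lets the agent delete launch templates, but only those carrying the
# redpanda-id tag for this cluster (the condition below). The region and
# template-id fields of the ARN are wildcards; they render as "__" on the
# page, which is not valid ARN syntax, so "*" is restored here to match the
# launch-template/* form used in RedpandaAgentEC2RunInstances.
# Note the tag gate is only as strong as control over who can set that tag:
# ec2:CreateTags is granted on "*" in the wildcard statement of this policy.
statement {
  sid    = "RedpandaAgentLaunchTemplateDeletion"
  effect = "Allow"
  actions = [
    "ec2:DeleteLaunchTemplate",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
  ]
  condition {
    test     = "StringEquals"
    variable = "ec2:ResourceTag/redpanda-id"
    values = [
      var.redpanda_id,
    ]
  }
}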
Manage security groups
The following actions apply only to Redpanda agents managing AWS security groups.
# Security-group lifecycle for the cluster. CreateSecurityGroup needs both
# the vpc/ and security-group/ resources; the VPC is pinned to
# local.network_config.vpc_id, but security-group/* matches every security
# group in the account, so the Authorize*/Revoke*/Update*/Modify*/Delete
# actions are not limited to groups the agent created.
# NOTE(review): consider an ec2:ResourceTag/redpanda-id condition on the
# rule-changing and delete actions, as is already done for
# ec2:DeleteLaunchTemplate -- confirm the agent tags its groups first.
statement {
  sid    = "RedpandaAgentSecurityGroups"
  effect = "Allow"
  actions = [
    "ec2:AuthorizeSecurityGroupEgress",
    "ec2:AuthorizeSecurityGroupIngress",
    "ec2:CreateSecurityGroup",
    "ec2:DeleteSecurityGroup",
    "ec2:RevokeSecurityGroupEgress",
    "ec2:RevokeSecurityGroupIngress",
    "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
    "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
    "ec2:ModifySecurityGroupRules",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
    "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
  ]
}
Manage EKS clusters
The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters.
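# Full EKS control, limited to the cluster ARN named after this Redpanda ID.
# The action and region wildcards render as "__" on the page ("eks:__",
# "arn:aws:eks:__:..."); that is not valid IAM syntax, so both are restored
# to "*" here.
# NOTE(review): "eks:*" is evaluated only against the cluster/ ARN listed.
# EKS resource types that carry their own ARNs (nodegroup/, addon/,
# fargateprofile/) would not match this resource -- confirm whether the agent
# calls those APIs, and if so add their ARNs rather than widening to "*".
statement {
  sid    = "RedpandaAgentEKSCluster"
  effect = "Allow"
  actions = [
    "eks:*",
  ]
  resources = [
    "arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
  ]
}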
Manage instance profiles
The following actions apply only to Redpanda agents managing AWS instance profiles.
# Instance-profile lifecycle, scoped by name prefix to this cluster's
# profiles (redpanda-<id>* and redpanda-agent-<id>*). The trailing "*" is a
# prefix match, so any profile whose name begins with those strings is in
# scope.
# Together with iam:PassRole (RedpandaAgentIAMRoleManagement) and
# ec2:RunInstances (RedpandaAgentEC2RunInstances), AddRoleToInstanceProfile
# is the step that places a redpanda-* role on an EC2 instance.
statement {
  sid    = "RedpandaAgentInstanceProfile"
  effect = "Allow"
  actions = [
    "iam:AddRoleToInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile",
    "iam:CreateInstanceProfile",
    "iam:DeleteInstanceProfile",
    "iam:GetInstanceProfile",
    "iam:TagInstanceProfile",
  ]
  resources = [
    "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
    "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
  ]
}
Create EKS OIDC providers
The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers.
# Create and tag the IAM OIDC provider for the EKS cluster; the resource is
# scoped to the EKS issuer host pattern oidc.eks.*.amazonaws.com (any region).
# NOTE(review): iam:GetOpenIDConnectProvider and
# iam:DeleteOpenIDConnectProvider are granted on "*" in the wildcard
# statement rather than here, so creation is scoped while deletion is not;
# moving those two actions into this statement would make the scoping
# consistent.
statement {
  sid    = "RedpandaAgentEKSOIDCProvider"
  effect = "Allow"
  actions = [
    "iam:CreateOpenIDConnectProvider",
    "iam:TagOpenIDConnectProvider",
    "iam:UntagOpenIDConnectProvider",
  ]
  resources = [
    "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
  ]
}
Manage IAM policies
The following actions apply only to Redpanda agents managing AWS IAM policies.
# Managed-policy lifecycle for the fixed set of policy names the agent
# creates for the cluster (EBS CSI driver, cert-manager, external-dns, load
# balancer controller, autoscaler, cloud-storage manager, and secrets-manager
# access for connectors and console) plus the redpanda-agent-<id>* prefix.
# Only the policy *names* are constrained; the agent authors the policy
# document itself, so iam:CreatePolicy here can produce a policy of any
# content under one of these names. Combined with iam:AttachRolePolicy and
# iam:PassRole in RedpandaAgentIAMRoleManagement, that is an escalation path
# to understand when reviewing this role.
# NOTE(review): iam:CreatePolicyVersion / iam:SetDefaultPolicyVersion are not
# granted, so an existing policy cannot be rewritten in place, only deleted
# and recreated.
statement {
  sid    = "RedpandaAgentIAMPolicies"
  effect = "Allow"
  actions = [
    "iam:CreatePolicy",
    "iam:DeletePolicy",
    "iam:GetPolicy",
    "iam:GetPolicyVersion",
    "iam:ListPolicyVersions",
    "iam:TagPolicy"
  ]
  resources = [
    "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
    "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
    "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
  ]
}
Manage IAM roles
The following actions apply only to Redpanda agents managing AWS IAM roles.
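# Role lifecycle for the cluster's IAM roles. The four prefixed entries end
# in "*" (prefix match). The rendered page shows a trailing "_" on those
# lines; a literal underscore would match nothing this module names, so "*"
# is restored to agree with the instance-profile and policy ARNs in the
# sibling statements. NOTE(review): confirm against the upstream module.
# Security notes for reviewers of this role:
#   - iam:AttachRolePolicy has no iam:PolicyARN condition, so any managed
#     policy in the account, including AWS-managed ones such as
#     AdministratorAccess, can be attached to the listed roles.
#   - iam:CreateRole has no iam:PermissionsBoundary condition, so roles are
#     created without a boundary.
#   - iam:PassRole has no iam:PassedToService condition; with
#     ec2:RunInstances (RedpandaAgentEC2RunInstances) the agent can start
#     instances that assume these roles.
# Requiring a permissions boundary at CreateRole and an allow-list of
# PolicyARNs on AttachRolePolicy are the usual mitigations; check the agent's
# provisioning flow against them before applying either.
statement {
  sid    = "RedpandaAgentIAMRoleManagement"
  effect = "Allow"
  actions = [
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:AttachRolePolicy",
    "iam:DetachRolePolicy",
    "iam:GetRole",
    "iam:TagRole",
    "iam:PassRole",
    "iam:ListAttachedRolePolicies",
    "iam:ListInstanceProfilesForRole",
    "iam:ListRolePolicies",
  ]
  resources = [
    "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
    "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}*",
    "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}*",
    "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}*",
    "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}*",
  ]
}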
Manage S3 buckets
The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets.
# Full S3 access (s3:*) to the management bucket and every object in it;
# this includes bucket-policy, ACL, and bucket-deletion actions, not just
# object reads and writes.
# data.aws_s3_bucket.management is declared outside this snippet.
statement {
  sid    = "RedpandaAgentS3ManagementBucket"
  effect = "Allow"
  actions = [
    "s3:*",
  ]
  resources = [
    data.aws_s3_bucket.management.arn,
    "${data.aws_s3_bucket.management.arn}/*",
  ]
}
Manage S3 cloud bucket storage
The following actions apply only to Redpanda agents managing the cluster's S3 cloud storage bucket. Note that `s3:Get*` includes `s3:GetObject`, so the agent can read every object in that bucket, while no `s3:PutObject` or `s3:DeleteObject` is granted here.
# Access to the cluster's cloud storage bucket. s3:List*/s3:Get* cover
# s3:GetObject, so the agent can read every object in the bucket; the
# mutating actions are limited to bucket create/delete and bucket-policy
# put/delete -- no s3:PutObject or s3:DeleteObject is granted here.
# NOTE(review): s3:PutBucketPolicy lets the agent rewrite the data bucket's
# policy, including who else may read it; treat policy changes on this
# bucket as security-relevant when reviewing CloudTrail.
# local.redpanda_cloud_storage_bucket_arn is declared outside this snippet.
statement {
  sid    = "RedpandaAgentS3CloudStorageBucket"
  effect = "Allow"
  actions = [
    "s3:List*",
    "s3:Get*",
    "s3:CreateBucket",
    "s3:DeleteBucket",
    "s3:PutBucketPolicy",
    "s3:DeleteBucketPolicy",
  ]
  resources = [
    local.redpanda_cloud_storage_bucket_arn,
    "${local.redpanda_cloud_storage_bucket_arn}/*",
  ]
}
Manage virtual private cloud (VPC)
The following actions apply only to Redpanda agents managing AWS VPCs.
# VPC networking for the cluster, all granted on "*". The Describe* calls
# are read-only, but the create/delete/attach actions (internet and NAT
# gateways, routes and route tables, subnets, VPC endpoints, network
# interface attach/detach, peering options) are not limited to
# local.network_config.vpc_id, so they apply to every VPC, route table,
# and subnet in the account.
# NOTE(review): many of these EC2 actions accept resource-level ARNs
# (vpc/, route-table/, subnet/, natgateway/, vpc-endpoint/); scoping them to
# the cluster VPC, or adding an ec2:ResourceTag/redpanda-id condition as
# RedpandaAgentVPCPeeringsDelete does, would narrow the blast radius. Verify
# each action's supported resource types before tightening.
statement {
  sid    = "RedpandaAgentVPCManagement"
  effect = "Allow"
  actions = [
    "ec2:DescribeVpcs",
    "ec2:DescribeVpcAttribute",
    "ec2:DescribeSecurityGroups",
    "ec2:CreateInternetGateway",
    "ec2:DeleteInternetGateway",
    "ec2:AttachInternetGateway",
    "ec2:DescribeInternetGateways",
    "ec2:CreateNatGateway",
    "ec2:DeleteNatGateway",
    "ec2:DescribeNatGateways",
    "ec2:CreateRoute",
    "ec2:DeleteRoute",
    "ec2:CreateRouteTable",
    "ec2:DeleteRouteTable",
    "ec2:DescribeRouteTables",
    "ec2:AssociateRouteTable",
    "ec2:CreateSubnet",
    "ec2:DeleteSubnet",
    "ec2:DescribeSubnets",
    "ec2:CreateVpcEndpoint",
    "ec2:ModifyVpcEndpoint",
    "ec2:DeleteVpcEndpoints",
    "ec2:DescribeVpcEndpoints",
    "ec2:DescribeVpcEndpointServices",
    "ec2:DescribeVpcPeeringConnections",
    "ec2:ModifyVpcPeeringConnectionOptions",
    "ec2:DescribeNetworkAcls",
    "ec2:DescribeNetworkInterfaces",
    "ec2:AttachNetworkInterface",
    "ec2:DetachNetworkInterface",
    "ec2:DescribeAvailabilityZones",
  ]
  resources = [
    "*",
  ]
}
Delete network interface
The following actions apply only to Redpanda agents deleting AWS network interfaces.
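# Lets the agent delete network interfaces. The region and ENI-id fields of
# the ARN render as "__" on the page, which is not valid ARN syntax; "*" is
# restored to match network-interface/* in RedpandaAgentEC2RunInstances.
# NOTE(review): unlike DeleteLaunchTemplate and DeleteVpcPeeringConnection,
# this delete has no ec2:ResourceTag/redpanda-id condition, so it applies to
# every ENI in the account -- a candidate for the same tag gate.
statement {
  sid    = "RedpandaAgentNetworkInterfaceDelete"
  effect = "Allow"
  actions = [
    "ec2:DeleteNetworkInterface",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
  ]
}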
Create VPC peering
The following actions apply only to Redpanda agents creating AWS VPC peering.
# Lets the agent request a VPC peering connection, with the resource pinned
# to the cluster VPC (local.network_config.vpc_id) rather than vpc/*.
statement {
  sid    = "RedpandaAgentVPCPeeringsCreate"
  effect = "Allow"
  actions = [
    "ec2:CreateVpcPeeringConnection",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
  ]
}
Delete VPC peering
The following actions apply only to Redpanda agents deleting AWS VPC peering.
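# Delete or modify peering connections tagged with this cluster's
# redpanda-id. The ARN's region and connection-id fields render as "__" on
# the page; "*" (valid ARN wildcard syntax) is restored here.
# NOTE(review): ec2:ModifyVpcPeeringConnectionOptions is also granted on "*"
# with no condition in RedpandaAgentVPCManagement, so the tag condition here
# effectively constrains only ec2:DeleteVpcPeeringConnection. Drop one of the
# two grants so the intended scope is unambiguous.
statement {
  sid    = "RedpandaAgentVPCPeeringsDelete"
  effect = "Allow"
  actions = [
    "ec2:DeleteVpcPeeringConnection",
    "ec2:ModifyVpcPeeringConnectionOptions",
  ]
  resources = [
    "arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*",
  ]
  condition {
    test     = "StringEquals"
    variable = "ec2:ResourceTag/redpanda-id"
    values = [
      var.redpanda_id,
    ]
  }
}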
Manage DynamoDB Terraform backend
The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend.
# Item-level access (get/put/delete) to the DynamoDB tables backing the
# agent's Terraform state, matched by the rp-<account-id> name prefix.
# No table-management, Scan, or Query actions are granted.
statement {
  sid    = "RedpandaAgentTFBackend"
  effect = "Allow"
  actions = [
    "dynamodb:GetItem",
    "dynamodb:PutItem",
    "dynamodb:DeleteItem",
  ]
  resources = [
    "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
  ]
}
Manage Route 53
The following actions apply only to Redpanda agents managing the AWS Route 53 service.
# Route 53 hosted-zone and record management, granted on "*": the zone and
# record mutations (ChangeResourceRecordSets, DeleteHostedZone,
# ChangeTagsForResource) therefore apply to every hosted zone in the
# account, not only the zone created for this cluster.
# NOTE(review): CreateHostedZone and GetChange are commonly left on "*", but
# the zone-scoped actions accept arn:aws:route53:::hostedzone/ID resources;
# if the zone is known at plan time, or via a
# route53:ChangeResourceRecordSetsNormalizedRecordNames condition, this can
# be narrowed. Verify the agent's zone naming before tightening.
statement {
  sid    = "RedpandaAgentRoute53Management"
  effect = "Allow"
  actions = [
    "route53:CreateHostedZone",
    "route53:GetChange",
    "route53:ChangeTagsForResource",
    "route53:GetHostedZone",
    "route53:ListTagsForResource",
    "route53:ListResourceRecordSets",
    "route53:ChangeResourceRecordSets",
    "route53:GetDNSSEC",
    "route53:DeleteHostedZone",
  ]
  resources = [
    "*",
  ]
}
Manage Auto Scaling
The following actions apply only to Redpanda agents managing the AWS Auto Scaling groups named for this cluster (`redpanda-<id>*` and `redpanda-agent-<id>*`).
# Full Auto Scaling control (autoscaling:*) limited by ARN to groups named
# redpanda-<id>* and redpanda-agent-<id>* (prefix match). The
# autoscaling:Describe* calls the agent needs across all groups are granted
# separately in the wildcard statement.
statement {
  sid    = "RedpandaAgentAutoscaling"
  effect = "Allow"
  actions = [
    "autoscaling:*",
  ]
  resources = [
    "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
    "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
  ]
}