Configure IAM Policies: AWS

Redpanda automatically assigns IAM policies to agents at the time they are deployed. The permissions grant that agent access to BYOC clusters in AWS and GCP. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access so that Redpanda brokers can communicate with the BYOC clusters.

See also: BYOC architecture

AWS IAM policies

The following IAM policy statements are assigned to deployed Redpanda agents for BYOC AWS clusters, grouped by the AWS service each statement grants access to:

Actions allowed with wildcard resources

The following actions are granted to Redpanda agents on wildcard (*) resources only.

RedpandaAgentActionsOnlyAllowedWithWildcardResources
statement {
   sid    = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
   effect = "Allow"
   actions = [
     "ec2:CreateTags",
     "ec2:DescribeAccountAttributes",
     "ec2:DescribeImages",
     "ec2:DescribeInstances",
     "ec2:DescribeInstanceTypes",
     "ec2:CreateLaunchTemplate",
     "ec2:CreateLaunchTemplateVersion",
     "ec2:DescribeLaunchTemplateVersions",
     "ec2:DescribeLaunchTemplates",
     "iam:ListPolicies",
     "iam:ListRoles",
     "iam:GetOpenIDConnectProvider",
     "iam:DeleteOpenIDConnectProvider",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeAutoScalingGroups",
     "autoscaling:DescribeTags",
     "autoscaling:DescribeTerminationPolicyTypes",
     "autoscaling:DescribeInstanceRefreshes",
     "autoscaling:DescribeLaunchConfigurations",
     "iam:CreateServiceLinkedRole",
     "ec2:CreatePlacementGroup",
     "ec2:DeletePlacementGroup",
     "ec2:DescribePlacementGroups"
   ]
   resources = [
     "*",
   ]
 }

Run in EC2 instances

The following actions apply only to Redpanda agents running in AWS EC2 instances.

RedpandaAgentEC2RunInstances
statement {
   sid    = "RedpandaAgentEC2RunInstances"
   effect = "Allow"
   actions = [
     "ec2:RunInstances",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:instance/*",
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
     "arn:aws:ec2:*:${local.aws_account_id}:volume/*",
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
     "arn:aws:ec2:*::image/*",
   ]
 }

Delete launch templates

The following actions apply only to Redpanda agents deleting AWS launch templates.

RedpandaAgentLaunchTemplateDeletion
statement {
   sid    = "RedpandaAgentLaunchTemplateDeletion"
   effect = "Allow"
   actions = [
     "ec2:DeleteLaunchTemplate",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }
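To show how a fragment like the one above becomes a complete, attached policy, here is an added Terraform example. It is not Redpanda's own module code: var.redpanda_id and local.aws_account_id follow the page's naming, while the aws_caller_identity lookup, the policy resource and the role name the policy is attached to are assumptions of this example.

```hcl
# Added example, not part of the Redpanda page or its module.
# Assumed: the cluster id is passed in as var.redpanda_id and the
# account id is resolved from the caller's credentials.
variable "redpanda_id" {
  type = string
}

data "aws_caller_identity" "current" {}

locals {
  aws_account_id = data.aws_caller_identity.current.account_id
}

data "aws_iam_policy_document" "redpanda_agent" {
  # Same statement as on the page: deletion is allowed only on launch
  # templates carrying this cluster's redpanda-id tag, so an agent for
  # one cluster cannot delete templates belonging to another.
  statement {
    sid     = "RedpandaAgentLaunchTemplateDeletion"
    effect  = "Allow"
    actions = ["ec2:DeleteLaunchTemplate"]
    resources = [
      "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "ec2:ResourceTag/redpanda-id"
      values   = [var.redpanda_id]
    }
  }
}

# The policy name matches the page's ARN pattern
# policy/redpanda-agent-${var.redpanda_id}*.
resource "aws_iam_policy" "redpanda_agent" {
  name   = "redpanda-agent-${var.redpanda_id}"
  policy = data.aws_iam_policy_document.redpanda_agent.json
}

# Assumed role name (the page's pattern is role/redpanda-agent-${var.redpanda_id}*);
# the role itself must already exist in the account.
resource "aws_iam_role_policy_attachment" "redpanda_agent" {
  role       = "redpanda-agent-${var.redpanda_id}"
  policy_arn = aws_iam_policy.redpanda_agent.arn
}
```

Running terraform plan on this renders the statement to JSON with a Condition block; the tag condition is what turns a resource pattern that otherwise matches every launch template in the account into one scoped to a single cluster.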

Manage security groups

The following actions apply only to Redpanda agents managing AWS security groups.

RedpandaAgentSecurityGroups
statement {
   sid    = "RedpandaAgentSecurityGroups"
   effect = "Allow"
   actions = [
     "ec2:AuthorizeSecurityGroupEgress",
     "ec2:AuthorizeSecurityGroupIngress",
     "ec2:CreateSecurityGroup",
     "ec2:DeleteSecurityGroup",
     "ec2:RevokeSecurityGroupEgress",
     "ec2:RevokeSecurityGroupIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
     "ec2:ModifySecurityGroupRules",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Manage EKS clusters

The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

RedpandaAgentEKSCluster
statement {
   sid    = "RedpandaAgentEKSCluster"
   effect = "Allow"
   actions = [
     "eks:*",
   ]
   resources = [
     "arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
   ]
 }

Manage instance profiles

The following actions apply only to Redpanda agents managing AWS instance profiles.

RedpandaAgentInstanceProfile
statement {
   sid    = "RedpandaAgentInstanceProfile"
   effect = "Allow"
   actions = [
     "iam:AddRoleToInstanceProfile",
     "iam:RemoveRoleFromInstanceProfile",
     "iam:CreateInstanceProfile",
     "iam:DeleteInstanceProfile",
     "iam:GetInstanceProfile",
     "iam:TagInstanceProfile",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
   ]
 }

Create EKS OIDC providers

The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers.

RedpandaAgentEKSOIDCProvider
statement {
   sid    = "RedpandaAgentEKSOIDCProvider"
   effect = "Allow"
   actions = [
     "iam:CreateOpenIDConnectProvider",
     "iam:TagOpenIDConnectProvider",
     "iam:UntagOpenIDConnectProvider",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
   ]
 }

Manage IAM policies

The following actions apply only to Redpanda agents managing AWS IAM policies.

RedpandaAgentIAMPolicies
statement {
   sid    = "RedpandaAgentIAMPolicies"
   effect = "Allow"
   actions = [
     "iam:CreatePolicy",
     "iam:DeletePolicy",
     "iam:GetPolicy",
     "iam:GetPolicyVersion",
     "iam:ListPolicyVersions",
     "iam:TagPolicy"
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
   ]
 }

Manage IAM roles

The following actions apply only to Redpanda agents managing AWS IAM roles.

RedpandaAgentIAMRoleManagement
statement {
   sid    = "RedpandaAgentIAMRoleManagement"
   effect = "Allow"
   actions = [
     "iam:CreateRole",
     "iam:DeleteRole",
     "iam:AttachRolePolicy",
     "iam:DetachRolePolicy",
     "iam:GetRole",
     "iam:TagRole",
     "iam:PassRole",
     "iam:ListAttachedRolePolicies",
     "iam:ListInstanceProfilesForRole",
     "iam:ListRolePolicies",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}*",
   ]
 }

Manage S3 buckets

The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets.

RedpandaAgentS3ManagementBucket
statement {
   sid    = "RedpandaAgentS3ManagementBucket"
   effect = "Allow"
   actions = [
     "s3:*",
   ]
   resources = [
     data.aws_s3_bucket.management.arn,
     "${data.aws_s3_bucket.management.arn}/*",
   ]
 }

Manage S3 cloud bucket storage

The following actions apply only to Redpanda agents managing AWS S3 cloud bucket storage.

RedpandaAgentS3CloudStorageBucket
statement {
   sid    = "RedpandaAgentS3CloudStorageBucket"
   effect = "Allow"
   actions = [
     "s3:List*",
     "s3:Get*",
     "s3:CreateBucket",
     "s3:DeleteBucket",
     "s3:PutBucketPolicy",
     "s3:DeleteBucketPolicy",
   ]
   resources = [
     local.redpanda_cloud_storage_bucket_arn,
     "${local.redpanda_cloud_storage_bucket_arn}/*",
   ]
 }

Manage virtual private cloud (VPC)

The following actions apply only to Redpanda agents managing AWS VPCs.

RedpandaAgentVPCManagement
statement {
   sid    = "RedpandaAgentVPCManagement"
   effect = "Allow"
   actions = [
     "ec2:DescribeVpcs",
     "ec2:DescribeVpcAttribute",
     "ec2:DescribeSecurityGroups",
     "ec2:CreateInternetGateway",
     "ec2:DeleteInternetGateway",
     "ec2:AttachInternetGateway",
     "ec2:DescribeInternetGateways",
     "ec2:CreateNatGateway",
     "ec2:DeleteNatGateway",
     "ec2:DescribeNatGateways",
     "ec2:CreateRoute",
     "ec2:DeleteRoute",
     "ec2:CreateRouteTable",
     "ec2:DeleteRouteTable",
     "ec2:DescribeRouteTables",
     "ec2:AssociateRouteTable",
     "ec2:CreateSubnet",
     "ec2:DeleteSubnet",
     "ec2:DescribeSubnets",
     "ec2:CreateVpcEndpoint",
     "ec2:ModifyVpcEndpoint",
     "ec2:DeleteVpcEndpoints",
     "ec2:DescribeVpcEndpoints",
     "ec2:DescribeVpcEndpointServices",
     "ec2:DescribeVpcPeeringConnections",
     "ec2:ModifyVpcPeeringConnectionOptions",
     "ec2:DescribeNetworkAcls",
     "ec2:DescribeNetworkInterfaces",
     "ec2:AttachNetworkInterface",
     "ec2:DetachNetworkInterface",
     "ec2:DescribeAvailabilityZones",
   ]
   resources = [
     "*",
   ]
 }

Delete network interface

The following actions apply only to Redpanda agents deleting AWS network interfaces.

RedpandaAgentNetworkInterfaceDelete
statement {
   sid    = "RedpandaAgentNetworkInterfaceDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteNetworkInterface",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
   ]
 }

Create VPC peering

The following actions apply only to Redpanda agents creating AWS VPC peering.

RedpandaAgentVPCPeeringsCreate
statement {
   sid    = "RedpandaAgentVPCPeeringsCreate"
   effect = "Allow"
   actions = [
     "ec2:CreateVpcPeeringConnection",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Delete VPC peering

The following actions apply only to Redpanda agents deleting AWS VPC peering.

RedpandaAgentVPCPeeringsDelete
statement {
   sid    = "RedpandaAgentVPCPeeringsDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteVpcPeeringConnection",
     "ec2:ModifyVpcPeeringConnectionOptions",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }

Manage DynamoDB Terraform backend

The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend.

RedpandaAgentTFBackend
statement {
   sid    = "RedpandaAgentTFBackend"
   effect = "Allow"
   actions = [
     "dynamodb:GetItem",
     "dynamodb:PutItem",
     "dynamodb:DeleteItem",
   ]
   resources = [
     "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
   ]
 }

Manage Route 53

The following actions apply only to Redpanda agents managing the AWS Route 53 service.

RedpandaAgentRoute53Management
statement {
   sid    = "RedpandaAgentRoute53Management"
   effect = "Allow"
   actions = [
     "route53:CreateHostedZone",
     "route53:GetChange",
     "route53:ChangeTagsForResource",
     "route53:GetHostedZone",
     "route53:ListTagsForResource",
     "route53:ListResourceRecordSets",
     "route53:ChangeResourceRecordSets",
     "route53:GetDNSSEC",
     "route53:DeleteHostedZone",
   ]
   resources = [
     "*",
   ]
 }

Manage Auto Scaling

The following actions apply only to Redpanda agents managing AWS Auto Scaling.

RedpandaAgentAutoscaling
statement {
   sid    = "RedpandaAgentAutoscaling"
   effect = "Allow"
   actions = [
     "autoscaling:*",
   ]
   resources = [
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
   ]
 }
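The statements above follow a small number of shapes: read-mostly actions on wildcard resources, actions scoped to ARNs in the deploying account, a service wildcard such as autoscaling:* confined to named resources, and deletions gated on the redpanda-id tag. A practitioner reviewing the rendered policy in an account will want a repeatable check for exactly those shapes. The following Python script is an added example, not Redpanda's code: it audits a rendered IAM policy JSON (the form Terraform emits) and flags statements that combine a service wildcard with a wildcard resource, mutating actions on wildcard resources, or ARNs outside the expected account. The embedded policy is constructed by hand to mirror the page's statement shapes, with placeholder sids, account id and cluster id, and includes one deliberately wrong cross-account statement so the audit has something to catch.

```python
"""Least-privilege audit of a rendered IAM policy document.

Added example, not part of the Redpanda page or its Terraform module.
The policy below is constructed for illustration; ids are placeholders.
"""
import json

ACCOUNT_ID = "123456789012"   # constructed placeholder account id
REDPANDA_ID = "abc123"        # constructed placeholder cluster id

# Constructed rendering of four statements in the shapes the page shows.
# The last statement is deliberately wrong (foreign account) for the demo.
RENDERED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "WildcardResources",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:CreateTags"],
            "Resource": "*",
        },
        {
            "Sid": "LaunchTemplateDeletion",
            "Effect": "Allow",
            "Action": "ec2:DeleteLaunchTemplate",
            "Resource": f"arn:aws:ec2:*:{ACCOUNT_ID}:launch-template/*",
            "Condition": {"StringEquals": {"ec2:ResourceTag/redpanda-id": REDPANDA_ID}},
        },
        {
            "Sid": "Autoscaling",
            "Effect": "Allow",
            "Action": "autoscaling:*",
            "Resource": [
                f"arn:aws:autoscaling:*:{ACCOUNT_ID}:autoScalingGroup:*:"
                f"autoScalingGroupName/redpanda-{REDPANDA_ID}*",
            ],
        },
        {
            "Sid": "CrossAccountTable",
            "Effect": "Allow",
            "Action": ["dynamodb:PutItem"],
            "Resource": "arn:aws:dynamodb:*:999999999999:table/rp-*",
        },
    ],
})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def _as_list(value):
    """IAM allows a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def arn_account(arn):
    """Return the account field of an ARN ('' for account-less ARNs such as AMIs)."""
    parts = arn.split(":", 5)
    return parts[4] if len(parts) == 6 else None


def classify_statement(stmt, account_id):
    """Describe the scoping features of one statement."""
    actions = _as_list(stmt.get("Action", []))
    resources = _as_list(stmt.get("Resource", []))
    condition = stmt.get("Condition", {})
    tag_keys = [key for operator in condition.values()
                for key in operator if "ResourceTag/" in key]
    return {
        "sid": stmt.get("Sid", "<no sid>"),
        "wildcard_resource": "*" in resources,
        "service_wildcard_actions": [a for a in actions if a.endswith(":*")],
        "read_only": all(a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES)
                         for a in actions),
        "tag_scoped": bool(tag_keys),
        # Anything that is not '*', not account-less and not ours.
        "foreign_account_resources": [
            r for r in resources
            if r != "*" and arn_account(r) not in ("", account_id)
        ],
    }


def audit(policy_json, account_id):
    """Return (sid, severity, message) findings for the Allow statements."""
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        c = classify_statement(stmt, account_id)
        if c["wildcard_resource"] and c["service_wildcard_actions"]:
            findings.append((c["sid"], "high", "service-wide actions on every resource"))
        elif c["wildcard_resource"] and not c["read_only"]:
            findings.append((c["sid"], "review",
                             "mutating actions on every resource; confirm no resource-level scoping exists"))
        if c["foreign_account_resources"]:
            findings.append((c["sid"], "high", f"resource ARN outside account {account_id} or malformed"))
    return findings


def tag_scoped_sids(policy_json, account_id):
    """Sids whose access is additionally gated on a resource tag condition."""
    return sorted(c["sid"] for c in
                  (classify_statement(s, account_id) for s in json.loads(policy_json)["Statement"])
                  if c["tag_scoped"])


if __name__ == "__main__":
    for sid, severity, message in audit(RENDERED_POLICY, ACCOUNT_ID):
        print(f"[{severity}] {sid}: {message}")
    print("tag-scoped:", tag_scoped_sids(RENDERED_POLICY, ACCOUNT_ID))
```

The "review" severity is deliberate: the page's first statement grants ec2:CreateTags and ec2:CreateLaunchTemplate on "*", which the audit cannot know is intentional, so it asks a human to confirm rather than calling it a defect. To run the check against a real account, replace RENDERED_POLICY with the output of aws iam get-policy-version and ACCOUNT_ID with the deploying account.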