23.2 23.1 22.3 22.2 22.1 21.11

IAM Policies

Redpanda automatically assigns IAM policies to agents at the time they are deployed. The permissions grant that agent access to BYOC clusters in AWS and GCP. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access so that Redpanda brokers can communicate with the BYOC clusters.

AWS IAM policies

IAM policies are assigned to deployed Redpanda agents for BYOC AWS clusters that use the following AWS services:

Actions allowed with wildcard resources

The following actions apply only to Redpanda agents with wildcard resources.

statement {
   sid    = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
   effect = "Allow"
   actions = [
     "ec2:CreateTags",
     "ec2:DescribeAccountAttributes",
     "ec2:DescribeImages",
     "ec2:DescribeInstances",
     "ec2:DescribeInstanceTypes",
     "ec2:CreateLaunchTemplate",
     "ec2:CreateLaunchTemplateVersion",
     "ec2:DescribeLaunchTemplateVersions",
     "ec2:DescribeLaunchTemplates",
     "iam:ListPolicies",
     "iam:ListRoles",
     "iam:GetOpenIDConnectProvider",
     "iam:DeleteOpenIDConnectProvider",
     "autoscaling:DescribeScalingActivities",
     "autoscaling:DescribeAutoScalingGroups",
     "autoscaling:DescribeTags",
     "autoscaling:DescribeTerminationPolicyTypes",
     "autoscaling:DescribeInstanceRefreshes",
     "autoscaling:DescribeLaunchConfigurations",
     "iam:CreateServiceLinkedRole",
   ]
   resources = [
     "*",
   ]
 }

Run in EC2 instances

The following actions apply only to Redpanda agents running in AWS EC2 instances.

statement {
   sid    = "RedpandaAgentEC2RunInstances"
   effect = "Allow"
   actions = [
     "ec2:RunInstances",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:instance/*",
     "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
     "arn:aws:ec2:*:${local.aws_account_id}:volume/*",
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
     "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
     "arn:aws:ec2:*::image/*",
   ]
 }

Delete launch templates

The following actions apply only to Redpanda agents deleting AWS launch templates.

statement {
   sid    = "RedpandaAgentLaunchTemplateDeletion"
   effect = "Allow"
   actions = [
     "ec2:DeleteLaunchTemplate",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:launch-template/__",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }

Manage security groups

The following actions apply only to Redpanda agents managing AWS security groups.

statement {
   sid    = "RedpandaAgentSecurityGroups"
   effect = "Allow"
   actions = [
     "ec2:AuthorizeSecurityGroupEgress",
     "ec2:AuthorizeSecurityGroupIngress",
     "ec2:CreateSecurityGroup",
     "ec2:DeleteSecurityGroup",
     "ec2:RevokeSecurityGroupEgress",
     "ec2:RevokeSecurityGroupIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
     "ec2:UpdateSecurityGroupRuleDescriptionsEgress",
     "ec2:ModifySecurityGroupRules",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Manage EKS clusters

The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters.

statement {
   sid    = "RedpandaAgentEKSCluster"
   effect = "Allow"
   actions = [
     "eks:__",
   ]
   resources = [
     "arn:aws:eks:__:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
   ]
 }

Manage instance profiles

The following actions apply only to Redpanda agents managing AWS instance profiles.

statement {
   sid    = "RedpandaAgentInstanceProfile"
   effect = "Allow"
   actions = [
     "iam:AddRoleToInstanceProfile",
     "iam:RemoveRoleFromInstanceProfile",
     "iam:CreateInstanceProfile",
     "iam:DeleteInstanceProfile",
     "iam:GetInstanceProfile",
     "iam:TagInstanceProfile",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
   ]
 }

Create EKS OIDC providers

The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers.

statement {
   sid    = "RedpandaAgentEKSOIDCProvider"
   effect = "Allow"
   actions = [
     "iam:CreateOpenIDConnectProvider",
     "iam:TagOpenIDConnectProvider",
     "iam:UntagOpenIDConnectProvider",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
   ]
 }

Manage IAM policies

The following actions apply only to Redpanda agents managing AWS IAM policies.

statement {
   sid    = "RedpandaAgentIAMPolicies"
   effect = "Allow"
   actions = [
     "iam:CreatePolicy",
     "iam:DeletePolicy",
     "iam:GetPolicy",
     "iam:GetPolicyVersion",
     "iam:ListPolicyVersions",
     "iam:TagPolicy"
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
   ]
 }

Manage IAM roles

The following actions apply only to Redpanda agents managing AWS IAM roles.

statement {
   sid    = "RedpandaAgentIAMRoleManagement"
   effect = "Allow"
   actions = [
     "iam:CreateRole",
     "iam:DeleteRole",
     "iam:AttachRolePolicy",
     "iam:DetachRolePolicy",
     "iam:GetRole",
     "iam:TagRole",
     "iam:PassRole",
     "iam:ListAttachedRolePolicies",
     "iam:ListInstanceProfilesForRole",
     "iam:ListRolePolicies",
   ]
   resources = [
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}_",
     "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}_",
   ]
 }

Manage S3 buckets

The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets.

statement {
   sid    = "RedpandaAgentS3ManagementBucket"
   effect = "Allow"
   actions = [
     "s3:*",
   ]
   resources = [
     data.aws_s3_bucket.management.arn,
     "${data.aws_s3_bucket.management.arn}/*",
   ]
 }

Manage S3 cloud bucket storage

The following actions apply only to Redpanda agents managing AWS S3 cloud bucket storage.

statement {
  sid    = "RedpandaAgentS3CloudStorageBucket"
  effect = "Allow"
  actions = [
    "s3:List__",
    "s3:Get__",
    "s3:CreateBucket",
    "s3:DeleteBucket",
  ]
  resources = [
    local.redpanda_cloud_storage_bucket_arn,
    "${local.redpanda_cloud_storage_bucket_arn}/*",
  ]
}

Manage virtual private cloud (VPC)

The following actions apply only to Redpanda agents managing AWS VPCs.

statement {
   sid    = "RedpandaAgentVPCManagement"
   effect = "Allow"
   actions = [
     "ec2:DescribeVpcs",
     "ec2:DescribeVpcAttribute",
     "ec2:DescribeSecurityGroups",
     "ec2:CreateInternetGateway",
     "ec2:DeleteInternetGateway",
     "ec2:AttachInternetGateway",
     "ec2:DescribeInternetGateways",
     "ec2:CreateNatGateway",
     "ec2:DeleteNatGateway",
     "ec2:DescribeNatGateways",
     "ec2:CreateRoute",
     "ec2:DeleteRoute",
     "ec2:CreateRouteTable",
     "ec2:DeleteRouteTable",
     "ec2:DescribeRouteTables",
     "ec2:AssociateRouteTable",
     "ec2:CreateSubnet",
     "ec2:DeleteSubnet",
     "ec2:DescribeSubnets",
     "ec2:CreateVpcEndpoint",
     "ec2:ModifyVpcEndpoint",
     "ec2:DeleteVpcEndpoints",
     "ec2:DescribeVpcEndpoints",
     "ec2:DescribeVpcEndpointServices",
     "ec2:DescribeVpcPeeringConnections",
     "ec2:ModifyVpcPeeringConnectionOptions",
     "ec2:DescribeNetworkAcls",
     "ec2:DescribeNetworkInterfaces",
     "ec2:AttachNetworkInterface",
     "ec2:DetachNetworkInterface",
     "ec2:DescribeAvailabilityZones",
   ]
   resources = [
     "*",
   ]
 }

Delete network interface

The following actions apply only to Redpanda agents deleting AWS network interfaces.

statement {
   sid    = "RedpandaAgentNetworkInterfaceDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteNetworkInterface",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:network-interface/__",
   ]
 }

Create VPC peering

The following actions apply only to Redpanda agents creating AWS VPC peering.

statement {
   sid    = "RedpandaAgentVPCPeeringsCreate"
   effect = "Allow"
   actions = [
     "ec2:CreateVpcPeeringConnection",
   ]
   resources = [
     "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
   ]
 }

Delete VPC peering

The following actions apply only to Redpanda agents deleting AWS VPC peering.

statement {
   sid    = "RedpandaAgentVPCPeeringsDelete"
   effect = "Allow"
   actions = [
     "ec2:DeleteVpcPeeringConnection",
     "ec2:ModifyVpcPeeringConnectionOptions",
   ]
   resources = [
     "arn:aws:ec2:__:${local.aws_account_id}:vpc-peering-connection/__",
   ]
   condition {
     test     = "StringEquals"
     variable = "ec2:ResourceTag/redpanda-id"
     values = [
       var.redpanda_id,
     ]
   }
 }

Manage DynamoDB Terraform backend

The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend.

statement {
   sid    = "RedpandaAgentTFBackend"
   effect = "Allow"
   actions = [
     "dynamodb:GetItem",
     "dynamodb:PutItem",
     "dynamodb:DeleteItem",
   ]
   resources = [
     "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
   ]
 }

Manage Route 53

The following actions apply only to Redpanda agents managing the AWS Route 53 service.

statement {
   sid    = "RedpandaAgentRoute53Management"
   effect = "Allow"
   actions = [
     "route53:CreateHostedZone",
     "route53:GetChange",
     "route53:ChangeTagsForResource",
     "route53:GetHostedZone",
     "route53:ListTagsForResource",
     "route53:ListResourceRecordSets",
     "route53:ChangeResourceRecordSets",
     "route53:GetDNSSEC",
     "route53:DeleteHostedZone",
   ]
   resources = [
     "*",
   ]
 }

Manage Auto Scaling

The following actions apply only to Redpanda agents managing the AWS Auto Scaling.

statement {
   sid    = "RedpandaAgentAutoscaling"
   effect = "Allow"
   actions = [
     "autoscaling:*",
   ]
   resources = [
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
     "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
   ]
 }

GCP IAM permissions

The Redpanda agent role for GCP provides the following permissions to manage Redpanda cluster resources:

Permission Description

compute.firewalls.create

Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances.

compute.firewalls.delete

Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration.

compute.firewalls.get

Allows a user to view the details and configuration of a specific firewall rule for GCP projects.

compute.globalOperations.get

Allows a user to retrieve information about a specific global operation in a GCP project.

compute.instanceGroupManagers.get

Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP.

compute.networks.updatePolicy

Allows a user to update the configuration of existing GCP network resources.

compute.projects.get

Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project.

compute.zones.list

Allows a user to retrieve a list of the available zones in a GCP project.

dns.managedZones.create

Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix.

dns.managedZones.get

Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service.

dns.managedZones.list

Allows a user or service account to list the managed zones within a Google Cloud DNS project.

dns.managedZones.update

Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project.

dns.managedZones.delete

Allows a user or service account to delete managed zones within the Google Cloud DNS project.

dns.resourceRecordSets.create

Allows a user to create resource record sets within a DNS zone.

dns.resourceRecordSets.delete

Allows a user to delete resource record sets within a DNS zone.

dns.resourceRecordSets.get

Allows a user or service account to retrieve information about resource record sets within a managed DNS zone.

dns.resourceRecordSets.list

Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone.

dns.resourceRecordSets.update

Allows a user or service account to make changes to the resource records in a DNS zone.

dns.changes.create

Allows a user to create and update DNS resource record sets.

dns.changes.get

Allows a user to retrieve the information about an existing DNS change.

dns.changes.list

Allows a user to retrieve a list of changes to DNS resource record sets.

dns.projects.get

Allows a user to retrieve information about an existing GCP DNS project.

iam.roles.create

Allows a user to create a custom role for a GCP project or an organization.

iam.roles.delete

Allows a user to delete a custom role from a GCP project or an organization.

iam.roles.get

Allows a user to retrieve information about a specific role, including its permissions.

iam.roles.list

Allows a user to list predefined roles, or the custom roles for a project or an organization.

iam.roles.undelete

Allows a user to undelete a custom role from an organization or a project.

iam.roles.update

Allows a user to update an IAM custom role.

iam.serviceAccountKeys.create

Allows a user to create a private key for a service account.

iam.serviceAccountKeys.get

Allows a user or service account to view information about existing service account keys associated with a particular service account.

iam.serviceAccounts.actAs

Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user.

iam.serviceAccounts.create

Allows a user to create a service account for a project.

iam.serviceAccounts.delete

Allows a user to delete a service account for a project.

iam.serviceAccounts.get

Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account.

iam.serviceAccounts.getIamPolicy

Allows a user to retrieve the IAM policy for a service account.

iam.serviceAccounts.setIamPolicy

Allows a user to set the IAM policy for a service account.

resourcemanager.projects.get

Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API.

resourcemanager.projects.getIamPolicy

Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist.

resourcemanager.projects.setIamPolicy

Allows a user or service account to set the IAM access control policy for the specified project.

storage.buckets.get

Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes.

storage.buckets.getIamPolicy

Allows a user to retrieve the IAM policy for a bucket.

storage.buckets.setIamPolicy

Allows a user to set the IAM policy for a bucket.

storage.objects.create

Allows a user to add new objects to a bucket.

storage.objects.delete

Allows a user to delete objects from a bucket.

storage.objects.get

Allows a user to read object data and metadata, excluding ACLs.

storage.objects.getIamPolicy

Allows a user to read object ACLs, returned as IAM policies.

storage.objects.list

Allows a user to list objects in a bucket and read object metadata, excluding ACLs, when listing.

storage.objects.update

Allows a user to update object metadata, excluding ACLs.