Docs Self-Managed Deploy Cloud Security Authorization Cloud IAM Policies IAM Policies Redpanda automatically assigns IAM policies to agents at the time they are deployed. The permissions grant that agent access to BYOC clusters in AWS and GCP. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access so that Redpanda brokers can communicate with the BYOC clusters. AWS IAM policies IAM policies are assigned to deployed Redpanda agents for BYOC AWS clusters that use the following AWS services: Amazon Elastic Compute Cloud (AWS EC2) Amazon Elastic Compute Cloud Auto Scaling (AWS EC2 Auto Scaling) Amazon Simple Storage Service (AWS S3) Amazon Route 53 Amazon DynamoDB Actions allowed with wildcard resources The following actions apply only to Redpanda agents with wildcard resources. RedpandaAgentActionsOnlyAllowedWithWildcardResources statement { sid = "RedpandaAgentActionsOnlyAllowedWithWildcardResources" effect = "Allow" actions = [ "ec2:CreateTags", "ec2:DescribeAccountAttributes", "ec2:DescribeImages", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplates", "iam:ListPolicies", "iam:ListRoles", "iam:GetOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeTags", "autoscaling:DescribeTerminationPolicyTypes", "autoscaling:DescribeInstanceRefreshes", "autoscaling:DescribeLaunchConfigurations", "iam:CreateServiceLinkedRole", "ec2:CreatePlacementGroup", "ec2:DeletePlacementGroup", "ec2:DescribePlacementGroups" ] resources = [ "*", ] } Run in EC2 instances The following actions apply only to Redpanda agents running in AWS EC2 instances. RedpandaAgentEC2RunInstances statement { sid = "RedpandaAgentEC2RunInstances" effect = "Allow" actions = [ "ec2:RunInstances", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:instance/*", "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*", "arn:aws:ec2:*:${local.aws_account_id}:volume/*", "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", "arn:aws:ec2:*:${local.aws_account_id}:subnet/*", "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*", "arn:aws:ec2:*::image/*", ] } Delete launch templates The following actions apply only to Redpanda agents deleting AWS launch templates. RedpandaAgentEC2RunInstances statement { sid = "RedpandaAgentLaunchTemplateDeletion" effect = "Allow" actions = [ "ec2:DeleteLaunchTemplate", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:launch-template/__", ] condition { test = "StringEquals" variable = "ec2:ResourceTag/redpanda-id" values = [ var.redpanda_id, ] } } Manage security groups The following actions apply only to Redpanda agents managing AWS security groups. RedpandaAgentSecurityGroups statement { sid = "RedpandaAgentSecurityGroups" effect = "Allow" actions = [ "ec2:AuthorizeSecurityGroupEgress", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:RevokeSecurityGroupEgress", "ec2:RevokeSecurityGroupIngress", "ec2:UpdateSecurityGroupRuleDescriptionsIngress", "ec2:UpdateSecurityGroupRuleDescriptionsEgress", "ec2:ModifySecurityGroupRules", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", ] } Manage EKS clusters The following actions apply only to Redpanda agents managing Amazon Elastic Kubernetes Service (Amazon EKS) clusters. RedpandaAgentEKSCluster statement { sid = "RedpandaAgentEKSCluster" effect = "Allow" actions = [ "eks:__", ] resources = [ "arn:aws:eks:__:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}", ] } Manage instance profiles The following actions apply only to Redpanda agents managing AWS instance profiles. RedpandaAgentInstanceProfile statement { sid = "RedpandaAgentInstanceProfile" effect = "Allow" actions = [ "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:CreateInstanceProfile", "iam:DeleteInstanceProfile", "iam:GetInstanceProfile", "iam:TagInstanceProfile", ] resources = [ "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*", "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*", ] } Create EKS OIDC providers The following actions apply only to Redpanda agents creating and accessing AWS EKS OIDC providers. RedpandaAgentEKSOIDCProvider statement { sid = "RedpandaAgentEKSOIDCProvider" effect = "Allow" actions = [ "iam:CreateOpenIDConnectProvider", "iam:TagOpenIDConnectProvider", "iam:UntagOpenIDConnectProvider", ] resources = [ "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", ] } Manage IAM policies The following actions apply only to Redpanda agents managing AWS IAM policies. RedpandaAgentIAMPolicies statement { sid = "RedpandaAgentIAMPolicies" effect = "Allow" actions = [ "iam:CreatePolicy", "iam:DeletePolicy", "iam:GetPolicy", "iam:GetPolicyVersion", "iam:ListPolicyVersions", "iam:TagPolicy" ] resources = [ "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}", ] } Manage IAM roles The following actions apply only to Redpanda agents managing AWS IAM roles. RedpandaAgentIAMRoleManagement statement { sid = "RedpandaAgentIAMRoleManagement" effect = "Allow" actions = [ "iam:CreateRole", "iam:DeleteRole", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:GetRole", "iam:TagRole", "iam:PassRole", "iam:ListAttachedRolePolicies", "iam:ListInstanceProfilesForRole", "iam:ListRolePolicies", ] resources = [ "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}", "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}_", "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}_", ] } Manage S3 buckets The following actions apply only to Redpanda agents managing AWS Simple Storage Service (S3) buckets. RedpandaAgentS3ManagementBucket statement { sid = "RedpandaAgentS3ManagementBucket" effect = "Allow" actions = [ "s3:*", ] resources = [ data.aws_s3_bucket.management.arn, "${data.aws_s3_bucket.management.arn}/*", ] } Manage S3 cloud bucket storage The following actions apply only to Redpanda agents managing AWS S3 cloud bucket storage. RedpandaAgentS3ManagementBucket statement { sid = "RedpandaAgentS3CloudStorageBucket" effect = "Allow" actions = [ "s3:List__", "s3:Get__", "s3:CreateBucket", "s3:DeleteBucket", ] resources = [ local.redpanda_cloud_storage_bucket_arn, "${local.redpanda_cloud_storage_bucket_arn}/*", ] } Manage virtual private cloud (VPC) The following actions apply only to Redpanda agents managing AWS VPCs. RedpandaAgentVPCManagement statement { sid = "RedpandaAgentVPCManagement" effect = "Allow" actions = [ "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:CreateInternetGateway", "ec2:DeleteInternetGateway", "ec2:AttachInternetGateway", "ec2:DescribeInternetGateways", "ec2:CreateNatGateway", "ec2:DeleteNatGateway", "ec2:DescribeNatGateways", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:CreateRouteTable", "ec2:DeleteRouteTable", "ec2:DescribeRouteTables", "ec2:AssociateRouteTable", "ec2:CreateSubnet", "ec2:DeleteSubnet", "ec2:DescribeSubnets", "ec2:CreateVpcEndpoint", "ec2:ModifyVpcEndpoint", "ec2:DeleteVpcEndpoints", "ec2:DescribeVpcEndpoints", "ec2:DescribeVpcEndpointServices", "ec2:DescribeVpcPeeringConnections", "ec2:ModifyVpcPeeringConnectionOptions", "ec2:DescribeNetworkAcls", "ec2:DescribeNetworkInterfaces", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:DescribeAvailabilityZones", ] resources = [ "*", ] } Delete network interface The following actions apply only to Redpanda agents deleting AWS network interfaces. RedpandaAgentNetworkInterfaceDelete statement { sid = "RedpandaAgentNetworkInterfaceDelete" effect = "Allow" actions = [ "ec2:DeleteNetworkInterface", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:network-interface/__", ] } Create VPC peering The following actions apply only to Redpanda agents creating AWS VPC peering. RedpandaAgentVPCPeeringsCreate statement { sid = "RedpandaAgentVPCPeeringsCreate" effect = "Allow" actions = [ "ec2:CreateVpcPeeringConnection", ] resources = [ "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", ] } Delete VPC peering The following actions apply only to Redpanda agents deleting AWS VPC peering. RedpandaAgentVPCPeeringsDelete statement { sid = "RedpandaAgentVPCPeeringsDelete" effect = "Allow" actions = [ "ec2:DeleteVpcPeeringConnection", "ec2:ModifyVpcPeeringConnectionOptions", ] resources = [ "arn:aws:ec2:__:${local.aws_account_id}:vpc-peering-connection/__", ] condition { test = "StringEquals" variable = "ec2:ResourceTag/redpanda-id" values = [ var.redpanda_id, ] } } Manage DynamoDB Terraform backend The following actions apply only to Redpanda agents managing the AWS DynamoDB Terraform backend. RedpandaAgentTFBackend statement { sid = "RedpandaAgentTFBackend" effect = "Allow" actions = [ "dynamodb:GetItem", "dynamodb:PutItem", "dynamodb:DeleteItem", ] resources = [ "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*", ] } Manage Route 53 The following actions apply only to Redpanda agents managing the AWS Route 53 service. RedpandaAgentRoute53Management statement { sid = "RedpandaAgentRoute53Management" effect = "Allow" actions = [ "route53:CreateHostedZone", "route53:GetChange", "route53:ChangeTagsForResource", "route53:GetHostedZone", "route53:ListTagsForResource", "route53:ListResourceRecordSets", "route53:ChangeResourceRecordSets", "route53:GetDNSSEC", "route53:DeleteHostedZone", ] resources = [ "*", ] } Manage Auto Scaling The following actions apply only to Redpanda agents managing the AWS Auto Scaling. RedpandaAgentAutoscaling statement { sid = "RedpandaAgentAutoscaling" effect = "Allow" actions = [ "autoscaling:*", ] resources = [ "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*", "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*" ] } GCP IAM permissions The Redpanda agent service account for GCP is granted the following roles/permissions to manage Redpanda cluster resources: Role/Permission Description compute.addresses.get Allows a user to retrieve a specified address. compute.autoscalers.get Allows a user to retrieve a specified autoscaler. compute.autoscalers.list Allows a user to list autoscalers in a specified zone. compute.firewalls.create Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances. compute.firewalls.delete Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration. compute.firewalls.get Allows a user to view the details and configuration of a specific firewall rule for GCP projects. compute.firewalls.update Allows a user to modify a specified firewall. compute.globalOperations.get Allows a user to retrieve information about a specific global operation in a GCP project. compute.instanceGroupManagers.create Allows a user to create a managed instance group. compute.instanceGroupManagers.delete Allows a user to delete a specified managed instance group. compute.instanceGroupManagers.get Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP. compute.instanceGroupManagers.update Allows a user to modify a specified managed instance group. compute.instanceGroups.create Allows a user to create an instance group. compute.instanceGroups.delete Allows a user to delete a specified instance group. compute.instanceGroups.get Allows a user to retrieve a specified instance group. compute.instanceGroups.update Allows a user to modify a specified instance group. compute.instances.create Allows a user to create an instance. compute.instances.delete Allows a user to delete a specified instance. compute.instances.get Allows a user to retrieve a specified instance. compute.instances.list Allows a user to list instances contained within a specified zone. compute.instances.reset Allows a user to perform a reset on the specified instance. compute.instances.setDeletionProtection Allows a user to enable deletion protection on a specified instance. compute.instances.update Allows a user to modify a specified instance. compute.instanceTemplates.create Allows a user to create an instance template. compute.instanceTemplates.delete Allows a user to delete a specified instance template. compute.instanceTemplates.get Allows a user to retrieve a specified instance template. compute.networks.create Allows a user to create a network. compute.networks.delete Allows a user to delete a specified network. compute.networks.get Allows a user to retrieve a specified network. compute.networks.getEffectiveFirewalls Allows a user to retrieve the effective firewalls for a specified network. compute.networks.update Allows a user to modify a specified network. compute.networks.updatePolicy Allows a user to update the configuration of existing GCP network resources. compute.projects.get Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project. compute.regions.get Allows a user to retrieve a specified region. compute.regions.list Allows a user to retrieve a list of the available regions in a GCP project. compute.routers.get Allows a user to retrieve a specified router. compute.subnetworks.get Allows a user to retrieve a specified subnetwork. compute.zoneOperations.get Allows a user to retrieve a specified zone operation. compute.zones.get Allows a user to retrieve a specified zone. compute.zones.list Allows a user to retrieve a list of the available zones in a GCP project. dns.changes.create Allows a user to create and update DNS resource record sets. dns.changes.get Allows a user to retrieve the information about an existing DNS change. dns.changes.list Allows a user to retrieve a list of changes to DNS resource record sets. dns.managedZones.create Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix. dns.managedZones.delete Allows a user or service account to delete managed zones within the Google Cloud DNS project. dns.managedZones.get Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service. dns.managedZones.list Allows a user or service account to list the managed zones within a Google Cloud DNS project. dns.managedZones.update Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project. dns.projects.get Allows a user to retrieve information about an existing GCP DNS project. dns.resourceRecordSets.create Allows a user to create resource record sets within a DNS zone. dns.resourceRecordSets.delete Allows a user to delete resource record sets within a DNS zone. dns.resourceRecordSets.get Allows a user or service account to retrieve information about resource record sets within a managed DNS zone. dns.resourceRecordSets.list Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone. dns.resourceRecordSets.update Allows a user or service account to make changes to the resource records in a DNS zone. iam.roles.create Allows a user to create a custom role for a GCP project or an organization. iam.roles.delete Allows a user to delete a custom role from a GCP project or an organization. iam.roles.get Allows a user to retrieve information about a specific role, including its permissions. iam.roles.list Allows a user to list predefined roles, or the custom roles for a project or an organization. iam.roles.undelete Allows a user to undelete a custom role from an organization or a project. iam.roles.update Allows a user to update an IAM custom role. iam.serviceAccounts.actAs Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user. iam.serviceAccounts.create Allows a user to create a service account for a project. iam.serviceAccounts.delete Allows a user to delete a service account for a project. iam.serviceAccounts.get Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account. iam.serviceAccounts.getIamPolicy Allows a user to retrieve the IAM policy for a service account. iam.serviceAccounts.setIamPolicy Allows a user to set the IAM policy for a service account. iam.serviceAccounts.update Allows a user to modify the service account for a project. logging.logEntries.create Allows user to write log entries. resourcemanager.projects.get Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API. resourcemanager.projects.getIamPolicy Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist. resourcemanager.projects.setIamPolicy Allows a user or service account to set the IAM access control policy for the specified project. storage.buckets.get Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket’s name, location, storage class, access control settings, and other attributes. storage.buckets.getIamPolicy Allows a user to retrieve the IAM policy for a bucket. storage.buckets.setIamPolicy Allows a user to set the IAM policy for a bucket. Storage Object Admin Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket. Kubernetes Engine Admin Full management of Kubernetes clusters and their Kubernetes API objects. Back to top × Simple online edits For simple changes, such as fixing a typo, you can edit the content directly on GitHub. Edit on GitHub Or, open an issue to let us know about something that you want us to change. Open an issue Contribution guide For extensive content updates, or if you prefer to work locally, read our contribution guide . Was this helpful? thumb_up thumb_down group Ask in the community mail Share your feedback group_add Make a contribution Cloud Authorization Encryption