AWS IAM Policies
When you run `rpk cloud byoc aws apply` to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the AWS API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users.
AWS IAM policies
The following IAM policy statements are assigned to the Redpanda agent deployed for a BYOC AWS cluster. They are grouped by the AWS service and operation they cover:
Actions allowed with wildcard resources
The following actions are granted on wildcard resources (`*`) because AWS allows them only with wildcard resources; they are therefore not scoped to a specific cluster.
# Actions that, per the sid, are only allowed with a wildcard resource, so no
# resource-level scoping is applied. Every action here is unconditional and
# therefore account-wide; this is the broadest statement in the document.
statement {
sid = "RedpandaAgentActionsOnlyAllowedWithWildcardResources"
effect = "Allow"
actions = [
# NOTE(review): ec2:CreateTags on "*" with no condition lets the agent tag any
# EC2 resource in the account. Other statements in this document gate deletion
# on ec2:ResourceTag/redpanda-id, so an unconditioned CreateTags weakens that
# scoping. Consider an ec2:CreateAction or aws:RequestTag condition if the
# agent's tagging flow permits it — confirm against how the agent tags resources.
"ec2:CreateTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:CreateLaunchTemplate",
"ec2:CreateLaunchTemplateVersion",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeLaunchTemplates",
"iam:ListPolicies",
"iam:ListRoles",
"iam:GetOpenIDConnectProvider",
# NOTE(review): deletion of OIDC providers is not limited to the oidc.eks.*
# provider pattern that the EKSOIDCProvider statement uses for create/tag —
# confirm whether the narrower ARN pattern could be applied here as well.
"iam:DeleteOpenIDConnectProvider",
"autoscaling:DescribeScalingActivities",
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeTags",
"autoscaling:DescribeTerminationPolicyTypes",
"autoscaling:DescribeInstanceRefreshes",
"autoscaling:DescribeLaunchConfigurations",
# Unconditioned on "*"; an iam:AWSServiceName condition could narrow this to
# the services the agent actually needs, if those are known.
"iam:CreateServiceLinkedRole",
"ec2:CreatePlacementGroup",
"ec2:DeletePlacementGroup",
"ec2:DescribePlacementGroups",
"eks:DescribeNodegroup",
# Node-group deletion on "*" applies to node groups of any EKS cluster in the
# account, not only the redpanda-${var.redpanda_id} cluster named elsewhere.
"eks:DeleteNodegroup"
]
resources = [
"*",
]
}
Run EC2 instances
The following action allows the Redpanda agent to launch EC2 instances, using only the listed resource types in the account.
# Launching instances. RunInstances is authorized against every resource it
# touches, so each resource type is listed explicitly and scoped to this
# account; the image ARN has an empty account field, as AMI ARNs do.
statement {
sid = "RedpandaAgentEC2RunInstances"
effect = "Allow"
actions = [
"ec2:RunInstances",
]
resources = [
"arn:aws:ec2:*:${local.aws_account_id}:instance/*",
"arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
"arn:aws:ec2:*:${local.aws_account_id}:volume/*",
"arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
"arn:aws:ec2:*:${local.aws_account_id}:subnet/*",
"arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
# No account id: image ARNs are not account-qualified.
"arn:aws:ec2:*::image/*",
]
}
Delete launch templates
The following action allows the Redpanda agent to delete AWS launch templates, restricted to templates tagged with the cluster's `redpanda-id`.
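# Deleting launch templates. Region and template id are wildcarded; the
# scoping is done by the tag condition below rather than by the ARN.
statement {
sid = "RedpandaAgentLaunchTemplateDeletion"
effect = "Allow"
actions = [
"ec2:DeleteLaunchTemplate",
]
resources = [
"arn:aws:ec2:*:${local.aws_account_id}:launch-template/*",
]
# Only templates carrying redpanda-id = var.redpanda_id may be deleted.
condition {
test = "StringEquals"
variable = "ec2:ResourceTag/redpanda-id"
values = [
var.redpanda_id,
]
}
}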
Manage security groups
The following actions allow the Redpanda agent to manage security groups and security group rules in the cluster VPC.
# Security group lifecycle and rule management. The cluster VPC ARN is listed
# next to the security-group pattern so that group creation, which is
# authorized against the VPC, is covered as well.
statement {
sid = "RedpandaAgentSecurityGroups"
effect = "Allow"
actions = [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress",
"ec2:ModifySecurityGroupRules",
]
resources = [
# Any security group in the account; only the VPC below is pinned to the
# cluster network.
"arn:aws:ec2:*:${local.aws_account_id}:security-group/*",
"arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
]
}
Manage EKS clusters
The following actions allow the Redpanda agent to manage the Amazon Elastic Kubernetes Service (Amazon EKS) cluster that belongs to the Redpanda cluster.
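# All EKS actions, but only on the single cluster named for this Redpanda id.
# Node-group actions use a different ARN type and appear to be covered by the
# wildcard-resource statement instead.
statement {
sid = "RedpandaAgentEKSCluster"
effect = "Allow"
actions = [
"eks:*",
]
resources = [
"arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}",
]
}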
Manage instance profiles
The following actions allow the Redpanda agent to manage the AWS instance profiles named for the Redpanda cluster.
# Instance profile lifecycle, limited by name prefix to profiles created for
# this Redpanda id (cluster and agent profiles).
statement {
sid = "RedpandaAgentInstanceProfile"
effect = "Allow"
actions = [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:TagInstanceProfile",
]
resources = [
# Trailing "*" makes these prefix matches, not exact names.
"arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*",
"arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*",
]
}
Create EKS OIDC providers
The following statements allow the Redpanda agent to create and tag the IAM OIDC providers used by EKS, and to update the CA certificate thumbprint of providers tagged with the cluster's `redpanda-id`.
# Creating and tagging the IAM OIDC provider for the EKS cluster. No tag
# condition here, unlike the thumbprint-update statement that follows.
# NOTE(review): the ARN pattern below has no "/id/*" suffix, while the
# thumbprint-update statement lists both forms — confirm this pattern matches
# the provider ARN EKS actually produces.
statement {
sid = "RedpandaAgentEKSOIDCProvider"
effect = "Allow"
actions = [
"iam:CreateOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:UntagOpenIDConnectProvider",
]
resources = [
"arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
]
}
# Thumbprint rotation on EKS OIDC providers, gated by the redpanda-id tag so
# only providers belonging to this cluster can be updated.
statement {
sid = "RedpandaAgentEKSOIDCProviderCACertThumbprintUpdate"
effect = "Allow"
actions = [
"iam:UpdateOpenIDConnectProviderThumbprint",
]
resources = [
"arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com",
"arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com/id/*",
]
# IAM resources use the aws: tag key prefix (EC2 statements use ec2:ResourceTag).
condition {
test = "StringEquals"
variable = "aws:ResourceTag/redpanda-id"
values = [
var.redpanda_id,
]
}
}
Manage IAM policies
The following actions allow the Redpanda agent to manage the AWS IAM policies named for the Redpanda cluster.
# Managed-policy lifecycle for the cluster's add-on and agent policies. The
# resource list pins exact policy names for this Redpanda id, with a single
# prefix match for the agent policy. iam:CreatePolicyVersion and
# iam:SetDefaultPolicyVersion are not in this list.
statement {
sid = "RedpandaAgentIAMPolicies"
effect = "Allow"
actions = [
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListPolicyVersions",
"iam:TagPolicy"
]
resources = [
"arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}",
# Prefix match (trailing "*"), unlike the exact names around it.
"arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*",
"arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler",
"arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}",
]
}
Manage IAM roles
The following actions allow the Redpanda agent to manage, and pass to AWS services, the IAM roles named for the Redpanda cluster.
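# Role lifecycle for the cluster's roles. iam:PassRole is included, so the
# agent may hand these roles to services it configures; the resource patterns
# keep that to roles named for this Redpanda id. Trailing "*" entries are
# prefix matches; the cloud-storage-manager role is matched exactly.
statement {
sid = "RedpandaAgentIAMRoleManagement"
effect = "Allow"
actions = [
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:DetachRolePolicy",
"iam:GetRole",
"iam:TagRole",
"iam:PassRole",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
]
resources = [
"arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}",
"arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}*",
"arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}*",
"arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}*",
"arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}*",
]
}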
Manage S3 buckets
The following actions allow the Redpanda agent full access to the AWS Simple Storage Service (S3) management bucket and its objects.
# Full S3 control (s3:*) over the management bucket and everything in it,
# including bucket-level settings; the bucket ARN comes from a data source.
statement {
sid = "RedpandaAgentS3ManagementBucket"
effect = "Allow"
actions = [
"s3:*",
]
resources = [
# Bucket-level and object-level ARNs are both needed: bucket actions match
# the first, object actions match the second.
data.aws_s3_bucket.management.arn,
"${data.aws_s3_bucket.management.arn}/*",
]
}
Manage S3 cloud bucket storage
The following actions allow the Redpanda agent to manage the S3 bucket used for the Redpanda cluster's cloud storage, and to list and read its contents.
# Cloud-storage bucket: lifecycle and bucket policy, plus read/list access.
# No object write or delete actions are granted in this statement.
statement {
sid = "RedpandaAgentS3CloudStorageBucket"
effect = "Allow"
actions = [
"s3:List*",
"s3:Get*",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketPolicy",
"s3:DeleteBucketPolicy",
]
resources = [
local.redpanda_cloud_storage_bucket_arn,
"${local.redpanda_cloud_storage_bucket_arn}/*",
]
}
Manage virtual private cloud (VPC)
The following actions allow the Redpanda agent to manage AWS VPC networking resources (gateways, routes, subnets, endpoints, and network interfaces). They are granted on wildcard resources.
# VPC networking on "*". The Describe* actions need a wildcard, but the
# Create*/Delete*/Attach*/Modify* actions here are also unconditioned and so
# apply to every VPC in the account, not only ${local.network_config.vpc_id}.
# NOTE(review): consider moving the mutating actions into a VPC- or tag-scoped
# statement, as done for security groups and peering — confirm which of them
# support resource-level ARNs.
statement {
sid = "RedpandaAgentVPCManagement"
effect = "Allow"
actions = [
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeSecurityGroups",
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DescribeInternetGateways",
"ec2:CreateNatGateway",
"ec2:DeleteNatGateway",
"ec2:DescribeNatGateways",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:DescribeRouteTables",
"ec2:AssociateRouteTable",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:DescribeSubnets",
"ec2:CreateVpcEndpoint",
"ec2:ModifyVpcEndpoint",
"ec2:DeleteVpcEndpoints",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcPeeringConnections",
# Also granted, with a redpanda-id tag condition, in the VPCPeeringsDelete
# statement; the unconditioned grant here takes precedence in practice.
"ec2:ModifyVpcPeeringConnectionOptions",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:AttachNetworkInterface",
"ec2:DetachNetworkInterface",
"ec2:DescribeAvailabilityZones",
]
resources = [
"*",
]
}
Delete network interface
The following action allows the Redpanda agent to delete AWS network interfaces in the account.
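# Deleting network interfaces anywhere in the account (region and id are
# wildcarded) with no tag condition.
# NOTE(review): the launch-template and peering deletion statements gate on
# ec2:ResourceTag/redpanda-id; confirm whether the same condition can be
# applied here, or whether ENIs the agent must delete are not tagged.
statement {
sid = "RedpandaAgentNetworkInterfaceDelete"
effect = "Allow"
actions = [
"ec2:DeleteNetworkInterface",
]
resources = [
"arn:aws:ec2:*:${local.aws_account_id}:network-interface/*",
]
}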
Create VPC peering
The following action allows the Redpanda agent to create AWS VPC peering connections from the cluster VPC.
# Peering creation, authorized only against the cluster's own VPC.
statement {
sid = "RedpandaAgentVPCPeeringsCreate"
effect = "Allow"
actions = [
"ec2:CreateVpcPeeringConnection",
]
resources = [
"arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}",
]
}
Delete VPC peering
The following actions allow the Redpanda agent to delete and modify AWS VPC peering connections tagged with the cluster's `redpanda-id`.
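# Peering deletion and option changes, scoped by the redpanda-id tag rather
# than by ARN (region and connection id are wildcarded).
# NOTE(review): ec2:ModifyVpcPeeringConnectionOptions is also granted on "*"
# without a condition in the VPCManagement statement, so the condition below
# effectively constrains only DeleteVpcPeeringConnection — confirm whether the
# unconditioned grant is still required.
statement {
sid = "RedpandaAgentVPCPeeringsDelete"
effect = "Allow"
actions = [
"ec2:DeleteVpcPeeringConnection",
"ec2:ModifyVpcPeeringConnectionOptions",
]
resources = [
"arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*",
]
condition {
test = "StringEquals"
variable = "ec2:ResourceTag/redpanda-id"
values = [
var.redpanda_id,
]
}
}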
Manage DynamoDB Terraform backend
The following actions allow the Redpanda agent to read and write items in the AWS DynamoDB tables used as the Terraform backend.
# Item-level access to the Terraform backend tables. Table names are prefix
# matched on "rp-<account id>", so every table with that prefix is covered;
# no table-management actions are granted.
statement {
sid = "RedpandaAgentTFBackend"
effect = "Allow"
actions = [
"dynamodb:GetItem",
"dynamodb:PutItem",
"dynamodb:DeleteItem",
]
resources = [
"arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*",
]
}
Manage Route 53
The following actions allow the Redpanda agent to manage AWS Route 53 hosted zones and records. They are granted on wildcard resources.
# Hosted zone and record management on "*": ChangeResourceRecordSets and
# DeleteHostedZone therefore apply to every hosted zone in the account.
# NOTE(review): CreateHostedZone needs a wildcard, but the record and delete
# actions could be scoped to the cluster's hosted zone ARN once its id is
# known — confirm whether the zone id is available to this policy.
statement {
sid = "RedpandaAgentRoute53Management"
effect = "Allow"
actions = [
"route53:CreateHostedZone",
"route53:GetChange",
"route53:ChangeTagsForResource",
"route53:GetHostedZone",
"route53:ListTagsForResource",
"route53:ListResourceRecordSets",
"route53:ChangeResourceRecordSets",
"route53:GetDNSSEC",
"route53:DeleteHostedZone",
]
resources = [
"*",
]
}
Manage Auto Scaling
The following actions allow the Redpanda agent to manage the AWS Auto Scaling groups named for the Redpanda cluster.
# All Auto Scaling actions, limited by ARN to groups whose names start with
# the cluster or agent prefix for this Redpanda id (trailing "*" = prefix).
# Account-wide autoscaling:Describe* calls are in the wildcard statement.
statement {
sid = "RedpandaAgentAutoscaling"
effect = "Allow"
actions = [
"autoscaling:*",
]
resources = [
"arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*",
"arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*"
]
}