feat: update permissions for bootstrap and boundary policy (#52)

* feat: update permissions for bootstrap role boundry * chore: remove duplicated statement
streamnative · Dec 11, 2023 · 711f06a · 711f06a
1 parent e5bf7e6
commit 711f06a
Show file tree

Hide file tree

Showing 2 changed files with 8 additions and 31 deletions.
diff --git a/modules/aws/files/bootstrap_role_iam_policy.json.tpl b/modules/aws/files/bootstrap_role_iam_policy.json.tpl
@@ -89,7 +89,8 @@
       "Sid": "ResR53Z",
       "Effect": "Allow",
       "Action": [
-        "route53:ChangeResourceRecordSets"
+        "route53:ChangeResourceRecordSets",
+        "route53:DeleteHostedZone"
       ],
       "Resource": ${r53_zone_arns}
     },
@@ -318,7 +319,8 @@
         "iam:TagInstanceProfile",
         "iam:TagOpenIDConnectProvider",
         "iam:DeletePolicy",
-        "iam:DeletePolicyVersion"
+        "iam:DeletePolicyVersion",
+        "iam:PutRolePolicy"
       ],
       "Resource": [
         "arn:${partition}:iam::${account_id}:role/StreamNative/*",

diff --git a/modules/aws/files/permission_boundary_iam_policy.json.tpl b/modules/aws/files/permission_boundary_iam_policy.json.tpl
@@ -13,21 +13,8 @@
           "ecr:*",
           "eks:*",
           "elasticloadbalancing:*",
-          "iam:GetInstanceProfile",
-          "iam:GetOpenIDConnectProvider",
-          "iam:GetPolicy",
-          "iam:GetPolicyVersion",
-          "iam:GetRole",
-          "iam:GetServerCertificate",
-          "iam:ListAttachedRolePolicies",
-          "iam:ListEntitiesForPolicy",
-          "iam:ListInstanceProfile*",
-          "iam:ListOpenIDConnectProvider*",
-          "iam:ListPolicies",
-          "iam:ListPolicyTags",
-          "iam:ListPolicyVersions",
-          "iam:ListRole*",
-          "iam:ListServerCertificates",
+          "iam:Get*",
+          "iam:List*",
           "kms:*",
           "logs:*",
           "route53:*",
@@ -55,6 +42,7 @@
         "iam:DeleteRole",
         "iam:DeleteServiceLinkedRole",
         "iam:DetachRolePolicy",
+        "iam:PutRolePolicy",
         "iam:PutRolePermissionsBoundary",
         "iam:RemoveRoleFromInstanceProfile",
         "iam:SetDefaultPolicyVersion",
@@ -78,19 +66,6 @@
         "arn:${partition}:iam::${account_id}:server-certificate/*"
       ]
     },
-    {
-      "Sid": "RestrictPassRoleToEKS",
-      "Effect": "Allow",
-      "Action": [
-        "iam:PassRole"
-      ],
-      "Resource": "arn:${partition}:iam::${account_id}:role/${cluster_pattern}",
-      "Condition": {
-        "StringEquals": {
-          "iam:PassedToService": "eks.amazonaws.com"
-        }
-      }
-    },
     {
       "Sid": "AllowedIAMManagedPolicies",
       "Effect": "Allow",
@@ -118,7 +93,7 @@
       }
     },
     {
-      "Sid": "ResPsRlEKS",
+      "Sid": "RestrictPassRoleToEKS",
       "Effect": "Allow",
       "Action": [
         "iam:PassRole"