{
"Path": "/",
"RoleName": "alb-controller-inlchu3g6soa2x4gap9mzok4na",
"RoleId": "AROA6CVWHFY6JETXHJ734",
"Arn": "arn:aws:iam::967823535676:role/alb-controller-inlchu3g6soa2x4gap9mzok4na",
"CreateDate": "2025-05-21T00:28:08+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::967823535676:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:aud": "sts.amazonaws.com",
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:sub": "system:serviceaccount:alb-ingress-controller:alb-ingress-controller"
}
}
}
]
},
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:DescribeTrustStores",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListenerAttributes",
"elasticloadbalancing:DescribeCapacityReservation",
"ec2:GetSecurityGroupsForVpc",
"ec2:GetCoipPoolUsage",
"ec2:DescribeVpcs",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeTags",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeIpamPools",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeCoipPools",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAddresses",
"ec2:DescribeAccountAttributes"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"wafv2:GetWebACLForResource",
"wafv2:GetWebACL",
"wafv2:DisassociateWebACL",
"wafv2:AssociateWebACL",
"waf-regional:GetWebACLForResource",
"waf-regional:GetWebACL",
"waf-regional:DisassociateWebACL",
"waf-regional:AssociateWebACL",
"shield:GetSubscriptionState",
"shield:DescribeProtection",
"shield:DeleteProtection",
"shield:CreateProtection",
"iam:ListServerCertificates",
"iam:GetServerCertificate",
"cognito-idp:DescribeUserPoolClient",
"acm:ListCertificates",
"acm:DescribeCertificate"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
},
"StringEquals": {
"ec2:CreateAction": "CreateSecurityGroup"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*"
},
{
"Action": [
"ec2:DeleteTags",
"ec2:CreateTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:security-group/*"
},
{
"Action": [
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:AuthorizeSecurityGroupIngress"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:AddTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:AddTags"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "true",
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
},
{
"Action": [
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:AddTags"
],
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:listener/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener/app/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/net/*/*/*",
"arn:aws:elasticloadbalancing:*:*:listener-rule/app/*/*/*"
]
},
{
"Action": [
"elasticloadbalancing:SetSubnets",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyListenerAttributes",
"elasticloadbalancing:ModifyIpPools",
"elasticloadbalancing:ModifyCapacityReservation",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeleteLoadBalancer"
],
"Condition": {
"Null": {
"aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "elasticloadbalancing:AddTags",
"Condition": {
"Null": {
"aws:RequestTag/elbv2.k8s.aws/cluster": "false"
},
"StringEquals": {
"elasticloadbalancing:CreateAction": [
"CreateTargetGroup",
"CreateLoadBalancer"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
"arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
]
},
{
"Action": [
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets"
],
"Effect": "Allow",
"Resource": "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*"
},
{
"Action": [
"elasticloadbalancing:SetWebAcl",
"elasticloadbalancing:SetRulePriorities",
"elasticloadbalancing:RemoveListenerCertificates",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:AddListenerCertificates"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/AmazonEKS_AWS_Load_Balancer_Controller-20250521002808300500000001"
}
]
}
{
"Path": "/",
"RoleName": "ebs-csi-inlchu3g6soa2x4gap9mzok4na",
"RoleId": "AROA6CVWHFY6HF3KAYOE6",
"Arn": "arn:aws:iam::967823535676:role/ebs-csi-inlchu3g6soa2x4gap9mzok4na",
"CreateDate": "2025-05-20T23:20:08+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::967823535676:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:aud": "sts.amazonaws.com",
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:sub": "system:serviceaccount:ebs-csi-controller:ebs-csi-controller-sa"
}
}
}
]
},
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": [
"ec2:ModifyVolume",
"ec2:EnableFastSnapshotRestores",
"ec2:DetachVolume",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumes",
"ec2:DescribeTags",
"ec2:DescribeSnapshots",
"ec2:DescribeInstances",
"ec2:DescribeAvailabilityZones",
"ec2:CreateSnapshot",
"ec2:AttachVolume"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"ec2:CreateAction": [
"CreateVolume",
"CreateSnapshot"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Action": "ec2:DeleteTags",
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:volume/*"
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/CSIVolumeName": "*"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:volume/*"
},
{
"Action": "ec2:CreateVolume",
"Condition": {
"StringLike": {
"aws:RequestTag/kubernetes.io/cluster/*": "owned"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateVolume",
"Effect": "Allow",
"Resource": "arn:aws:ec2:*:*:snapshot/*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeName": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteVolume",
"Condition": {
"StringLike": {
"ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"ec2:ResourceTag/CSIVolumeSnapshotName": "*"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:DeleteSnapshot",
"Condition": {
"StringLike": {
"ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
}
},
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/AmazonEKS_EBS_CSI_Policy-20250520175051125200000003"
}
]
}
{
"Path": "/",
"RoleName": "inlchu3g6soa2x4gap9mzok4na-eks-external-secrets-irsa",
"RoleId": "AROA6CVWHFY6HJJFTKI46",
"Arn": "arn:aws:iam::967823535676:role/inlchu3g6soa2x4gap9mzok4na-eks-external-secrets-irsa",
"CreateDate": "2025-05-21T19:42:22+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::967823535676:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:aud": "sts.amazonaws.com",
"oidc.eks.us-west-2.amazonaws.com/id/98193A85D4F59D436ED6A77BA0DFE598:sub": "system:serviceaccount:external-secrets:external-secrets"
}
}
}
]
},
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": [
"secretsmanager:ListSecrets",
"secretsmanager:ListSecretVersionIds",
"secretsmanager:GetSecretValue",
"secretsmanager:GetResourcePolicy",
"secretsmanager:GetRandomPassword",
"secretsmanager:DescribeSecret",
"secretsmanager:BatchGetSecretValue"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/inlchu3g6soa2x4gap9mzok4na-external-secrets"
}
]
}
{
"Path": "/",
"RoleName": "inlchu3g6soa2x4gap9mzok4na-maintenance",
"RoleId": "AROA6CVWHFY6HNGBNQPE6",
"Arn": "arn:aws:iam::967823535676:role/inlchu3g6soa2x4gap9mzok4na-maintenance",
"CreateDate": "2025-05-20T17:12:53+00:00",
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::967823535676:role/ra-test-kyruus-RunnerInstanceRole-jK9ieuI9QFfZ"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "",
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:ecr:us-west-2:967823535676:repository/inlchu3g6soa2x4gap9mzok4na"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "replication.ecr.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ecr:us-west-2:967823535676:repository/inlchu3g6soa2x4gap9mzok4na"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/ecr-access-inlchu3g6soa2x4gap9mzok4na"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"rds:CreateDBSubnetGroup",
"rds:CreateTenantDatabase",
"acm:DescribeCertificate",
"acm:ListTagsForCertificate",
"acm:RequestCertificate",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateTags",
"ec2:CreateSecurityGroup",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:CompleteLayerUpload",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:InitiateLayerUpload",
"ecr:PutImage",
"ecr:UploadLayerPart",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:TagResource",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"iam:AttachRolePolicy",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DetachRolePolicy",
"iam:DeleteOpenIDConnectProvider",
"iam:CreateServiceLinkedRole",
"iam:GetRole",
"iam:GetOpenIDConnectProvider",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListOpenIDConnectProviders",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagOpenIDConnectProvider",
"iam:TagRole",
"iam:TagPolicy",
"kms:CreateGrant",
"kms:Decrypt",
"kms:DescribeKey",
"kms:GenerateDataKey",
"rds:AddTagsToResource",
"rds:CreateDBInstance",
"rds:CreateDBParameterGroup",
"rds:CreateTenantDatabase",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSubnetGroups",
"rds:ListTagsForResource",
"rds:ModifyDBParameterGroup",
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"s3:ListAllMyBuckets",
"s3:CreateBucket",
"s3:GetBucketTagging",
"s3:GetBucketPublicAccessBlock",
"s3:PutBucketTagging",
"secretsmanager:CreateSecret",
"secretsmanager:DescribeSecret",
"secretsmanager:TagResource",
"sts:AssumeRole",
"sts:GetCallerIdentity"
],
"Resource": "*",
"Effect": "Allow"
}
],
"policy_name": "inlchu3g6soa2x4gap9mzok4na-maintenance-minimal"
}
],
"permissions_boundary": {
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "*",
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"secretsmanager:GetSecretValue",
"rds-db:connect",
"rds-data:Execute*",
"elasticache:Connect",
"ec2-instance-connect:*",
"logs:GetLogEvents",
"logs:DescribeLogStreams",
"logs:FilterLogEvents"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": "s3:GetObject",
"NotResource": "arn:aws:s3:::inlchu3g6soa2x4gap9mzok4na-terraform-state/*"
},
{
"Effect": "Deny",
"Action": [
"iam:PutRolePermissionsBoundary",
"iam:CreateRole"
],
"Condition": {
"StringNotEquals": {
"iam:PermissionsBoundary": "arn:aws:iam::policy/inlchu3g6soa2x4gap9mzok4na-permissions-boundary"
}
},
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"sts:AssumeRole",
"iam:UpdateAssumeRolePolicy",
"lambda:UpdateFunctionCode",
"lambda:InvokeFunction",
"lambda:CreateEventSourceMapping",
"iam:UpdateLoginProfile",
"iam:DeleteRolePermissionsBoundary",
"iam:CreateLoginProfile",
"iam:CreateAccessKey",
"glue:UpdateDevEndpoint",
"datapipeline:CreatePipeline",
"cloudformation:CreateStack"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"eks:UpdateAccessEntry",
"eks:DisassociateAccessPolicy",
"eks:DeleteAccessEntry"
],
"Resource": "*"
},
{
"Effect": "Deny",
"Action": [
"iam:SetDefaultPolicyVersion",
"iam:DeletePolicyVersion",
"iam:DeletePolicy",
"iam:CreatePolicyVersion"
],
"Resource": "arn:aws:iam::policy/inlchu3g6soa2x4gap9mzok4na-permissions-boundary"
}
]
}
}
{
"Path": "/",
"RoleName": "inlchu3g6soa2x4gap9mzok4na-provision",
"RoleId": "AROA6CVWHFY6DMIESQ7EK",
"Arn": "arn:aws:iam::967823535676:role/inlchu3g6soa2x4gap9mzok4na-provision",
"CreateDate": "2025-05-20T17:12:54+00:00",
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": "arn:aws:iam::967823535676:role/ra-test-kyruus-RunnerInstanceRole-jK9ieuI9QFfZ"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "",
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": [
"ecr:*",
"cloudtrail:LookupEvents"
],
"Effect": "Allow",
"Resource": "arn:aws:ecr:us-west-2:967823535676:repository/inlchu3g6soa2x4gap9mzok4na"
},
{
"Action": "iam:CreateServiceLinkedRole",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "replication.ecr.amazonaws.com"
}
},
"Effect": "Allow",
"Resource": "arn:aws:ecr:us-west-2:967823535676:repository/inlchu3g6soa2x4gap9mzok4na"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/ecr-access-inlchu3g6soa2x4gap9mzok4na"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:RevokeSecurityGroupEgress",
"ec2:RunInstances",
"ec2:RunInstances",
"ec2:RunInstances",
"ec2:RunInstances",
"ec2:RunInstances",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:ListTagsForResource",
"ecr:TagResource",
"eks:AssociateAccessPolicy",
"eks:CreateAccessEntry",
"eks:CreateAddon",
"eks:CreateCluster",
"eks:CreateNodegroup",
"eks:DescribeAccessEntry",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:DescribeCluster",
"eks:DescribeNodegroup",
"eks:TagResource",
"eks:ListAssociatedAccessPolicies",
"iam:AttachRolePolicy",
"iam:CreateOpenIDConnectProvider",
"iam:CreatePolicy",
"iam:CreateRole",
"iam:DetachRolePolicy",
"iam:DeleteOpenIDConnectProvider",
"iam:CreateServiceLinkedRole",
"iam:GetRole",
"iam:GetOpenIDConnectProvider",
"iam:GetRolePolicy",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:TagOpenIDConnectProvider",
"iam:TagRole",
"iam:TagPolicy",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DescribeKey",
"kms:GetKeyPolicy",
"kms:GetKeyRotationStatus",
"kms:ListResourceTags",
"kms:PutKeyPolicy",
"kms:TagResource",
"logs:CreateLogGroup",
"logs:DescribeLogGroups",
"logs:ListTagsForResource",
"logs:PutRetentionPolicy",
"logs:TagResource",
"ssm:GetParameters",
"sts:AssumeRole",
"sts:GetCallerIdentity"
],
"Resource": "*",
"Effect": "Allow"
}
],
"policy_name": "inlchu3g6soa2x4gap9mzok4na-provision-minimal"
}
]
}
{
"Path": "/",
"RoleName": "ra-test-kyruus-cluster-20250520175051100300000001",
"RoleId": "AROA6CVWHFY6G7ZJT7KD6",
"Arn": "arn:aws:iam::967823535676:role/ra-test-kyruus-cluster-20250520175051100300000001",
"CreateDate": "2025-05-20T17:50:51+00:00",
"AssumeRolePolicyDocument": {
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EKSClusterAssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "eks.amazonaws.com"
},
"Action": [
"sts:TagSession",
"sts:AssumeRole"
]
}
]
},
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Statement": [
{
"Action": [
"kms:Encrypt",
"kms:Decrypt",
"kms:ListGrants",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "arn:aws:kms:us-west-2:967823535676:key/710514c8-4b4f-4347-a533-6a8c1d3a1e62"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/ra-test-kyruus-cluster-ClusterEncryption20250520175055381500000007"
},
{
"Statement": [
{
"Action": [
"ec2:RunInstances",
"ec2:CreateLaunchTemplate",
"ec2:CreateFleet"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
},
"StringLike": {
"aws:RequestTag/eks:kubernetes-node-class-name": "*",
"aws:RequestTag/eks:kubernetes-node-pool-name": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "Compute"
},
{
"Action": [
"ec2:CreateVolume",
"ec2:CreateSnapshot"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:snapshot/*"
],
"Sid": "Storage"
},
{
"Action": "ec2:CreateNetworkInterface",
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}",
"aws:RequestTag/eks:kubernetes-cni-node-name": "*"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "Networking"
},
{
"Action": [
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateListener",
"ec2:CreateSecurityGroup"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "LoadBalancer"
},
{
"Action": "shield:CreateProtection",
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
}
},
"Effect": "Allow",
"Resource": "*",
"Sid": "ShieldProtection"
},
{
"Action": "shield:TagResource",
"Condition": {
"StringEquals": {
"aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
}
},
"Effect": "Allow",
"Resource": "arn:aws:shield::*:protection/*",
"Sid": "ShieldTagResource"
}
],
"Version": "2012-10-17",
"policy_arn": "arn:aws:iam::967823535676:policy/ra-test-kyruus-cluster-20250520175051143200000005"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AmazonEKSClusterPolicy",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:UpdateAutoScalingGroup",
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateRoute",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteRoute",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:DescribeInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcs",
"ec2:DescribeDhcpOptions",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeAvailabilityZones",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:RevokeSecurityGroupIngress",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstanceTopology",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Sid": "AmazonEKSClusterPolicySLRCreate",
"Effect": "Allow",
"Action": "iam:CreateServiceLinkedRole",
"Resource": "*",
"Condition": {
"StringEquals": {
"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
}
}
},
{
"Sid": "AmazonEKSClusterPolicyENIDelete",
"Effect": "Allow",
"Action": "ec2:DeleteNetworkInterface",
"Resource": "*",
"Condition": {
"StringEquals": {
"ec2:ResourceTag/eks:eni:owner": "amazon-vpc-cni"
}
}
}
],
"policy_arn": "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": "ec2:CreateNetworkInterfacePermission",
"Resource": "*",
"Condition": {
"ForAnyValue:StringEquals": {
"ec2:ResourceTag/eks:eni:owner": "eks-vpc-resource-controller"
}
}
},
{
"Effect": "Allow",
"Action": [
"ec2:CreateNetworkInterface",
"ec2:DetachNetworkInterface",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:DeleteNetworkInterface",
"ec2:AttachNetworkInterface",
"ec2:UnassignPrivateIpAddresses",
"ec2:AssignPrivateIpAddresses"
],
"Resource": "*"
}
],
"policy_arn": "arn:aws:iam::aws:policy/AmazonEKSVPCResourceController"
}
]
}
{
"Path": "/",
"RoleName": "ra-test-kyruus-RunnerInstanceRole-jK9ieuI9QFfZ",
"RoleId": "AROA6CVWHFY6BDLOQCSQJ",
"Arn": "arn:aws:iam::967823535676:role/ra-test-kyruus-RunnerInstanceRole-jK9ieuI9QFfZ",
"CreateDate": "2025-05-20T17:12:33+00:00",
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "ec2.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "Instance role for the runner ec2 instance and ASG. Used to assume Provision, Deprovision, and Maintenance roles as needed by the app.",
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:us-west-2:967823535676:log-group:runner-run71v31mb1w038twk9yskeray:*"
],
"Effect": "Allow"
}
],
"policy_name": "nuon-install-inlchu3g6soa2x4gap9mzok4na-cw-logs-access"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Condition": {
"StringEquals": {
"aws:Ec2InstanceSourceVpc": "vpc-0cbf560d4bbc33c74"
}
},
"Action": [
"ec2:DescribeTags"
],
"Resource": "*",
"Effect": "Allow"
}
],
"policy_name": "nuon-install-inlchu3g6soa2x4gap9mzok4na-metadata"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"sts:AssumeRole"
],
"Resource": "*",
"Effect": "Allow"
}
],
"policy_name": "RunnerInstancePolicy"
}
]
}
{
"Path": "/",
"RoleName": "ra-test-kyruus-RunnerPhoneHomeRole-MbTDUR5HcsT1",
"RoleId": "AROA6CVWHFY6OGQXNVTYL",
"Arn": "arn:aws:iam::967823535676:role/ra-test-kyruus-RunnerPhoneHomeRole-MbTDUR5HcsT1",
"CreateDate": "2025-05-20T17:12:33+00:00",
"AssumeRolePolicyDocument": {
"Version": "2008-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
},
"Description": "",
"MaxSessionDuration": 3600,
"policy_docs": [
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
}
],
"policy_arn": "arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
},
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"logs:CreateLogGroup",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*",
"Effect": "Allow"
}
],
"policy_name": "CloudwatchPolicy"
}
]
}
ryanartecona commented May 22, 2025

notes:

  • There is an EC2 "runner instance" that polls Retool's control-plane servers for operations initiated by Retool staff, and assumes the 'provision' role (at setup time) or the 'maintenance' role (at all other times) to carry those operations out. This corresponds to our new egress-only remote-access model, which no longer requires explicit cross-account access at the IAM level.
  • The 'provision' role is required only at setup time and can be disabled by Kyruus afterward with no loss of service.
  • The maintenance role also has a permissions boundary that denies specific actions on specific resources. This is the primary mechanism by which Retool is prevented from accessing customer data (i.e. the database password secret) and from elevating its own privileges in order to do so. (To be clear, the explicit Deny statements in the boundary take precedence over its Allow on `*`: in IAM an explicit deny always overrides an allow, and a role's effective permissions are the intersection of its boundary and its attached policies.)
