4.2.5. IAM 角色所需的 AWS 权限

您可以选择定义自己的云身份和访问管理(IAM)角色,这些角色应用于安装程序创建的机器的实例配置集。您可以通过在 install-config.yaml 文件中定义 controlPlane.platform.aws.iamRolecompute.platform.aws.iamRoleThis 字段来指定现有的 IAM 角色。您可以使用这些字段与命名方案匹配,并为您的 IAM 角色包含预定义的权限界限。

control plane 和计算机器需要以下 IAM 角色权限:

例 4.14. control plane 实例配置集所需的 IAM 角色权限

  • sts:AssumeRole
  • ec2:AttachVolume
  • ec2:AuthorizeSecurityGroupIngress
  • ec2:CreateSecurityGroup
  • ec2:CreateTags
  • ec2:CreateVolume
  • ec2:DeleteSecurityGroup
  • ec2:DeleteVolume
  • ec2:Describe*
  • ec2:DetachVolume
  • ec2:ModifyInstanceAttribute
  • ec2:ModifyVolume
  • ec2:RevokeSecurityGroupIngress
  • elasticloadbalancing:AddTags
  • elasticloadbalancing:AttachLoadBalancerToSubnets
  • elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
  • elasticloadbalancing:CreateListener
  • elasticloadbalancing:CreateLoadBalancer
  • elasticloadbalancing:CreateLoadBalancerPolicy
  • elasticloadbalancing:CreateLoadBalancerListeners
  • elasticloadbalancing:CreateTargetGroup
  • elasticloadbalancing:ConfigureHealthCheck
  • elasticloadbalancing:DeleteListener
  • elasticloadbalancing:DeleteLoadBalancer
  • elasticloadbalancing:DeleteLoadBalancerListeners
  • elasticloadbalancing:DeleteTargetGroup
  • elasticloadbalancing:DeregisterInstancesFromLoadBalancer
  • elasticloadbalancing:DeregisterTargets
  • elasticloadbalancing:Describe*
  • elasticloadbalancing:DetachLoadBalancerFromSubnets
  • elasticloadbalancing:ModifyListener
  • elasticloadbalancing:ModifyLoadBalancerAttributes
  • elasticloadbalancing:ModifyTargetGroup
  • elasticloadbalancing:ModifyTargetGroupAttributes
  • elasticloadbalancing:RegisterInstancesWithLoadBalancer
  • elasticloadbalancing:RegisterTargets
  • elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
  • elasticloadbalancing:SetLoadBalancerPoliciesOfListener
  • kms:DescribeKey

例 4.15. 计算实例配置集所需的 IAM 角色权限

  • sts:AssumeRole
  • ec2:DescribeInstances
  • ec2:DescribeRegions