1 | 1 | { |
2 | | - "Version": "2012-10-17", |
3 | | - "Statement": [ |
| 2 | + "Version" : "2012-10-17", |
| 3 | + "Statement" : [ |
4 | 4 | { |
5 | | - "Effect": "Allow", |
6 | | - "Action": [ |
| 5 | + "Effect" : "Allow", |
| 6 | + "Action" : [ |
7 | 7 | "ec2:DescribeAvailabilityZones", |
8 | 8 | "ec2:DescribeInstances", |
9 | 9 | "ec2:DescribeSnapshots", |
10 | | - "ec2:DescribeTags", |
11 | 10 | "ec2:DescribeVolumes", |
12 | 11 | "ec2:DescribeVolumesModifications", |
13 | 12 | "ec2:DescribeVolumeStatus" |
14 | 13 | ], |
15 | | - "Resource": "*" |
| 14 | + "Resource" : "*" |
16 | 15 | }, |
17 | 16 | { |
18 | | - "Effect": "Allow", |
19 | | - "Action": [ |
20 | | - "ec2:CreateSnapshot", |
21 | | - "ec2:ModifyVolume" |
| 17 | + "Effect" : "Allow", |
| 18 | + "Action" : [ |
| 19 | + "ec2:CreateVolume", |
| 20 | + "ec2:CopyVolumes" |
22 | 21 | ], |
23 | | - "Resource": "arn:aws:ec2:*:*:volume/*" |
| 22 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 23 | + "Condition" : { |
| 24 | + "StringLike" : { |
| 25 | + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true" |
| 26 | + } |
| 27 | + } |
24 | 28 | }, |
25 | 29 | { |
26 | | - "Effect": "Allow", |
27 | | - "Action": [ |
| 30 | + "Effect" : "Allow", |
| 31 | + "Action" : [ |
| 32 | + "ec2:CreateVolume", |
28 | 33 | "ec2:CopyVolumes" |
29 | 34 | ], |
30 | | - "Resource": [ |
31 | | - "arn:aws:ec2:*:*:volume/vol-*" |
32 | | - ] |
| 35 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 36 | + "Condition" : { |
| 37 | + "StringLike" : { |
| 38 | + "aws:RequestTag/CSIVolumeName" : "*" |
| 39 | + } |
| 40 | + } |
33 | 41 | }, |
34 | 42 | { |
35 | | - "Effect": "Allow", |
36 | | - "Action": [ |
37 | | - "ec2:AttachVolume", |
38 | | - "ec2:DetachVolume" |
| 43 | + "Effect" : "Allow", |
| 44 | + "Action" : [ |
| 45 | + "ec2:CopyVolumes" |
39 | 46 | ], |
40 | | - "Resource": [ |
41 | | - "arn:aws:ec2:*:*:volume/*", |
42 | | - "arn:aws:ec2:*:*:instance/*" |
43 | | - ] |
| 47 | + "Resource" : "arn:aws:ec2:*:*:volume/vol-*", |
| 48 | + "Condition" : { |
| 49 | + "StringLike" : { |
| 50 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 51 | + } |
| 52 | + } |
44 | 53 | }, |
45 | 54 | { |
46 | | - "Effect": "Allow", |
47 | | - "Action": [ |
48 | | - "ec2:CreateVolume", |
49 | | - "ec2:EnableFastSnapshotRestores" |
| 55 | + "Effect" : "Allow", |
| 56 | + "Action" : [ |
| 57 | + "ec2:CreateSnapshot" |
50 | 58 | ], |
51 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*" |
| 59 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 60 | + "Condition" : { |
| 61 | + "StringLike" : { |
| 62 | + "aws:RequestTag/CSIVolumeSnapshotName" : "*" |
| 63 | + } |
| 64 | + } |
52 | 65 | }, |
53 | 66 | { |
54 | | - "Effect": "Allow", |
55 | | - "Action": [ |
56 | | - "ec2:CreateTags" |
57 | | - ], |
58 | | - "Resource": [ |
59 | | - "arn:aws:ec2:*:*:volume/*", |
60 | | - "arn:aws:ec2:*:*:snapshot/*" |
| 67 | + "Effect" : "Allow", |
| 68 | + "Action" : [ |
| 69 | + "ec2:CreateSnapshot" |
61 | 70 | ], |
62 | | - "Condition": { |
63 | | - "StringEquals": { |
64 | | - "ec2:CreateAction": [ |
65 | | - "CreateVolume", |
66 | | - "CreateSnapshot", |
67 | | - "CopyVolumes" |
68 | | - ] |
| 71 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 72 | + "Condition" : { |
| 73 | + "StringLike" : { |
| 74 | + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true" |
69 | 75 | } |
70 | 76 | } |
71 | 77 | }, |
72 | 78 | { |
73 | | - "Effect": "Allow", |
74 | | - "Action": [ |
75 | | - "ec2:DeleteTags" |
| 79 | + "Effect" : "Allow", |
| 80 | + "Action" : [ |
| 81 | + "ec2:CreateSnapshot", |
| 82 | + "ec2:ModifyVolume" |
76 | 83 | ], |
77 | | - "Resource": [ |
78 | | - "arn:aws:ec2:*:*:volume/*", |
79 | | - "arn:aws:ec2:*:*:snapshot/*" |
80 | | - ] |
| 84 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 85 | + "Condition" : { |
| 86 | + "StringLike" : { |
| 87 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 88 | + } |
| 89 | + } |
81 | 90 | }, |
82 | 91 | { |
83 | | - "Effect": "Allow", |
84 | | - "Action": [ |
| 92 | + "Effect" : "Allow", |
| 93 | + "Action" : [ |
85 | 94 | "ec2:CreateVolume", |
86 | | - "ec2:CopyVolumes" |
| 95 | + "ec2:EnableFastSnapshotRestores" |
87 | 96 | ], |
88 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
89 | | - "Condition": { |
90 | | - "StringLike": { |
91 | | - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" |
| 97 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 98 | + "Condition" : { |
| 99 | + "StringLike" : { |
| 100 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
92 | 101 | } |
93 | 102 | } |
94 | 103 | }, |
95 | 104 | { |
96 | | - "Effect": "Allow", |
97 | | - "Action": [ |
98 | | - "ec2:CreateVolume", |
99 | | - "ec2:CopyVolumes" |
| 105 | + "Effect" : "Allow", |
| 106 | + "Action" : [ |
| 107 | + "ec2:AttachVolume", |
| 108 | + "ec2:DetachVolume" |
100 | 109 | ], |
101 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
102 | | - "Condition": { |
103 | | - "StringLike": { |
104 | | - "aws:RequestTag/CSIVolumeName": "*" |
| 110 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 111 | + "Condition" : { |
| 112 | + "StringLike" : { |
| 113 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
105 | 114 | } |
106 | 115 | } |
107 | 116 | }, |
108 | 117 | { |
109 | | - "Effect": "Allow", |
110 | | - "Action": [ |
| 118 | + "Effect" : "Allow", |
| 119 | + "Action" : [ |
| 120 | + "ec2:AttachVolume", |
| 121 | + "ec2:DetachVolume" |
| 122 | + ], |
| 123 | + "Resource" : "arn:aws:ec2:*:*:instance/*" |
| 124 | + }, |
| 125 | + { |
| 126 | + "Effect" : "Allow", |
| 127 | + "Action" : [ |
111 | 128 | "ec2:DeleteVolume" |
112 | 129 | ], |
113 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
114 | | - "Condition": { |
115 | | - "StringLike": { |
116 | | - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" |
| 130 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 131 | + "Condition" : { |
| 132 | + "StringLike" : { |
| 133 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
117 | 134 | } |
118 | 135 | } |
119 | 136 | }, |
120 | 137 | { |
121 | | - "Effect": "Allow", |
122 | | - "Action": [ |
| 138 | + "Effect" : "Allow", |
| 139 | + "Action" : [ |
123 | 140 | "ec2:DeleteVolume" |
124 | 141 | ], |
125 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
126 | | - "Condition": { |
127 | | - "StringLike": { |
128 | | - "ec2:ResourceTag/CSIVolumeName": "*" |
| 142 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 143 | + "Condition" : { |
| 144 | + "StringLike" : { |
| 145 | + "ec2:ResourceTag/CSIVolumeName" : "*" |
129 | 146 | } |
130 | 147 | } |
131 | 148 | }, |
132 | 149 | { |
133 | | - "Effect": "Allow", |
134 | | - "Action": [ |
| 150 | + "Effect" : "Allow", |
| 151 | + "Action" : [ |
135 | 152 | "ec2:DeleteVolume" |
136 | 153 | ], |
137 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
138 | | - "Condition": { |
139 | | - "StringLike": { |
140 | | - "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*" |
| 154 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 155 | + "Condition" : { |
| 156 | + "StringLike" : { |
| 157 | + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" |
141 | 158 | } |
142 | 159 | } |
143 | 160 | }, |
144 | 161 | { |
145 | | - "Effect": "Allow", |
146 | | - "Action": [ |
147 | | - "ec2:CreateSnapshot" |
| 162 | + "Effect" : "Allow", |
| 163 | + "Action" : [ |
| 164 | + "ec2:DeleteSnapshot", |
| 165 | + "ec2:LockSnapshot" |
148 | 166 | ], |
149 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
150 | | - "Condition": { |
151 | | - "StringLike": { |
152 | | - "aws:RequestTag/CSIVolumeSnapshotName": "*" |
| 167 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 168 | + "Condition" : { |
| 169 | + "StringLike" : { |
| 170 | + "ec2:ResourceTag/CSIVolumeSnapshotName" : "*" |
| 171 | + } |
| 172 | + } |
| 173 | + }, |
| 174 | + { |
| 175 | + "Effect" : "Allow", |
| 176 | + "Action" : [ |
| 177 | + "ec2:DeleteSnapshot", |
| 178 | + "ec2:LockSnapshot" |
| 179 | + ], |
| 180 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 181 | + "Condition" : { |
| 182 | + "StringLike" : { |
| 183 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
153 | 184 | } |
154 | 185 | } |
155 | 186 | }, |
156 | 187 | { |
157 | | - "Effect": "Allow", |
158 | | - "Action": [ |
159 | | - "ec2:CreateSnapshot" |
| 188 | + "Effect" : "Allow", |
| 189 | + "Action" : [ |
| 190 | + "ec2:CreateTags" |
160 | 191 | ], |
161 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
162 | | - "Condition": { |
163 | | - "StringLike": { |
164 | | - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" |
| 192 | + "Resource" : [ |
| 193 | + "arn:aws:ec2:*:*:volume/*", |
| 194 | + "arn:aws:ec2:*:*:snapshot/*" |
| 195 | + ], |
| 196 | + "Condition" : { |
| 197 | + "StringEquals" : { |
| 198 | + "ec2:CreateAction" : [ |
| 199 | + "CreateVolume", |
| 200 | + "CreateSnapshot", |
| 201 | + "CopyVolumes" |
| 202 | + ] |
165 | 203 | } |
166 | 204 | } |
167 | 205 | }, |
168 | 206 | { |
169 | | - "Effect": "Allow", |
170 | | - "Action": [ |
171 | | - "ec2:DeleteSnapshot" |
| 207 | + "Effect" : "Allow", |
| 208 | + "Action" : [ |
| 209 | + "ec2:CreateTags" |
172 | 210 | ], |
173 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
174 | | - "Condition": { |
175 | | - "StringLike": { |
176 | | - "ec2:ResourceTag/CSIVolumeSnapshotName": "*" |
| 211 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 212 | + "Condition" : { |
| 213 | + "StringLike" : { |
| 214 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
177 | 215 | } |
178 | 216 | } |
179 | 217 | }, |
180 | 218 | { |
181 | | - "Effect": "Allow", |
182 | | - "Action": [ |
183 | | - "ec2:DeleteSnapshot" |
| 219 | + "Effect" : "Allow", |
| 220 | + "Action" : [ |
| 221 | + "ec2:DeleteTags" |
| 222 | + ], |
| 223 | + "Resource" : [ |
| 224 | + "arn:aws:ec2:*:*:volume/*", |
| 225 | + "arn:aws:ec2:*:*:snapshot/*" |
184 | 226 | ], |
185 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
186 | | - "Condition": { |
187 | | - "StringLike": { |
188 | | - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" |
| 227 | + "Condition" : { |
| 228 | + "StringLike" : { |
| 229 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
189 | 230 | } |
190 | 231 | } |
191 | 232 | } |
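Review bot: The new statements gate `ec2:AttachVolume`/`ec2:DetachVolume` on `volume/*` (new lines 107-113) and `ec2:ModifyVolume` (new lines 81-88) solely on `ec2:ResourceTag/ebs.csi.aws.com/cluster`, while `ec2:DeleteVolume` (new lines 128-159) also accepts `ec2:ResourceTag/CSIVolumeName` and `ec2:ResourceTag/kubernetes.io/created-for/pvc/name`, and `ec2:CreateVolume` (new lines 32-39) may be authorised with only `aws:RequestTag/CSIVolumeName`. A volume created under that second CreateVolume statement without the cluster tag can therefore be deleted but not attached, detached or resized by this role; if the driver does not always apply the cluster tag, the attach/detach and ModifyVolume statements need the same tag alternatives the DeleteVolume statements carry. The commit also drops `ec2:DescribeTags` from the unconditional Describe statement (old line 10); that is presumably intentional but worth confirming against the driver's calls, since the tag-scoped conditions elsewhere make tag visibility more important, not less. Separately, the `ec2:CopyVolumes` statement at new line 47 scopes to `volume/vol-*` while every other volume statement uses `volume/*`; pick one pattern. The reformatting of every key to `"Key" : value` diverges from the `"Key": value` form that `jq`, Prettier and `python -m json.tool` emit and turns a handful of semantic changes into a whole-file diff.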