|
1 | 1 | { |
2 | | - "Version": "2012-10-17", |
3 | | - "Statement": [ |
| 2 | + "Version" : "2012-10-17", |
| 3 | + "Statement" : [ |
4 | 4 | { |
5 | | - "Effect": "Allow", |
6 | | - "Action": [ |
| 5 | + "Effect" : "Allow", |
| 6 | + "Action" : [ |
7 | 7 | "ec2:DescribeAvailabilityZones", |
8 | 8 | "ec2:DescribeInstances", |
9 | 9 | "ec2:DescribeSnapshots", |
10 | | - "ec2:DescribeTags", |
11 | 10 | "ec2:DescribeVolumes", |
12 | 11 | "ec2:DescribeVolumesModifications", |
13 | 12 | "ec2:DescribeVolumeStatus" |
14 | 13 | ], |
15 | | - "Resource": "*" |
| 14 | + "Resource" : "*" |
16 | 15 | }, |
17 | 16 | { |
18 | | - "Effect": "Allow", |
19 | | - "Action": [ |
| 17 | + "Effect" : "Allow", |
| 18 | + "Action" : [ |
20 | 19 | "ec2:CreateSnapshot", |
21 | 20 | "ec2:ModifyVolume" |
22 | 21 | ], |
23 | | - "Resource": "arn:aws:ec2:*:*:volume/*" |
| 22 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 23 | + "Condition" : { |
| 24 | + "StringLike" : { |
| 25 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 26 | + } |
| 27 | + } |
24 | 28 | }, |
25 | 29 | { |
26 | | - "Effect": "Allow", |
27 | | - "Action": [ |
| 30 | + "Effect" : "Allow", |
| 31 | + "Action" : [ |
28 | 32 | "ec2:CopyVolumes" |
29 | 33 | ], |
30 | | - "Resource": [ |
31 | | - "arn:aws:ec2:*:*:volume/vol-*" |
32 | | - ] |
| 34 | + "Resource" : "arn:aws:ec2:*:*:volume/vol-*", |
| 35 | + "Condition" : { |
| 36 | + "StringLike" : { |
| 37 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 38 | + } |
| 39 | + } |
33 | 40 | }, |
34 | 41 | { |
35 | | - "Effect": "Allow", |
36 | | - "Action": [ |
| 42 | + "Effect" : "Allow", |
| 43 | + "Action" : [ |
37 | 44 | "ec2:AttachVolume", |
38 | 45 | "ec2:DetachVolume" |
39 | 46 | ], |
40 | | - "Resource": [ |
41 | | - "arn:aws:ec2:*:*:volume/*", |
42 | | - "arn:aws:ec2:*:*:instance/*" |
43 | | - ] |
| 47 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 48 | + "Condition" : { |
| 49 | + "StringLike" : { |
| 50 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 51 | + } |
| 52 | + } |
44 | 53 | }, |
45 | 54 | { |
46 | | - "Effect": "Allow", |
47 | | - "Action": [ |
| 55 | + "Effect" : "Allow", |
| 56 | + "Action" : [ |
| 57 | + "ec2:AttachVolume", |
| 58 | + "ec2:DetachVolume" |
| 59 | + ], |
| 60 | + "Resource" : "arn:aws:ec2:*:*:instance/*" |
| 61 | + }, |
| 62 | + { |
| 63 | + "Effect" : "Allow", |
| 64 | + "Action" : [ |
48 | 65 | "ec2:CreateVolume", |
49 | 66 | "ec2:EnableFastSnapshotRestores" |
50 | 67 | ], |
51 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*" |
| 68 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 69 | + "Condition" : { |
| 70 | + "StringLike" : { |
| 71 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
| 72 | + } |
| 73 | + } |
52 | 74 | }, |
53 | 75 | { |
54 | | - "Effect": "Allow", |
55 | | - "Action": [ |
| 76 | + "Effect" : "Allow", |
| 77 | + "Action" : [ |
56 | 78 | "ec2:CreateTags" |
57 | 79 | ], |
58 | | - "Resource": [ |
| 80 | + "Resource" : [ |
59 | 81 | "arn:aws:ec2:*:*:volume/*", |
60 | 82 | "arn:aws:ec2:*:*:snapshot/*" |
61 | 83 | ], |
62 | | - "Condition": { |
63 | | - "StringEquals": { |
64 | | - "ec2:CreateAction": [ |
| 84 | + "Condition" : { |
| 85 | + "StringEquals" : { |
| 86 | + "ec2:CreateAction" : [ |
65 | 87 | "CreateVolume", |
66 | 88 | "CreateSnapshot", |
67 | 89 | "CopyVolumes" |
|
70 | 92 | } |
71 | 93 | }, |
72 | 94 | { |
73 | | - "Effect": "Allow", |
74 | | - "Action": [ |
| 95 | + "Effect" : "Allow", |
| 96 | + "Action" : [ |
75 | 97 | "ec2:DeleteTags" |
76 | 98 | ], |
77 | | - "Resource": [ |
| 99 | + "Resource" : [ |
78 | 100 | "arn:aws:ec2:*:*:volume/*", |
79 | 101 | "arn:aws:ec2:*:*:snapshot/*" |
80 | | - ] |
81 | | - }, |
82 | | - { |
83 | | - "Effect": "Allow", |
84 | | - "Action": [ |
85 | | - "ec2:CreateVolume", |
86 | | - "ec2:CopyVolumes" |
87 | 102 | ], |
88 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
89 | | - "Condition": { |
90 | | - "StringLike": { |
91 | | - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" |
| 103 | + "Condition" : { |
| 104 | + "StringLike" : { |
| 105 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
92 | 106 | } |
93 | 107 | } |
94 | 108 | }, |
95 | 109 | { |
96 | | - "Effect": "Allow", |
97 | | - "Action": [ |
98 | | - "ec2:CreateVolume", |
99 | | - "ec2:CopyVolumes" |
100 | | - ], |
101 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
102 | | - "Condition": { |
103 | | - "StringLike": { |
104 | | - "aws:RequestTag/CSIVolumeName": "*" |
105 | | - } |
106 | | - } |
107 | | - }, |
108 | | - { |
109 | | - "Effect": "Allow", |
110 | | - "Action": [ |
111 | | - "ec2:DeleteVolume" |
| 110 | + "Effect" : "Allow", |
| 111 | + "Action" : [ |
| 112 | + "ec2:CreateTags" |
112 | 113 | ], |
113 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
114 | | - "Condition": { |
115 | | - "StringLike": { |
116 | | - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" |
| 114 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 115 | + "Condition" : { |
| 116 | + "ForAnyValue:StringLike" : { |
| 117 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true", |
| 118 | + "ec2:ResourceTag/CSIVolumeName" : "*", |
| 119 | + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" |
117 | 120 | } |
118 | 121 | } |
119 | 122 | }, |
120 | 123 | { |
121 | | - "Effect": "Allow", |
122 | | - "Action": [ |
123 | | - "ec2:DeleteVolume" |
| 124 | + "Effect" : "Allow", |
| 125 | + "Action" : [ |
| 126 | + "ec2:CreateVolume", |
| 127 | + "ec2:CopyVolumes" |
124 | 128 | ], |
125 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
126 | | - "Condition": { |
127 | | - "StringLike": { |
128 | | - "ec2:ResourceTag/CSIVolumeName": "*" |
| 129 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 130 | + "Condition" : { |
| 131 | + "ForAnyValue:StringLike" : { |
| 132 | + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true", |
| 133 | + "aws:RequestTag/CSIVolumeName" : "*" |
129 | 134 | } |
130 | 135 | } |
131 | 136 | }, |
132 | 137 | { |
133 | | - "Effect": "Allow", |
134 | | - "Action": [ |
| 138 | + "Effect" : "Allow", |
| 139 | + "Action" : [ |
135 | 140 | "ec2:DeleteVolume" |
136 | 141 | ], |
137 | | - "Resource": "arn:aws:ec2:*:*:volume/*", |
138 | | - "Condition": { |
139 | | - "StringLike": { |
140 | | - "ec2:ResourceTag/kubernetes.io/created-for/pvc/name": "*" |
141 | | - } |
142 | | - } |
143 | | - }, |
144 | | - { |
145 | | - "Effect": "Allow", |
146 | | - "Action": [ |
147 | | - "ec2:CreateSnapshot" |
148 | | - ], |
149 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
150 | | - "Condition": { |
151 | | - "StringLike": { |
152 | | - "aws:RequestTag/CSIVolumeSnapshotName": "*" |
| 142 | + "Resource" : "arn:aws:ec2:*:*:volume/*", |
| 143 | + "Condition" : { |
| 144 | + "ForAnyValue:StringLike" : { |
| 145 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true", |
| 146 | + "ec2:ResourceTag/CSIVolumeName" : "*", |
| 147 | + "ec2:ResourceTag/kubernetes.io/created-for/pvc/name" : "*" |
153 | 148 | } |
154 | 149 | } |
155 | 150 | }, |
156 | 151 | { |
157 | | - "Effect": "Allow", |
158 | | - "Action": [ |
| 152 | + "Effect" : "Allow", |
| 153 | + "Action" : [ |
159 | 154 | "ec2:CreateSnapshot" |
160 | 155 | ], |
161 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
162 | | - "Condition": { |
163 | | - "StringLike": { |
164 | | - "aws:RequestTag/ebs.csi.aws.com/cluster": "true" |
165 | | - } |
166 | | - } |
167 | | - }, |
168 | | - { |
169 | | - "Effect": "Allow", |
170 | | - "Action": [ |
171 | | - "ec2:DeleteSnapshot" |
172 | | - ], |
173 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
174 | | - "Condition": { |
175 | | - "StringLike": { |
176 | | - "ec2:ResourceTag/CSIVolumeSnapshotName": "*" |
| 156 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 157 | + "Condition" : { |
| 158 | + "ForAnyValue:StringLike" : { |
| 159 | + "aws:RequestTag/CSIVolumeSnapshotName" : "*", |
| 160 | + "aws:RequestTag/ebs.csi.aws.com/cluster" : "true" |
177 | 161 | } |
178 | 162 | } |
179 | 163 | }, |
180 | 164 | { |
181 | | - "Effect": "Allow", |
182 | | - "Action": [ |
183 | | - "ec2:DeleteSnapshot" |
| 165 | + "Effect" : "Allow", |
| 166 | + "Action" : [ |
| 167 | + "ec2:DeleteSnapshot", |
| 168 | + "ec2:LockSnapshot" |
184 | 169 | ], |
185 | | - "Resource": "arn:aws:ec2:*:*:snapshot/*", |
186 | | - "Condition": { |
187 | | - "StringLike": { |
188 | | - "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true" |
| 170 | + "Resource" : "arn:aws:ec2:*:*:snapshot/*", |
| 171 | + "Condition" : { |
| 172 | + "ForAnyValue:StringLike" : { |
| 173 | + "ec2:ResourceTag/CSIVolumeSnapshotName" : "*", |
| 174 | + "ec2:ResourceTag/ebs.csi.aws.com/cluster" : "true" |
189 | 175 | } |
190 | 176 | } |
191 | 177 | } |
|
0 commit comments