Cloudera Docs

Attaching a managed policy ARN

For security reasons, if you do not want to provide PutRolePolicy permission in your cross account role, which would be used later to add an inline policy to the Node instance role, you must create a managed policy. Failure to do so results in an authorization error. You learn how to create the managed policy in a few steps.

If you are using the restricted policy, you need to add permission to the cross account role, so this policy can be attached to the Node role. The following example shows the noderole-inline-policy permission as shown on the last line.
{
            "Sid": "VisualEditor12",
            "Effect": "Allow",
            "Action": "iam:AttachRolePolicy",
            "Resource": [
                "arn:aws:iam::*:role/env-*-dwx-stack-EKSServiceRole-*",
                "arn:aws:iam::*:role/env-*-dwx-stack-NodeInstanceRole-*"
            ],
            "Condition": {
                "ForAnyValue:ArnEqualsIfExists": {
                    "iam:PolicyARN": [
                        "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
                        "arn:aws:iam::aws:policy/AmazonEKSServicePolicy",
                        "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly",
                        "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy",
                        "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy",

                        "arn:aws:iam::<AWS_ACCOUNT>:policy/<noderole-inline-policy>"
                    ]
                }
            }
        }
  1. Follow instructions in steps 1-4 to activate your environment in Cloudera Data Warehouse, as described in the "Activating an AWS environment" above.
  2. Select Attach Managed policy ARN to Node Role, and pass the ARN.
    For example:
    When you remove the PutRolePolicy permission, which is one of the standard permissions needed, from your cross account role, the reduced permissions mode UI appears.
    For example:
    For more information about reduced permissions mode, see the topic below.
  3. In Environmental Activations, optionally do not select Reduced Permissions mode.
  4. Click Activate.
    The following managed policy noderole-inline-policy.json is attached to the Node Instance role instead of a inline policy requiring the PutRolePolicy permission in your cross account role:
    noderole-inline-policy.json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "clusterautoscaler",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeTags",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:SetDesiredCapacity",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateTags"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Action": [
                "elasticfilesystem:DescribeAccessPoints",
                "elasticfilesystem:DescribeFileSystems",
                "elasticfilesystem:DescribeMountTargets",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/efs.csi.aws.com/cluster": "true"
                }
            },
            "Action": [
                "elasticfilesystem:CreateAccessPoint"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/efs.csi.aws.com/cluster": "true"
                }
            },
            "Action": "elasticfilesystem:DeleteAccessPoint",
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:CreateSnapshot",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateVolume",
                        "CreateSnapshot"
                    ]
                }
            },
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ],
            "Effect": "Allow"
        },
        {
            "Action": [
                "ec2:DeleteTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:volume/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ],
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/ebs.csi.aws.com/cluster": "true"
                }
            },
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/CSIVolumeName": "*"
                }
            },
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "aws:RequestTag/kubernetes.io/cluster/*": "owned"
                }
            },
            "Action": [
                "ec2:CreateVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CSIVolumeName": "*"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/kubernetes.io/cluster/*": "owned"
                }
            },
            "Action": [
                "ec2:DeleteVolume"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/CSIVolumeSnapshotName": "*"
                }
            },
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Condition": {
                "StringLike": {
                    "ec2:ResourceTag/ebs.csi.aws.com/cluster": "true"
                }
            },
            "Action": [
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:GenerateDataKeyWithoutPlaintext",
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Effect": "Allow"
        },
        {
            "Sid": "kms",
            "Effect": "Allow",
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:GenerateDatakey",
                "kms:ListAliases",
                "kms:DescribeKey"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "limitsmonitoring",
            "Effect": "Allow",
            "Action": [
                "servicequotas:ListServiceQuotas",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeLoadBalancers",
                "rds:DescribeAccountAttributes",
                "rds:DescribeDBInstances",
                "rds:DescribeDBSnapshots"
            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "s3listallbuckets",
            "Effect": "Allow",
            "Action": [
                "s3:ListAllMyBuckets",
      "s3:HeadBucket"

            ],
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "s3readwriteownbuckets",
            "Effect": "Allow",
            "Action": [
                "s3:Get*",
                "s3:Delete*",
                "s3:Put*",
                "s3:ListBucket",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation"
            ],
            "Resource": [
                "arn:aws:s3:::*-dwx-managed",
                "arn:aws:s3:::*-dwx-managed/*",
                "arn:aws:s3:::*-dwx-external",
                "arn:aws:s3:::*-dwx-external/*",
                "arn:aws:s3:::<SDX_BUCKET>",
                "arn:aws:s3:::<SDX_BUCKET>/*"
            ]
        }
    ]
}