Reduced permissions mode JSON IAM permissions policy template

To activate an AWS environment for Cloudera Data Warehouse (CDW) using reduced permissions mode, you can use this sample JSON template when you register an environment in CDP.

In this mode, you must manually create your CloudFormation stack from a template that CDW pre-populates for you in the AWS console. When you are finished using the stack, you must manually delete its resources from your AWS account.

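To use this JSON policy to create your cross-account IAM role for CDP, see the procedure "Create a cross-account IAM role", which is linked at the bottom of this page. The following JSON policy can be used in Step 6 of that procedure. Before you use it, replace <aws_account_id> with the ID of your own AWS account. The second statement applies to all resources ("Resource": "*") and includes iam:PutRolePolicy, which allows inline policies to be written to any IAM role in the account, so review the policy against your organization's least-privilege requirements before you attach it to the role: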

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "iam:SimulatePrincipalPolicy",
            "Resource": "arn:aws:iam::<aws_account_id>:role/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "eks:UpdateClusterVersion",
                "ec2:CreateKeyPair",
                "ec2:DescribeDhcpOptions",
                "s3:ListBucket",
                "eks:UpdateClusterConfig",
                "ec2:DescribeVpcAttribute",
                "cloudformation:DescribeStackEvents",
                "autoscaling:DescribeAutoScalingGroups",
                "acm:ListCertificates",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRouteTables",
                "s3:PutObjectAcl",
                "ec2:CreateTags",
                "autoscaling:SuspendProcesses",
                "cloudformation:DescribeStacks",
                "s3:PutObject",
                "s3:GetObject",
                "acm:DescribeCertificate",
                "ec2:DescribeVpcs",
                "eks:DescribeUpdate",
                "eks:TagResource",
                "eks:DescribeCluster",
                "ec2:DescribeSubNets",
                "logs:PutRetentionPolicy",
                "s3:GetBucketLocation",
                "ec2:DeleteKeyPair",
                "cloudformation:UpdateStack",
                "iam:GetRolePolicy",
                "iam:PutRolePolicy"
            ],
            "Resource": "*"
        }
    ]
}