Minimum set of IAM permissions required for reduced permissions mode
Review a list of the minimum IAM permissions required to activate AWS environments for Cloudera Data Warehouse in reduced permissions mode.
The following is a list of the minimum permissions that are required for your IAM policy to activate environments for Cloudera Data Warehouse in reduced permissions mode. In this mode you must manually create your CloudFormation stack from a template that Cloudera Data Warehouse pre-populates in the AWS console for you. When you are finished using the stack, you must manually delete its resources in your AWS account.
| AWS service | "Allow" actions | Description |
|---|---|---|
Certificate Manager
(acm) |
DescribeCertificate | Created by Cloud Formation to check the certification status during activation. |
| ListCertificates | ACM validation adds DNS records. | |
CloudFormation
(cloudformation) |
DescribeStackEvents | Get Cloud Formation stack events, identify cause of failed CF stack creation failure |
| DescribeStacks | Check the status of stack--error or completed, then install helm charts | |
| UpdateStack | Update Custom AMI, upgrade EKS | |
CloudWatch (logs) |
CreateLogGroup | Create/name cloudwatch log group |
| CreateLogStream | Create log stream of log group that originates from monitored application or resource | |
| DescribeLogStreams | List log streams for log groups | |
| PutLogEvents | Upload log events to log stream | |
| PutRetentionPolicy | Change number of days Cloudwatch retains | |
EC2 (ec2) |
CreateKeyPair |
Create ssh Public key pair, pass to ec2 instances. Not required if passed/set/reused via CloudBreak |
| CreateTags | Tag subnets and eks security group. Amazon EKS security group requirements and considerations | |
| DeleteKeyPair | Delete keypair while deactivating Cloudera Data Warehouse // needed if CB env ssh is not reused | |
| DeleteTags | ||
| DescribeDhcpOptions | See points 2-3 in AWS Requirements Checklist | |
| DescribeKeyPairs | Validate CloudBreak env ssh key pair exists, not deleted inbetween; check for duplicate keypair in case of Cloudera Data Warehouse created keypair | |
| DescribeRouteTables | ||
| DescribeSubNets | See Point 4 in AWS Requirements Checklist | |
| DescribeVpcAttribute | Validate enableDnsHostnames and enableDnsSupport VPC attributes; see 1 and 3 points in Footnote 3 URL | |
| DescribeVpcs | Validate ID of set of DHCP options associated with the VPC | |
EC2 Auto Scaling
(autoscaling) |
DescribeAutoScalingGroups | Get shared services/compute ASGs, update as part of AZRebalance |
| SuspendProcesses | Suspend AZRebalance for autoscaling group; include AZRebalance; cannot suspend AZRebalance in cloudformation; edit/update ASGs with AWS API to avoid AWS re-balancing nodes for AZ (most nodes run in stateful/critical pods) | |
| UpdateAutoScalingGroup | Calico overlaynetwork option requires no EKS nodes up on installation; with CF stack creation 3 nodes start up, autoscaling group updates desired capacity to Zero via AWS API; need latest SSH key from CloudBreak for EKS node updates; new Launch template passes SSH key and updates in ASG | |
EKS (eks) |
DescribeCluster | Calico overlaynetwork option requires no EKS nodes up on installation; with CF stack creation 3 nodes start up, autoscaling group updates desired capacity to Zero via AWS API; need latest SSH key from CloudBreak for EKS node updates; new Launch template passes SSH key and updates in ASG |
| DescribeUpdate | Check status of Updates--enable Private EKS and Cloudwatch on EKS | |
| TagResource | Tag eks cluster, e.g.: clusterId, envId, clustername, accountId... | |
| UpdateClusterConfig | Update EKScluster config Enable Private EKS and Cloudwatch on EKS | |
| UpdateClusterVersion | Updates an Amazon EKS cluster to the specified Kubernetes version | |
IAM (iam) |
DeleteRolePolicy | |
| GetRolePolicy | Delete inline policies like efs, ebs, cluster-autoscaler etc created/attached to Node instance role at deactivation | |
| ListAttachedRolePolicies* | List policies attached to Ranger RAZ role; attach to NodeInstanceRole for S3 access if RAZ enabled | |
| PutRolePolicy | Add inline policies like efs, ebs, cluster-autoscaler to Node Instance Role | |
| SimulatePrincipalPolicy | Simulate Cloud Formation stack formation policies | |
| RDS (rds) | StartDBInstance | |
| StopDBInstance | ||
| DescribeDBInstances | ||
S3 (s3) |
GetBucketLocation | Needed for external bucket feature via UI, where we validate the VPC and bucket region are the same |
| GetObject | Get Cloud Formatoin template while CF stack creation may not be needed for reduced mode | |
| ListBucket | ||
| PutObjectAcl | ||
| PutObject | Put Cloud Formation template in SDX bucket |
*Needed only in a Ranger Authorization (RAZ) environment.
