fix: restrict iam:PassRole to just the node role we create (#2008)

* fix: restrict iam:PassRole to just the node role we create
aws · Jun 30, 2022 · 6b73164 · 6b73164
1 parent 68fab0f
commit 6b73164
Show file tree

Hide file tree

Showing 2 changed files with 6 additions and 2 deletions.
diff --git a/website/content/en/preview/AWS/provisioning.md b/website/content/en/preview/AWS/provisioning.md
@@ -54,7 +54,8 @@ You can review these fields [in the code](https://github.com/aws/karpenter/blob{
 ### InstanceProfile
 An `InstanceProfile` is a way to pass a single IAM role to an EC2 instance. Karpenter will not create one automatically.
 A default profile may be specified on the controller, allowing it to be omitted here. If not specified as either a default
-or on the controller, node provisioning will fail.
+or on the controller, node provisioning will fail. The KarpenterControllerPolicy will also need to have permissions for 
+`iam:PassRole` to the role provided here or provisioning will fail.  
 
 ```
 spec:

diff --git a/website/content/en/preview/getting-started/getting-started-with-eksctl/cloudformation.yaml b/website/content/en/preview/getting-started/getting-started-with-eksctl/cloudformation.yaml
@@ -46,7 +46,6 @@ Resources:
               - ec2:CreateFleet
               - ec2:RunInstances
               - ec2:CreateTags
-              - iam:PassRole
               - ec2:TerminateInstances
               - ec2:DeleteLaunchTemplate
               # Read Operations
@@ -60,3 +59,7 @@ Resources:
               - ec2:DescribeSpotPriceHistory
               - ssm:GetParameter
               - pricing:GetProducts
+          - Effect: Allow
+            Action:
+              - iam:PassRole
+            Resource: !Sub "arn:${AWS::Partition}:iam::${AWS::AccountId}:role/KarpenterNodeRole-${ClusterName}"