AWS Permissions required for Porter
Overview
Porter creates several roles and policies for use in the management of your AWS account. These may change over time, and will be automatically updated both here, and on your AWS account.
Make sure to check back here for updates, and if you have any questions, please reach out to us on support@porter.run
Initial Permissions
When signing up for Porter on AWS, you will be asked to create a cloudformation stack. This is only used for setting up the initial permissions required for Porter to manage your account. If you are operating in a regulated environment, these are the minimum permissions required to execute the initial cloudformation stack:
Roles
Porter Access Manager
Porter Access Manager is a role that Porter creates to manage the access given to the other roles in this document. If permissions are removed from this role, you will be unable to access new features of Porter.
{ "Statement": [ { "Action": [ "iam:GetGroup", "iam:CreateGroup", "iam:DeleteGroup", "iam:UpdateGroup", "iam:GetRole", "iam:CreateRole", "iam:DeleteRole", "iam:UpdateRole", "iam:PutRolePermissionsBoundary", "iam:GetUser", "iam:GetPolicy", "iam:CreatePolicy", "iam:DeletePolicy", "iam:GetPolicyVersion", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:ListPolicyVersions", "iam:ListPolicyTags", "iam:ListAttachedGroupPolicies", "iam:GetGroupPolicy", "iam:PutGroupPolicy", "iam:AttachGroupPolicy", "iam:DetachGroupPolicy", "iam:DeleteGroupPolicy", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:GetRolePolicy", "iam:PutRolePolicy", "iam:AttachRolePolicy", "iam:DetachRolePolicy", "iam:DeleteRolePolicy", "iam:ListAttachedUserPolicies", "iam:ListUserPolicies", "iam:ListRoleTags", "iam:TagPolicy", "iam:UntagPolicy", "iam:TagRole", "iam:UntagRole", "iam:RemoveClientIDFromOpenIDConnectProvider", "iam:ListOpenIDConnectProviderTags", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:UntagOpenIDConnectProvider", "iam:AddClientIDToOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider", "iam:GetOpenIDConnectProvider", "iam:TagOpenIDConnectProvider", "iam:CreateOpenIDConnectProvider", "iam:UpdateAssumeRolePolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "IAMController" } ], "Version": "2012-10-17" }
Porter Manager
Porter Manager is used for all API operations from Porter, to your AWS account. This role is primarily used to read resources in your account to ensure that Porter is not creating duplicate resources, or using resources managed by a non-Porter process. This role may adopt policies from the other roles mentioned here, when managing their specific domains.
{ "Statement": [ { "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:DescribeImages", "ec2:GetInstanceTypesFromInstanceRequirements", "eks:DescribeNodegroup", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplateVersions" ], "Effect": "Allow", "Resource": [ "*" ], "Sid": "ManageClusterAutoscaling" }, { "Action": [ "elasticloadbalancing:RemoveListenerCertificates", "ec2:DeleteTags", "acm:ListCertificates", "acm:RequestCertificate", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListTagsForCertificate", "acm:UpdateCertificateOptions", "acm:AddTagsToCertificate", "acm:RemoveTagsFromCertificate", "wafv2:GetWebACLForResource", "wafv2:AssociateWebACL", "wafv2:ListResourcesForWebACL", "wafv2:ListRuleGroups", "wafv2:ListWebACLs", "wafv2:GetWebACL", "wafv2:ListTagsForResource", "wafv2:TagResource", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:RemoveTags", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:CreateRule", "elasticloadbalancing:SetSubnets", "elasticloadbalancing:SetWebACL" ], "Effect": "Allow", "Resource": "*", "Sid": "ManageLoadBalancers" }, { "Action": [ "ec2:AcceptVpcPeeringConnection", "ec2:CreateVpcPeeringConnection", "ec2:DeleteVpcPeeringConnection", "ec2:ModifyVpcPeeringConnectionOptions" ], "Effect": "Allow", "Resource": "*", "Sid": "VpcPeering" }, { "Action": [ "ec2:CreateFlowLogs", "ec2:DeleteFlowLogs", "ec2:DescribeFlowLogs" ], "Effect": "Allow", "Resource": "*", "Sid": "VpcFlowLogs" }, { "Action": [ "ecr:GetAuthorizationToken", "ecr:BatchCheckLayerAvailability", "ecr:GetDownloadUrlForLayer", "ecr:GetRepositoryPolicy", "ecr:DescribeRepositories", "ecr:ListImages", "ecr:DescribeImages", "ecr:BatchGetImage", "ecr:GetLifecyclePolicy", "ecr:GetLifecyclePolicyPreview", "ecr:ListTagsForResource", "ecr:DescribeImageScanFindings" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonEC2ContainerRegistryReadOnly" }, { "Action": [ "sns:*" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonSNSFullAccess" }, { "Action": [ "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DescribeVpcs", "eks:DescribeCluster", "eks-auth:AssumeRoleForPodIdentity" ], "Effect": "Allow", "Resource": "*", "Sid": "AmazonEKSWorkerNodePolicy" } ], "Version": "2012-10-17" }
Porter EKS Manager
Porter EKS Manager is the role used by EKS to perform actions on your AWS account, for ongoing maintenance of your EKS cluster.
{ "Statement": [ { "Action": [ "sts:AssumeRole" ], "Effect": "Allow", "Principal": { "Service": [ "eks.amazonaws.com" ] } } ], "Version": "2012-10-17" }
{ "Statement": [ { "Action": [ "servicequotas:ListServiceQuotas", "servicequotas:GetServiceQuota", "servicequotas:RequestServiceQuotaIncrease", "servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota", "iam:ListAttachedRolePolicies", "iam:GetRole", "iam:GetRolePolicy", "iam:PassRole", "iam:DetachRolePolicy", "iam:DeleteRole", "iam:CreateServiceLinkedRole", "iam:ListOpenIDConnectProviders", "iam:GetOpenIDConnectProvider", "iam:CreateOpenIDConnectProvider", "iam:AddClientIDToOpenIDConnectProvider", "iam:UpdateOpenIDConnectProviderThumbprint", "iam:DeleteOpenIDConnectProvider", "iam:TagOpenIDConnectProvider", "iam:ListPolicyVersions", "iam:CreatePolicyVersion", "autoscaling:CreateAutoScalingGroup", "autoscaling:UpdateAutoScalingGroup", "autoscaling:CreateOrUpdateTags", "autoscaling:StartInstanceRefresh", "autoscaling:DeleteAutoScalingGroup", "autoscaling:DeleteTags", "autoscaling:DescribeTags", "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:TagResource", "secretsmanager:TagResource", "eks:DeleteFargateProfile", "eks:UpdateClusterVersion", "eks:DescribeFargateProfile", "eks:ListTagsForResource", "secretsmanager:CreateSecret", "eks:UpdateAddon", "secretsmanager:DeleteSecret", "eks:ListAddons", "eks:UpdateClusterConfig", "eks:CreateCluster", "eks:DescribeAddon", "eks:UpdateNodegroupVersion", "eks:DescribeNodegroup", "eks:AssociateEncryptionConfig", "eks:ListUpdates", "eks:ListIdentityProviderConfigs", "eks:ListNodegroups", "eks:DisassociateIdentityProviderConfig", "eks:UntagResource", "eks:CreateNodegroup", "eks:DeregisterCluster", "eks:DeleteCluster", "eks:CreateFargateProfile", "eks:ListFargateProfiles", "eks:DescribeIdentityProviderConfig", "eks:DeleteAddon", "eks:DeleteNodegroup", "eks:DescribeUpdate", "eks:TagResource", "eks:AccessKubernetesApi", "eks:CreateAddon", "eks:UpdateNodegroupConfig", "eks:DescribeCluster", "eks:AssociateIdentityProviderConfig", "ecr:CompleteLayerUpload", "ecr:CreateRepository", "ecr:InitiateLayerUpload", "ecr:PutImage", "ecr:UploadLayerPart" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "cloudformation:CreateStack", "cloudformation:DescribeStacks", "cloudformation:ListStackResources", "cloudformation:DescribeChangeSet", "cloudformation:DescribeStackEvents", "cloudformation:GetStackPolicy", "cloudformation:GetTemplate", "cloudformation:CreateChangeSet", "cloudformation:RollbackStack", "cloudformation:TagResource", "cloudformation:UpdateStack", "cloudformation:ContinueUpdateRollback", "cloudformation:CancelUpdateStack", "iam:ListPolicyVersions" ], "Effect": "Allow", "Resource": "*" }, { "Action": [ "iam:DeletePolicyVersion" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::*:policy/porter*" ] }, { "Action": [ "iam:UpdateAssumeRolePolicy" ], "Effect": "Allow", "Resource": [ "arn:aws:iam::*:role/porter*" ] }, { "Action": [ "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:AllocateAddress", "ec2:AssignIpv6Addresses", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:AssociateRouteTable", "ec2:AttachInternetGateway", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateInternetGateway", "ec2:CreateEgressOnlyInternetGateway", "ec2:CreateNatGateway", "ec2:CreateNetworkInterface", "ec2:CreateRoute", "ec2:CreateRouteTable", "ec2:CreateSecurityGroup", "ec2:CreateSubnet", "ec2:CreateTags", "ec2:CreateVpc", "ec2:ModifyVpcAttribute", "ec2:DeleteInternetGateway", "ec2:DeleteEgressOnlyInternetGateway", "ec2:DeleteNatGateway", "ec2:DeleteRouteTable", "ec2:ReplaceRoute", "ec2:DeleteSecurityGroup", "ec2:DeleteSubnet", "ec2:DeleteTags", "ec2:DeleteVpc", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeAvailabilityZones", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInternetGateways", "ec2:DescribeEgressOnlyInternetGateways", "ec2:DescribeInstanceTypes", "ec2:DescribeImages", "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaceAttribute", "ec2:DescribeRouteTables", "ec2:DescribeSecurityGroups", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeVolumes", "ec2:DescribeTags", "ec2:DetachInternetGateway", "ec2:DisassociateRouteTable", "ec2:DisassociateAddress", "ec2:ModifyInstanceAttribute", "ec2:ModifyNetworkInterfaceAttribute", "ec2:ModifySubnetAttribute", "ec2:ReleaseAddress", "ec2:RevokeSecurityGroupIngress", "ec2:RunInstances", "ec2:TerminateInstances", "tag:GetResources", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeInstanceRefreshes", "ec2:CreateLaunchTemplate", "ec2:CreateLaunchTemplateVersion", "ec2:DescribeLaunchTemplates", "ec2:DescribeLaunchTemplateVersions", "ec2:DeleteLaunchTemplate", "ec2:DeleteLaunchTemplateVersions", "ec2:DescribeKeyPairs", "ec2:ModifyInstanceMetadataOptions" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "secretsmanager:CreateSecret", "secretsmanager:DeleteSecret", "secretsmanager:TagResource" ], "Effect": "Allow", "Resource": [ "arn:*:secretsmanager:*:*:secret:aws.cluster.x-k8s.io/*" ] }, { "Action": [ "kms:CreateAlias", "kms:TagResource", "kms:CreateGrant" ], "Effect": "Allow", "Resource": [ "arn:aws:kms:*:*:alias/*", "arn:aws:kms:*:*:key/*" ] }, { "Action": [ "kms:CreateKey" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ssm:GetParameter" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "sts:DecodeAuthorizationMessage" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "elasticfilesystem:CreateFileSystem", "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DeleteFileSystem", "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:DescribeFileSystems", "elasticfilesystem:DescribeMountTargets", "elasticfilesystem:DescribeMountTargetSecurityGroups", "elasticfilesystem:ListTagsForResource", "elasticfilesystem:ModifyMountTargetSecurityGroups", "elasticfilesystem:TagResource", "elasticfilesystem:UntagResource", "elasticfilesystem:UpdateFileSystem" ], "Effect": "Allow", "Resource": [ "*" ] }, { "Action": [ "ecr:GetRegistryScanningConfiguration", "ecr:PutRegistryScanningConfiguration", "inspector2:Disable", "inspector2:Enable" ], "Effect": "Allow", "Resource": [ "*" ], "Sid": "Soc2Requirements" } ], "Version": "2012-10-17" }
Porter Node Manager
Porter Node Manager is the role used by EKS worker nodes. This role also includes access to some AWS-provided roles such as:
AmazonEKS_CNI_Policy
AmazonEKSClusterPolicy
AmazonEKSWorkerNodePolicy
AmazonEC2ContainerRegistryReadOnly
service-role/AmazonEBSCSIDriverPolicy
service-role/AmazonEFSCSIDriverPolicy
{ "Statement": [ { "Action": [ "logs:CreateLogStream", "logs:CreateLogGroup", "logs:DescribeLogStreams", "logs:PutLogEvents", "logs:PutRetentionPolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "CustomerCloudWatchLogs" } ], "Version": "2012-10-17" }
Porter Infra Manager
This is the role used to manage non-EKS resources such as RDS, Elasticache, S3, etc.
{ "Statement": [ { "Action": [ "kms:CreateAlias", "kms:CreateKey", "kms:DeleteAlias", "kms:Describe*", "kms:GenerateRandom", "kms:Get*", "kms:List*", "kms:ScheduleKeyDeletion", "kms:TagResource", "kms:UntagResource", "iam:ListGroups", "iam:ListRoles", "iam:ListUsers", "iam:GetRolePolicy", "iam:GetUser" ], "Effect": "Allow", "Resource": "*", "Sid": "KmsRecommendedInlinePolicy" }, { "Action": [ "s3:*" ], "Effect": "Allow", "Resource": [ "arn:aws:s3:::aws-cloudtrail-logs*" ], "Sid": "CloudTrailS3AllPermission" }, { "Action": [ "s3:ListAllMyBuckets", "s3:GetBucketLocation", "s3:GetBucketPolicy" ], "Effect": "Allow", "Resource": "*", "Sid": "CloudTrailListAndDescribeS3" }, { "Action": "cloudtrail:*", "Effect": "Allow", "Resource": "*", "Sid": "CloudTrailManager" }, { "Action": [ "logs:CreateLogGroup" ], "Effect": "Allow", "Resource": [ "arn:aws:logs:*:*:log-group:aws-cloudtrail-logs*" ], "Sid": "CloudTrailCreateLogGroup" }, { "Action": [ "iam:PassRole" ], "Condition": { "StringEquals": { "iam:PassedToService": "cloudtrail.amazonaws.com" } }, "Effect": "Allow", "Resource": "*", "Sid": "CloudTrailPassRole" }, { "Action": "iam:PassRole", "Condition": { "StringEquals": { "iam:PassedToService": "s3.amazonaws.com" } }, "Effect": "Allow", "Resource": "*", "Sid": "S3ReplicationPassRole" } ], "Version": "2012-10-17" }
Policies
On top of the roles above, the following policies are created which may be attached to one, or many of the roles above.
Cluster Autoscaler
Porter Cluster Autoscaler is used to allow Porter to scale your cluster up and down based on the load of your cluster.
{ "Statement": [ { "Action": [ "autoscaling:SetDesiredCapacity", "autoscaling:TerminateInstanceInAutoScalingGroup", "ec2:DescribeImages", "ec2:GetInstanceTypesFromInstanceRequirements", "eks:DescribeNodegroup", "autoscaling:DescribeAutoScalingGroups", "autoscaling:DescribeAutoScalingInstances", "autoscaling:DescribeLaunchConfigurations", "autoscaling:DescribeScalingActivities", "autoscaling:DescribeTags", "ec2:DescribeInstanceTypes", "ec2:DescribeLaunchTemplateVersions" ], "Effect": "Allow", "Resource": [ "*" ], "Sid": "ManageClusterAutoscaling" } ], "Version": "2012-10-17" }
Loadbalancer
Porter Loadbalancer is used to allow Porter to manage loadbalancers in your account.
{ "Statement": [ { "Action": [ "elasticloadbalancing:RemoveListenerCertificates", "ec2:DeleteTags", "acm:ListCertificates", "acm:RequestCertificate", "acm:DescribeCertificate", "acm:GetCertificate", "acm:ListTagsForCertificate", "acm:UpdateCertificateOptions", "acm:AddTagsToCertificate", "acm:RemoveTagsFromCertificate", "wafv2:GetWebACLForResource", "wafv2:AssociateWebACL", "wafv2:ListResourcesForWebACL", "wafv2:ListRuleGroups", "wafv2:ListWebACLs", "wafv2:GetWebACL", "wafv2:ListTagsForResource", "wafv2:TagResource", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:AddTags", "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:ConfigureHealthCheck", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:DeleteTargetGroup", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", "elasticloadbalancing:DescribeTags", "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", "elasticloadbalancing:RemoveTags", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:CreateRule", "elasticloadbalancing:SetSubnets", "elasticloadbalancing:SetWebACL" ], "Effect": "Allow", "Resource": "*", "Sid": "ManageLoadBalancers" } ], "Version": "2012-10-17" }
Last Updated: