IAM permissions boundary
A permissions boundary is an advanced AWS IAM feature that sets the maximum permissions an identity-based policy can grant to an IAM entity (a user or a role). When a permissions boundary is set for an entity, that entity can only perform the actions that are allowed by both its identity-based policies and its permissions boundary.
You can provide your permissions boundary so that all identity-based entities created by eksctl are created within that boundary. This example demonstrates how a permissions boundary can be provided to the various identity-based entities that are created by eksctl:
```yaml
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: cluster-17
  region: us-west-2

iam:
  withOIDC: true
  # boundary applied to the cluster service role created by eksctl
  serviceRolePermissionsBoundary: "arn:aws:iam::11111:policy/entity/boundary"
  # boundary applied to the Fargate pod execution role created by eksctl
  fargatePodExecutionRolePermissionsBoundary: "arn:aws:iam::11111:policy/entity/boundary"
  serviceAccounts:
  - metadata:
      name: s3-reader
    attachPolicyARNs:
    - "arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess"
    # boundary applied to the IRSA role created for this service account
    permissionsBoundary: "arn:aws:iam::11111:policy/entity/boundary"

nodeGroups:
  - name: "ng-1"
    desiredCapacity: 1
    iam:
      # boundary applied to the node instance role created for this nodegroup
      instanceRolePermissionsBoundary: "arn:aws:iam::11111:policy/entity/boundary"
```
Note that it is not possible to provide both a role ARN and a permissions boundary for the same entity.
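To make the "allowed by both" rule concrete, the following is an added example (not eksctl code) that models how IAM combines an identity-based policy with a permissions boundary: an action is permitted only if both documents allow it, and an explicit Deny in either wins. Both policy documents are constructed for illustration, and only Action/Effect matching with `*` and `?` wildcards is modelled (no Resource, Condition or resource-based policy evaluation).

```python
"""Simplified IAM evaluation: identity-based policy capped by a permissions boundary.
Added example, not eksctl code. Only Effect/Action matching is modelled."""
import fnmatch


def _decision(policy, action):
    """Return 'Deny', 'Allow' or None (implicit deny) for one policy document."""
    result = None
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        # IAM action names match case-insensitively and support * and ? wildcards
        if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions):
            if stmt["Effect"] == "Deny":
                return "Deny"  # an explicit Deny overrides any Allow
            result = "Allow"
    return result


def is_allowed(identity_policy, boundary, action):
    """Effective permission = intersection: both documents must Allow and neither may Deny.
    The boundary alone never grants anything."""
    return _decision(identity_policy, action) == "Allow" and _decision(boundary, action) == "Allow"


# constructed: identity-based policy attached to a role that eksctl created
IDENTITY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:Get*", "s3:List*", "iam:CreateUser"], "Resource": "*"},
]}

# constructed: the document behind arn:aws:iam::11111:policy/entity/boundary
BOUNDARY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:Describe*"], "Resource": "*"},
    {"Effect": "Deny", "Action": "s3:GetBucketPolicy", "Resource": "*"},
]}

if __name__ == "__main__":
    for act in ("s3:GetObject", "iam:CreateUser", "ec2:DescribeInstances", "s3:GetBucketPolicy"):
        verdict = "allowed" if is_allowed(IDENTITY_POLICY, BOUNDARY, act) else "denied"
        print(f"{act:24} -> {verdict}")
```

`iam:CreateUser` is granted by the identity policy but falls outside the boundary, so it is denied; `ec2:DescribeInstances` is inside the boundary but not granted by the identity policy, so it is denied as well.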