Registering an AWS Account in gopaddle provides gopaddle with the AWS account credentials it needs to provision and manage subnets, VPCs and AWS EKS clusters, and to push or pull Docker images to and from the ECR (Docker) registry. Registering an AWS Account in gopaddle is a two-step process. First, an IAM user with the necessary access privileges needs to be created. This IAM user's credentials are then used to register the AWS Account in the gopaddle portal.

1. To register an AWS account, an IAM user with the following IAM policy and API access needs to be created in the AWS portal.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSubnet",
                "ec2:DescribeInstances",
                "ec2:AttachInternetGateway",
                "ecr:DeleteRepository",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "eks:DescribeNodegroup",
                "cloudformation:DescribeStackEvents",
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "iam:ListAttachedRolePolicies",
                "ec2:DescribeVolumes",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRouteTables",
                "ecr:BatchCheckLayerAvailability",
                "iam:GetRole",
                "eks:ListNodegroups",
                "ecr:CreateRepository",
                "ec2:CreateTags",
                "ecr:GetDownloadUrlForLayer",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateRouteTable",
                "ecr:GetAuthorizationToken",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ecr:PutImage",
                "cloudformation:DescribeStacks",
                "eks:DeleteCluster",
                "eks:DeleteNodegroup",
                "cloudformation:DeleteStack",
                "ecr:BatchGetImage",
                "eks:UpdateNodegroupConfig",
                "eks:DescribeCluster",
                "ec2:DeleteVpc",
                "eks:ListClusters",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeSubnets",
                "ecr:InitiateLayerUpload",
                "ec2:DeleteTags",
                "ec2:CreateVpc",
                "ecr:UploadLayerPart",
                "iam:PassRole",
                "ec2:CreateSecurityGroup",
                "ecr:CompleteLayerUpload",
                "ec2:ModifyVpcAttribute",
                "eks:CreateCluster",
                "ec2:DetachNetworkInterface",
                "eks:UntagResource",
                "ec2:DescribeTags",
                "ec2:DeleteRoute",
                "iam:ListRoles",
                "eks:CreateNodegroup",
                "ec2:DescribeSecurityGroups",
                "iam:CreateServiceLinkedRole",
                "cloudformation:CreateStack",
                "ec2:DescribeVpcs",
                "ec2:DeleteSecurityGroup",
                "eks:TagResource",
                "sts:GetCallerIdentity"
            ],
            "Resource": "*"
        }
    ]
}

2. Once the IAM user is created, copy its Access Key and Secret Key.
3. In the gopaddle portal, navigate to the Infrastructure option in the left panel and select Cloud Accounts.
4. Select AWS as the Cloud Account in the drop-down option and click Register.
5. Provide a name for the Cloud Account, then provide the Access Key and the Secret Key copied in step 2.
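Before registering the account, it is worth confirming that the policy attached to the IAM user grants exactly the actions listed in step 1 and nothing broader. The script below is an added example, not gopaddle's code or part of this page: it takes a constructed subset of the step-1 action list and a constructed policy written with wildcards and an explicit Deny, reports which required actions are missing, and flags wildcard grants and an unscoped iam:PassRole for a least-privilege review.

```python
import fnmatch
import json

# Constructed sample: a short subset of the step-1 action list on this page.
REQUIRED_ACTIONS = [
    "ec2:DescribeSubnets", "ec2:CreateSubnet", "ec2:DeleteSubnet",
    "eks:DescribeCluster", "eks:CreateCluster", "eks:DeleteCluster",
    "ecr:GetAuthorizationToken", "iam:PassRole", "sts:GetCallerIdentity",
]

# Constructed sample: a policy an administrator might attach instead.
ATTACHED_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:Describe*", "ec2:*Subnet", "eks:*"]},
    {"Effect": "Allow", "Action": "iam:PassRole", "Resource": "*"},
    {"Effect": "Deny", "Action": "eks:DeleteCluster", "Resource": "*"},
]})


def _actions(stmt):
    """IAM lets Action be a string or a list; normalise to a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)


def effective_actions(policy_json, required):
    """Subset of `required` the policy grants: case-insensitive glob match on
    action names, and an explicit Deny overrides any Allow, as IAM does."""
    allowed, denied = set(), set()
    for stmt in json.loads(policy_json)["Statement"]:
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for pattern in _actions(stmt):
            bucket.update(a for a in required
                          if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
    return allowed - denied


def audit(policy_json, required=REQUIRED_ACTIONS):
    """Return (missing_actions, findings) for a least-privilege review."""
    missing = sorted(set(required) - effective_actions(policy_json, required))
    findings = []
    for stmt in json.loads(policy_json)["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for a in _actions(stmt):
            if "*" in a:
                findings.append(f"wildcard {a!r} grants more than the listed actions")
            if a.lower() == "iam:passrole" and stmt.get("Resource") == "*":
                findings.append("iam:PassRole on Resource '*' can pass any role")
    return missing, findings
```

Running `audit(ATTACHED_POLICY)` on the sample reports three actions the wildcards do not cover (one because the Deny wins) and four findings to scope down.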

Policies to create Node Pool with Custom AMI

If you intend to use a custom AMI instead of the default AMI provided for EKS, you need to add a role with the following policies and attach it to the user created in step 1. This role is required in addition to the role mentioned in step 1.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteLaunchTemplate",
                "iam:GetInstanceProfile",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "iam:RemoveRoleFromInstanceProfile",
                "ec2:RunInstances",
                "ssm:GetParameters",
                "iam:AddRoleToInstanceProfile",
                "ec2:CreateLaunchTemplateVersion",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeImages",
                "ec2:CreateLaunchTemplate",
                "autoscaling:DescribeScalingActivities",
                "ec2:RevokeSecurityGroupEgress",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DeleteLaunchTemplateVersions",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        }
    ]
}

Policies to create Storidge Node Pool

If you intend to provision a node pool with a Storidge Cluster, then in addition to the Custom AMI role mentioned above, you need to add a new role with the following policies and attach it to the user created in step 1. Since the Storidge Node Pool uses a custom AMI, the custom AMI role is also required.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingInstances",
                "events:DescribeRule",
                "ssm:DescribeDocument",
                "cloudwatch:DeleteAlarms",
                "events:PutRule",
                "autoscaling:PutLifecycleHook",
                "autoscaling:DeletePolicy",
                "ssm:CreateDocument",
                "autoscaling:DescribeLifecycleHooks",
                "ssm:DescribeAutomationExecutions",
                "ssm:PutParameter",
                "cloudwatch:PutMetricAlarm",
                "events:PutTargets",
                "events:DeleteRule",
                "ssm:DeleteParameter",
                "ssm:DescribeAutomationStepExecutions",
                "ssm:StartAutomationExecution",
                "autoscaling:PutScalingPolicy",
                "events:RemoveTargets",
                "autoscaling:DeleteLifecycleHook",
                "ssm:DeleteDocument"
            ],
            "Resource": "*"
        }
    ]
}