Registering an AWS account in gopaddle gives gopaddle the AWS account credentials it needs to provision and manage subnets, VPCs and AWS EKS clusters, and to push or pull Docker images to and from the ECR (Docker) registry. Registering an AWS account in gopaddle is a two-step process. First, an IAM user with the necessary access privileges needs to be created. This IAM user's credentials are then used to register the AWS account in the gopaddle portal.
1. To register an AWS account, create an IAM user with the following IAM policy and API access in the AWS portal.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSubnet",
                "ec2:DescribeInstances",
                "ec2:AttachInternetGateway",
                "ecr:DeleteRepository",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "eks:DescribeNodegroup",
                "cloudformation:DescribeStackEvents",
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "iam:ListAttachedRolePolicies",
                "ec2:DescribeVolumes",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRouteTables",
                "ecr:BatchCheckLayerAvailability",
                "iam:GetRole",
                "eks:ListNodegroups",
                "ecr:CreateRepository",
                "ec2:CreateTags",
                "ecr:GetDownloadUrlForLayer",
                "ec2:DeleteNetworkInterface",
                "ec2:CreateRouteTable",
                "ecr:GetAuthorizationToken",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ecr:PutImage",
                "cloudformation:DescribeStacks",
                "eks:DeleteCluster",
                "eks:DeleteNodegroup",
                "cloudformation:DeleteStack",
                "ecr:BatchGetImage",
                "eks:UpdateNodegroupConfig",
                "eks:DescribeCluster",
                "ec2:DeleteVpc",
                "eks:ListClusters",
                "ec2:CreateSubnet",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeSubnets",
                "ecr:InitiateLayerUpload",
                "ec2:DeleteTags",
                "ec2:CreateVpc",
                "ecr:UploadLayerPart",
                "iam:PassRole",
                "ec2:CreateSecurityGroup",
                "ecr:CompleteLayerUpload",
                "ec2:ModifyVpcAttribute",
                "eks:CreateCluster",
                "ec2:DetachNetworkInterface",
                "eks:UntagResource",
                "ec2:DescribeTags",
                "ec2:DeleteRoute",
                "iam:ListRoles",
                "eks:CreateNodegroup",
                "ec2:DescribeSecurityGroups",
                "iam:CreateServiceLinkedRole",
                "cloudformation:CreateStack",
                "ec2:DescribeVpcs",
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteVpcEndpoints",
                "ec2:DescribeVpcEndpoints",
                "ec2:DeleteSecurityGroup",
                "eks:TagResource",
                "sts:GetCallerIdentity",
                "autoscaling:DescribeScalingActivities"
            ],
            "Resource": "*"
        }
    ]
}
2. Once the IAM User is created, copy the Access Key and the Secret Key.
3. In the gopaddle portal, navigate to the Settings option in the top navigation bar and select Cloud Accounts.
4. Click on Create and select AWS as the Provider in the drop-down option.
5. Provide a name for the Cloud Account, then provide the Access Key and the Secret Key from step 2.
Policies to create Node Pool with Custom AMI
If you intend to use a custom AMI instead of the default AMI provided for EKS, you need to add a role with the following policies and add it to the user created in step 1. This role is required in addition to the role mentioned in step 1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteLaunchTemplate",
                "iam:GetInstanceProfile",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLaunchTemplateVersions",
                "iam:RemoveRoleFromInstanceProfile",
                "ec2:RunInstances",
                "ssm:GetParameters",
                "iam:AddRoleToInstanceProfile",
                "ec2:CreateLaunchTemplateVersion",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DescribeImages",
                "ec2:CreateLaunchTemplate",
                "autoscaling:DescribeScalingActivities",
                "ec2:RevokeSecurityGroupEgress",
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:DeleteLaunchTemplateVersions",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "*"
        }
    ]
}
Policies to create Storidge Node Pool
If you intend to provision a node pool with a Storidge cluster, in addition to adding the Custom AMI role mentioned above, you need to add a new role with the following policies and add it to the user created in step 1. Since a Storidge Node Pool uses a custom AMI, the Custom AMI role is also required.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingInstances",
                "events:DescribeRule",
                "ssm:DescribeDocument",
                "cloudwatch:DeleteAlarms",
                "events:PutRule",
                "autoscaling:PutLifecycleHook",
                "autoscaling:DeletePolicy",
                "ssm:CreateDocument",
                "autoscaling:DescribeLifecycleHooks",
                "ssm:DescribeAutomationExecutions",
                "ssm:PutParameter",
                "cloudwatch:PutMetricAlarm",
                "events:PutTargets",
                "events:DeleteRule",
                "ssm:DeleteParameter",
                "ssm:DescribeAutomationStepExecutions",
                "ssm:StartAutomationExecution",
                "autoscaling:PutScalingPolicy",
                "events:RemoveTargets",
                "autoscaling:DeleteLifecycleHook",
                "ssm:DeleteDocument"
            ],
            "Resource": "*"
        }
    ]
}
Policies to create an ALB based EKS Cluster
If you intend to create an EKS controller with ALB, in addition to adding the Custom AMI role mentioned above, you need to add a new role with the following policies and add it to the user created in step 1.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateOpenIDConnectProvider",
                "acm:ImportCertificate",
                "acm:DeleteCertificate",
                "ec2:ReleaseAddress",
                "ec2:DisassociateAddress",
                "ec2:DescribeAddresses",
                "ec2:CreateNatGateway",
                "ec2:CreateTags",
                "ec2:DescribeRegions",
                "ec2:DescribeAccountAttributes",
                "ec2:DeleteNatGateway",
                "ec2:DescribeNatGateways",
                "ec2:DescribeAddressesAttribute",
                "ec2:AllocateAddress"
            ],
            "Resource": "*"
        }
    ]
}
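A pre-flight check for the policies above, as an added example that is not gopaddle's own code: it verifies that every action is written as service:Action, the form IAM action names take, and lists identity-granting actions that are allowed on Resource "*". The function names, the watch list and the sample policy are assumptions constructed for illustration.

```python
import json
import re

# IAM action names are "<service-prefix>:<ActionName>"; * and ? are wildcards.
ACTION_RE = re.compile(r"^[A-Za-z0-9-]+:[A-Za-z0-9*?]+$")

# Assumption: an illustrative watch list of identity-granting actions taken
# from the policies on this page, not an exhaustive catalogue.
# Stored lowercase because IAM matches action names case-insensitively.
SENSITIVE = {
    "iam:passrole",
    "iam:createservicelinkedrole",
    "iam:addroletoinstanceprofile",
    "iam:createopenidconnectprovider",
}

def as_list(value):
    """IAM accepts a single value or a list for Statement, Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)

def lint_policy(document: str) -> dict:
    """Return malformed action names and sensitive actions allowed on Resource '*'."""
    policy = json.loads(document)
    findings = {"malformed": [], "sensitive_on_wildcard": []}
    for stmt in as_list(policy.get("Statement")):
        unscoped = "*" in as_list(stmt.get("Resource"))
        allow = stmt.get("Effect") == "Allow"
        for action in as_list(stmt.get("Action")):
            if action != "*" and not ACTION_RE.match(action):
                findings["malformed"].append(action)
            elif allow and unscoped and action.lower() in SENSITIVE:
                findings["sensitive_on_wildcard"].append(action)
    return findings

# Constructed sample input (a shortened policy in the page's format).
SAMPLE = """
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "Constructed",
    "Effect": "Allow",
    "Action": ["ec2:CreateTags", "acm.ImportCertificate", "iam:PassRole"],
    "Resource": "*"
  }]
}
"""

if __name__ == "__main__":
    print(json.dumps(lint_policy(SAMPLE), indent=2))
```

Save each policy to a file and pass its contents to lint_policy before attaching it to the IAM user from step 1.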