Upcoming Astronomer Action: Required cross-account role updates
The upcoming policy changes affect both our cross-account role policy and our operational boundary for service roles.
The operational boundary changes are required for the upcoming Karpenter-based node autoscaling controller to function. They are paired with changes to the cross-account role policy that allow Astronomer to create and manage the resources the Karpenter controller needs and to perform maintenance when required. This includes the SQS queues and EventBridge rules used to signal node events to the Karpenter controller.
In the policy document below, the bolded text is the addition.
```json
{
  "Name": "OperationalBoundary",
  "Description": "Operational boundary for Astronomer generated roles",
  "Document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CoreClusterManagement",
        "Effect": "Allow",
        "Action": [
          "autoscaling:*",
          "cloudformation:*",
          "cloudwatch:*",
          "ec2:*",
          "ecr:*",
          "eks:*",
          "elasticloadbalancing:*",
          "iam:*OpenID*",
          "kms:DescribeKey",
          "lambda:*",
          "logs:*",
          "route53:AssociateVPCWithHostedZone",
          "s3:*",
          "secretsmanager:*",
          "servicequotas:*",
          "sqs:DeleteMessage",
          "sqs:GetQueueUrl",
          "sqs:ReceiveMessage",
          "ssm:*",
          "tag:*"
        ],
        "Resource": "*"
      }
      ...
      {
        "Sid": "NodePassRole",
        "Effect": "Allow",
        "Action": [
          "iam:PassRole"
        ],
        "Resource": "arn:aws:iam::*:role/*-NodeInstanceRole-*",
        "Condition": {
          "StringEquals": {
            "iam:PassedToService": "ec2.amazonaws.com"
          }
        }
      }
```
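Before applying an update like this, it is worth checking the policy document you actually deploy rather than the excerpt in the notice. The following added example (not Astronomer's code) is a small Python lint that runs over a constructed excerpt of the operational boundary above: it confirms the three SQS actions the Karpenter controller needs are allowed (honouring wildcards such as `ec2:*`), flags duplicated actions like the repeated `sqs:SendMessage` in the cross-account role below, and checks that any `iam:PassRole` grant keeps its `iam:PassedToService` condition. The `REQUIRED_SQS_ACTIONS` set and the sample policy are assumptions taken from this notice.

```python
import fnmatch
import json

# Constructed excerpt of the operational boundary from the notice, reduced to
# the statements that matter for the Karpenter change (not Astronomer's file).
OPERATIONAL_BOUNDARY = json.loads("""{"Version": "2012-10-17", "Statement": [
  {"Sid": "CoreClusterManagement", "Effect": "Allow", "Resource": "*",
   "Action": ["ec2:*", "sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ReceiveMessage"]},
  {"Sid": "NodePassRole", "Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": "arn:aws:iam::*:role/*-NodeInstanceRole-*",
   "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}}]}""")

# SQS actions the notice adds so the Karpenter controller can drain its queue.
REQUIRED_SQS_ACTIONS = {"sqs:DeleteMessage", "sqs:GetQueueUrl", "sqs:ReceiveMessage"}

def _actions(stmt):
    """Normalise a statement's Action field (string or list) to a list."""
    act = stmt.get("Action", [])
    return [act] if isinstance(act, str) else list(act)

def allowed_actions(policy):
    """All action patterns from Allow statements, wildcards kept as written."""
    return [a for s in policy["Statement"] if s.get("Effect") == "Allow"
            for a in _actions(s)]

def is_allowed(policy, action):
    """True if any Allow pattern (e.g. 'ec2:*') matches the given action."""
    return any(fnmatch.fnmatchcase(action, p) for p in allowed_actions(policy))

def lint(policy):
    """Findings a reviewer would raise before approving the boundary update."""
    findings = []
    missing = sorted(a for a in REQUIRED_SQS_ACTIONS if not is_allowed(policy, a))
    if missing:
        findings.append(f"missing Karpenter actions: {missing}")
    acts = allowed_actions(policy)
    dupes = sorted({a for a in acts if acts.count(a) > 1})
    if dupes:
        findings.append(f"duplicate actions: {dupes}")
    for stmt in policy["Statement"]:
        # PassRole should stay pinned to EC2 via the iam:PassedToService condition.
        if "iam:PassRole" in _actions(stmt) and \
           "iam:PassedToService" not in json.dumps(stmt.get("Condition", {})):
            findings.append(f"{stmt.get('Sid')}: iam:PassRole without "
                            "iam:PassedToService condition")
    return findings
```

Run `lint()` over the JSON exported from `aws iam get-policy-version` for your deployed boundary; an empty list means the Karpenter actions are present and the PassRole scoping survived the update.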
New permissions being added to the cross-account role as described above.
```json
{
  "Name": "AstronomerCrossAccountRole",
  "Description": "Permissions boundary for Astronomer cross-account management role",
  "Document": {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "CoreDataPlaneManagement",
        "Effect": "Allow",
        "Action": [
          "events:DeleteRule",
          "events:DescribeRule",
          "events:DisableRule",
          "events:EnableRule",
          "events:ListRuleNamesByTarget",
          "events:ListRules",
          "events:ListTargetsByRule",
          "events:PutRule",
          "events:PutTargets",
          "events:RemoveTargets",
          "sqs:AddPermission",
          "sqs:ChangeMessageVisibility",
          "sqs:CreateQueue",
          "sqs:DeleteMessage",
          "sqs:DeleteQueue",
          "sqs:GetQueueAttributes",
          "sqs:GetQueueUrl",
          "sqs:ListQueues",
          "sqs:ListQueueTags",
          "sqs:PurgeQueue",
          "sqs:ReceiveMessage",
          "sqs:RemovePermission",
          "sqs:SendMessage",
          "sqs:SetQueueAttributes",
          "sqs:TagQueue",
          "sqs:UntagQueue"
        ],
        "Resource": "*"
      },
```
Astronomer is also taking this opportunity to improve the reliability and supportability of Data Plane cluster management by giving our automation and support team the means to address Istio ingress and RDS performance issues. The following actions will be added to the cross-account role as a result:
```json
[
  "elasticloadbalancing:DescribeLoadBalancerAttributes",
  "elasticloadbalancing:ModifyLoadBalancerAttributes",
  "pi:DescribeDimensionKeys",
  "pi:GetDimensionKeyDetails",
  "pi:GetPerformanceAnalysisReport",
  "pi:GetResourceMetadata",
  "pi:GetResourceMetrics",
  "pi:ListAvailableResourceDimensions",
  "pi:ListAvailableResourceMetrics",
  "pi:ListPerformanceAnalysisReports",
  "pi:ListTagsForResource"
]
```
Thank you for your cooperation. If you have any questions, please log a ticket.