Additional permission TMC needs to register TKG AWS

Article ID: 327458


Products

VMware

Issue/Introduction

Symptoms:
The TMC agent needs several permissions on the AWS account to manage a TKG AWS management cluster. If the management cluster was created using TKG version 1.5.x or higher, these permissions have already been included as part of the AWS account set up. If the management cluster was created using TKG 1.4.1 or upgraded from TKG 1.4.1, then please proceed to the next step.

These permissions must be added to the AWS IAM policy "nodes.tkg.cloud.vmware.com":
"servicequotas:ListServiceQuotas"
"ec2:DescribeKeyPairs"
"ec2:DescribeInstanceTypeOfferings"
"ec2:DescribeInstanceTypes"
"ec2:DescribeAvailabilityZones"
"ec2:DescribeRegions"
"ec2:DescribeSubnets"
"ec2:DescribeRouteTables"
"ec2:DescribeVpcs"
"ec2:DescribeNatGateways"
"ec2:DescribeAddresses"
"elasticloadbalancing:DescribeLoadBalancers"

Resolution

Prerequisite: the AWS CLI (and jq) on a machine which has access to the AWS account where the management cluster is.

Run the following script from that machine. It appends a statement containing the permissions listed above to the policy and publishes the result as the policy's new default version.
#!/usr/bin/env bash
# Appends the TMC agent's read-only permissions to the customer-managed policy
# "nodes.tkg.cloud.vmware.com" by publishing a new default policy version.
# Requires: aws CLI (credentials for the management cluster's account) and jq.
trap 'exit_code=$?; echo "Failed at ${LINENO}: $BASH_COMMAND (exit: $exit_code)"; exit $exit_code' ERR
set -ux
set -o pipefail

POLICY_NAME="nodes.tkg.cloud.vmware.com"

# Look up the policy; --scope Local skips AWS-managed policies so the listing stays short.
POLICY="$(aws iam list-policies --scope Local | jq --arg name "$POLICY_NAME" '.Policies[] | select(.PolicyName == $name)')"
if [ -z "$POLICY" ]; then
    echo "Policy ${POLICY_NAME} not found in this account" >&2
    exit 1
fi
POLICY_VERSION="$(echo "$POLICY" | jq -r '.DefaultVersionId')"
POLICY_ARN="$(echo "$POLICY" | jq -r '.Arn')"

# Document of the current default version; the CLI returns it as decoded JSON.
OLD_DOCUMENT="$(aws iam get-policy-version --policy-arn "$POLICY_ARN" --version-id "$POLICY_VERSION" | jq '.PolicyVersion.Document')"

# Statement to append: read-only Describe/List calls, which IAM does not scope per resource.
NEW_PERM=$(cat <<'EOF'
{
    "Action": [
        "servicequotas:ListServiceQuotas",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeAddresses",
        "elasticloadbalancing:DescribeLoadBalancers"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow"
}
EOF
)

# Merge the new statement into the existing document and publish it as the default version.
# A managed policy keeps at most five versions; if create-policy-version fails with a limit
# error, delete an old non-default version (aws iam delete-policy-version) and rerun.
NEW_DOCUMENT="$(jq -n --argjson old_doc "$OLD_DOCUMENT" --argjson new_perm "$NEW_PERM" '$old_doc | .Statement += [$new_perm]')"
aws iam create-policy-version --policy-arn "$POLICY_ARN" --policy-document "$NEW_DOCUMENT" --set-as-default
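Before publishing a new version (each managed policy holds at most five), it is worth checking which of the listed actions the current document already grants, since a 1.5.x-era policy or a wildcard such as ec2:Describe* may already cover them. The following Python is an added example, not part of this article or of the TKG tooling: it inspects a policy document fetched with get-policy-version, honours IAM's case-insensitive wildcard matching, and appends a statement for only the missing actions. SAMPLE_DOC is a constructed stand-in for a pre-1.5 policy.

```python
import fnmatch
import json
# Read-only actions the TMC agent needs (the list from this article).
REQUIRED_ACTIONS = [
    "servicequotas:ListServiceQuotas", "ec2:DescribeKeyPairs",
    "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeInstanceTypes",
    "ec2:DescribeAvailabilityZones", "ec2:DescribeRegions",
    "ec2:DescribeSubnets", "ec2:DescribeRouteTables", "ec2:DescribeVpcs",
    "ec2:DescribeNatGateways", "ec2:DescribeAddresses",
    "elasticloadbalancing:DescribeLoadBalancers",
]

def _as_list(value):
    """IAM accepts a string or a list in Statement/Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]

def granted_patterns(policy_doc):
    """Action patterns granted by unconditional Allow statements on Resource "*"."""
    patterns = []
    for stmt in _as_list(policy_doc.get("Statement", [])):
        if stmt.get("Effect") != "Allow" or "Condition" in stmt:
            continue  # conditional grants may not apply to the agent; treat as missing
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue  # the required Describe/List actions are not resource-scoped
        patterns.extend(_as_list(stmt.get("Action", [])))
    return patterns

def missing_actions(policy_doc):
    """Required actions not matched by any granted pattern (IAM wildcards, case-insensitive)."""
    patterns = [p.lower() for p in granted_patterns(policy_doc)]
    return [a for a in REQUIRED_ACTIONS
            if not any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def add_missing_statement(policy_doc):
    """Return the input unchanged when nothing is missing (no new version needed),
    otherwise a copy with one extra Allow statement covering just the gaps."""
    missing = missing_actions(policy_doc)
    if not missing:
        return policy_doc
    new_doc = json.loads(json.dumps(policy_doc))  # deep copy, leave the input intact
    new_doc["Statement"] = _as_list(new_doc["Statement"]) + [
        {"Effect": "Allow", "Action": missing, "Resource": "*"}]
    return new_doc

# Constructed sample standing in for the document returned by get-policy-version.
SAMPLE_DOC = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions", "ec2:DescribeSubnets"]},
    {"Effect": "Allow", "Action": "s3:GetObject", "Resource": "arn:aws:s3:::example-bucket/*"},
]}
```

Feed the result of add_missing_statement to create-policy-version only when it differs from the input; an unchanged document means the agent's permissions are already in place.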