Additional permission TMC needs to register TKG AWS
search cancel

Additional permission TMC needs to register TKG AWS

book

Article ID: 327458

calendar_today

Updated On:

Products

VMware Tanzu Kubernetes Grid

Issue/Introduction

Symptoms:
TMC agent needs several permissions on the AWS account to manage TKG AWS Management cluster. If the management cluster was created using TKG version 1.5.x or higher, these permissions have already been included as part of AWS account set up. If the management cluster was created using TKG 1.4.1 or upgraded fromTKG 1.4.1, then please proceed to the next step.

These permissions must be added in the AWS policy "nodes.tkg.cloud.vmware.com"
"servicequotas:ListServiceQuotas"
"ec2:DescribeKeyPairs"
"ec2:DescribeInstanceTypeOfferings"
"ec2:DescribeInstanceTypes"
"ec2:DescribeAvailabilityZones"
"ec2:DescribeRegions"
"ec2:DescribeSubnets"
"ec2:DescribeRouteTables"
"ec2:DescribeVpcs"
"ec2:DescribeNatGateways"
"ec2:DescribeAddresses"
"elasticloadbalancing:DescribeLoadBalancers"

 


Resolution

Pre req: AWS CLI on a machine which has access to the AWS account where the Management Cluster is.

Run this script from the same machine. This adds the permissions we need.
 
#!/usr/bin/env bash
trap 'exit_code=$?; echo "Failed at ${LINENO}: $BASH_COMMAND (exit: $exit_code)"; exit $exit_code' ERR
set -ux
set -o pipefail


POLICY="$(aws iam list-policies | jq '.Policies | .[] | select (.PolicyName == "nodes.tkg.cloud.vmware.com")')"
POLICY_VERSION="$(echo "$POLICY" | jq '.DefaultVersionId' -r)"
POLICY_ARN="$(echo "$POLICY" | jq '.Arn' -r)"
OLD_DOCUMENT="$(aws iam get-policy-version --policy-arn=$POLICY_ARN --version-id=$POLICY_VERSION | jq .PolicyVersion.Document)"
NEW_PERM=$(cat <<CREDS
 {
    "Action": [
        "servicequotas:ListServiceQuotas",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeVpcs",
        "ec2:DescribeNatGateways",
        "ec2:DescribeAddresses",
        "elasticloadbalancing:DescribeLoadBalancers"
    ],
    "Resource": [
      "*"
    ],
    "Effect": "Allow"
  }
CREDS
)
NEW_DOCUMENT="$(jq -n --argjson old_doc "$OLD_DOCUMENT" --argjson new_perm "$NEW_PERM" '$old_doc | .Statement += [$new_perm]')"
aws iam create-policy-version --policy-arn $POLICY_ARN --policy-document "$NEW_DOCUMENT" --set-as-default