Add support for Tanzu Mission Control's required AWS IAM permissions #937

randomvariable · 2021-10-21T00:01:08Z

(This is used to request new product features)

Describe the feature request

Tanzu Mission Control's cluster agent requires extra read only permissions to AWS:

servicequotas:ListServiceQuotas
ec2:DescribeKeyPairs
ec2:DescribeInstanceTypeOfferings
ec2:DescribeInstanceTypes
ec2:DescribeAvailabiilityZones
ec2:DescribeRegions
ec2:DescribeSubnets
ec2:DescribeRouteTables
ec2:DescribeVpcs
ec2:DescribeNatGateways
ec2:DescribeAddresses
elasticloadbalancing:DescribeLoadBalancers

For consistency across cloud providers, the cluster agent does not use a node selector, so the IAM permissions need to be added to every node until such a time until some form of workload identity exists, so some mechanism to add it to the nodes role is required.

Proposal is to do the following:

Update tanzu management-cluster permissions aws set with a --enable-tmc-permissions flag to automatically add these or update an existing set of IAM roles for current 1.4.0 installs.
Respect TMC_REGISTRATION_URL or setting the TMC integration via the UI to automatically add the permissions
Update the print out of the UI command as per UI - AWS CLI command equivalent should include Cloudformation stack command if selected #848 when the above are set.

Describe alternatives you've considered

Affected product area (please put an X in all that apply)

Additional context

The text was updated successfully, but these errors were encountered:

randomvariable added kind/feature Categorizes issue or PR as related to a new feature needs-triage Indicates an issue or PR needs to be triaged area/cli provider/aws AWS Provider Issues labels Oct 21, 2021

randomvariable changed the title ~~Add support for Tanzu Mission Control for AWS IAM permissions~~ Add support for Tanzu Mission Control's required AWS IAM permissions Oct 21, 2021

yharish991 assigned randomvariable Oct 26, 2021

yharish991 removed the needs-triage Indicates an issue or PR needs to be triaged label Oct 26, 2021

randomvariable added the lifecycle/active label Nov 2, 2021

randomvariable mentioned this issue Nov 3, 2021

Extend AWS CloudFormation commands #1054

Merged

3 tasks

randomvariable closed this as completed in #1054 Nov 9, 2021

This was referenced Dec 9, 2021

Add extra read only IAM permissions to support Tanzu Mission Control #1343

Merged

Change TMC IAM permissions config var to DISABLE_TMC_CLOUD_PERMISSIONS #1375

Merged

navidshaikh mentioned this issue Dec 15, 2021

[release-0.13] Cherry-pick #1343: Add extra read only IAM permissions to support Tanzu Mission Control (#1343) #1381

Closed

3 tasks

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Add support for Tanzu Mission Control's required AWS IAM permissions #937

Add support for Tanzu Mission Control's required AWS IAM permissions #937

randomvariable commented Oct 21, 2021

Add support for Tanzu Mission Control's required AWS IAM permissions #937

Add support for Tanzu Mission Control's required AWS IAM permissions #937

Comments

randomvariable commented Oct 21, 2021