Skip to content

Permissions Setup Used In Cloud Providers (AWS / GCP / Azure)

When cluster is promoted to Phase 2 (cost optimisation is enabled) then CAST AI central system is able to perform operations on Cloud Provider (AWS / GCP / Azure) level (like for example request a node and add it to a cluster). Such operations require relevant Cloud Provider specific credentials and permissions. Below there is a description of the permission setup done for AWS and GCP Cloud Providers (similar description for Azure will be released shortly as well).

AWS

AWS User used by CAST AI

Phase 2 on-boarding script creates a dedicated AWS user used by CAST AI to request and manage AWS resources on customer's behalf. This user follows cast-eks-<cluster name> convention:

» aws iam list-users --output text|grep cast-eks-
USERS   arn:aws:iam::123456789012:user/cast-eks-some-cluster   2022-05-12T12:48:47+00:00   /   123456789012345678901   cast-eks-some-cluster

AWS permissions used by CAST AI

Once user is created, following policies are attached to the AWS user:

API Group Type Description
AmazonEC2ReadOnlyAccess AWS managed policy Used to fetch details about Virtual Machines
IAMReadOnlyAccess AWS managed policy Used to fetch required data from IAM
CastEKSPolicy Managed policy CAST AI policy for creating and removing Virtual Machines when managing Cluster nodes
CastEKSRestrictedAccess Inline policy CAST AI policy for Cluster Pause / Resume functionality

These policies may be validated by combining results from the following commands (please look up AWS documentation about the details how to used that):

aws iam list-user-policies --user-name <user name>
aws iam list-attached-user-policies --user-name <user name>
aws iam list-groups-for-user --user-name <user name>

The result also contains policies' arn's which is required for inspecting permissions, which can be done using following commands:

» aws iam list-policy-versions --policy-arn arn:aws:iam::123456789012:policy/CastEKSPolicy
{
    "Versions": [
        {
            "VersionId": "v83",
            "IsDefaultVersion": true,
            "CreateDate": "2022-05-12T12:49:01+00:00"
        },
        {
            "VersionId": "v82",
            "IsDefaultVersion": false,
            "CreateDate": "2022-05-12T09:53:58+00:00"
        }
    ]
}

... and then:

» aws iam get-policy-version --policy-arn arn:aws:iam::123456789012:policy/CastEKSPolicy --version-id v83
{
    "PolicyVersion": {
        "Document": {
            "Version": "2012-10-17",
            "Statement": [
                {
                    "Sid": "PassRoleEC2",
                    "Action": "iam:PassRole",
                    "Effect": "Allow",
                    "Resource": "arn:aws:iam::*:role/*",
                    "Condition": {
                        "StringEquals": {
                            "iam:PassedToService": "ec2.amazonaws.com"
                        }
                    }
                },
                {
                    "Sid": "NonResourcePermissions",
                    "Effect": "Allow",
                    "Action": [
                        "iam:DeleteInstanceProfile",
                        "iam:RemoveRoleFromInstanceProfile",
                        "iam:DeleteRole",
                        "iam:DetachRolePolicy",
                        "iam:CreateServiceLinkedRole",
                        "iam:DeleteServiceLinkedRole",
                        "ec2:CreateSecurityGroup",
                        "ec2:CreateKeyPair",
                        "ec2:DeleteKeyPair",
                        "ec2:CreateTags",
                        "ec2:ImportKeyPair"
                    ],
                    "Resource": "*"
                },
                {
                    "Sid": "RunInstancesPermissions",
                    "Effect": "Allow",
                    "Action": "ec2:RunInstances",
                    "Resource": [
                        "arn:aws:ec2:*:028075177508:network-interface/*",
                        "arn:aws:ec2:*:028075177508:security-group/*",
                        "arn:aws:ec2:*:028075177508:volume/*",
                        "arn:aws:ec2:*:028075177508:key-pair/*",
                        "arn:aws:ec2:*::image/*"
                    ]
                }
            ]
        },
        "VersionId": "v83",
        "IsDefaultVersion": true,
        "CreateDate": "2022-05-12T12:49:01+00:00"
    }
}

AWS permissions when access is granted using Cross-account IAM role

When enabling cost optimisation (Phase 2) for a connected cluster, there is an option to grant permissions using Cross-account IAM role. This feature allows creating a dedicated cluster user in CAST AI AWS account with a trust policy to be able to 'assume role' defined in customer's AWS account. Keeping role definition and users in separate AWS accounts allows keeping user's credentials on CAST AI side without handing them over when running on-boarding script, which provides higher security level. From customer perspective used role contains the same set of permissions as in case of regular flow (when user is created in customer's AWS account), this can be verified using following command:

aws iam list-attached-role-policies --role-name <role name>
aws iam list-role-policies --role-name <role name>

Additionally, a trust relationship is created as follows:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::123456789012:user/cast-crossrole-f8f82b9c-d375-40d2-9483-123456789012"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

GCP

Overview of GCP permissions used by CAST AI

Phase 2 on-boarding script performs several actions to get required permissions to manage GKE and GCP resources on customer's behalf:

  • Enables required GCP services and APIs for the project
  • Creates IAM service account and assigns required roles to it
  • Generates IAM service account key which is used by CAST AI components to manage GKE and GCP resources on customer's behalf

GCP Services and APIs used by CAST AI

CAST AI enables following GCP services and APIs for the project on which customer's GKE cluster is running:

GCP Service / API Group Description
serviceusage.googleapis.com API to list, enable and disable GCP services
iam.googleapis.com API to manage identity and access control for GCP resources
cloudresourcemanager.googleapis.com API to create, read, and update metadata for GCP resource containers
container.googleapis.com API to manage GKE
compute.googleapis.com API to manage GCP virtual machines

GCP Service Account used by CAST AI

Phase 2 on-boarding script creates a dedicated GCP service account used by CAST AI to request and manage GCP resources on customer's behalf. The Service Account follows castai-gke-<cluster-name-hash> convention. Service account can be verified by:

gcloud iam service-accounts describe castai-gke-<cluster-name-hash>@<your-gcp-project>.iam.gserviceaccount.com

CAST AI created Service Account has the following roles attached:

Role name Description
castai.gkeAccess CAST AI managed role used to manage CAST AI add/delete node operations, full list of permissions can be found below
container.developer GCP managed role for full access to Kubernetes API objects inside Kubernetes cluster
iam.serviceAccountUser GCP managed role to allow run operations as the service account

Full list of castai.gkeAccess role permissions:

» gcloud iam roles describe --project=<your-project-name> castai.gkeAccess

description: Role to manage GKE cluster via CAST AI
etag: example-tag
includedPermissions:
- compute.addresses.use
- compute.disks.create
- compute.disks.setLabels
- compute.disks.use
- compute.images.useReadOnly
- compute.instanceGroupManagers.get
- compute.instanceGroupManagers.update
- compute.instanceGroups.get
- compute.instanceTemplates.create
- compute.instanceTemplates.delete
- compute.instanceTemplates.get
- compute.instanceTemplates.list
- compute.instances.create
- compute.instances.delete
- compute.instances.get
- compute.instances.list
- compute.instances.setLabels
- compute.instances.setMetadata
- compute.instances.setServiceAccount
- compute.instances.setTags
- compute.instances.start
- compute.instances.stop
- compute.networks.use
- compute.networks.useExternalIp
- compute.subnetworks.get
- compute.subnetworks.use
- compute.subnetworks.useExternalIp
- compute.zones.get
- compute.zones.list
- container.certificateSigningRequests.approve
- container.clusters.get
- container.clusters.update
- container.operations.get
- serviceusage.services.list
name: projects/<your-project-name>/roles/castai.gkeAccess
stage: ALPHA
title: Role to manage GKE cluster via CAST AI