Is it enough to give EKSCTL access only to

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeAutoScalingInstances",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeTags",
                "autoscaling:SetDesiredCapacity"
            ],
            "Resource": "*"
        }
    ]
}

in order to run eksctl scale nodegroup --cluster cluster_name --nodes-min=1 --nodes-max=2 --nodes=1 nodegroup_name?

And how can I restrict the policy to scale only specific groups or clusters?

passwd

1 Answer

eksctl operates on CloudFormation stacks. So your policy should be granting write access to cloudformation:, in addition to read-only access to autoscaling: (I believe the latter is needed to compare the current parameters of an ASG to the desired ones, but I would need to test and confirm to be sure).

You should be able to use wildcards in the policy's Resource to limit write access to the CloudFormation stacks that match a specific naming pattern. For example, eksctl-created stacks always have the cluster name in them.

ebr
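The wildcard scoping suggested in the answer, as an added example that is not part of the original posts: it builds a policy limited to one cluster's nodegroup stacks and checks which stack ARNs a given Resource pattern would cover. Assumptions: the stack names `eksctl-<cluster>-nodegroup-<name>` and `eksctl-<cluster>-cluster`, the two CloudFormation actions, the cluster names and the sample ARNs are chosen for illustration; the page does not confirm the exact actions eksctl needs.

```python
import json
import re

def iam_match(pattern: str, arn: str) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' exactly one."""
    rx = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c)
                 for c in pattern)
    return re.fullmatch(rx, arn, flags=re.DOTALL) is not None

def stack_resource(cluster: str, scope: str = "nodegroup-*") -> str:
    # Stack ARN layout: arn:aws:cloudformation:<region>:<account>:stack/<name>/<id>
    # Region and account stay wildcards here; pin them in a real policy.
    return f"arn:aws:cloudformation:*:*:stack/eksctl-{cluster}-{scope}/*"

def scale_policy(cluster: str) -> dict:
    return {
        "Version": "2012-10-17",
        "Statement": [
            {   # Assumed action set; the page does not list eksctl's exact calls.
                "Effect": "Allow",
                "Action": ["cloudformation:DescribeStacks",
                           "cloudformation:UpdateStack"],
                "Resource": stack_resource(cluster),
            },
            {   # Read-only Auto Scaling actions copied from the question.
                "Effect": "Allow",
                "Action": ["autoscaling:DescribeAutoScalingGroups",
                           "autoscaling:DescribeAutoScalingInstances",
                           "autoscaling:DescribeLaunchConfigurations",
                           "autoscaling:DescribeTags"],
                "Resource": "*",
            },
        ],
    }

# Constructed sample ARNs (made-up account id and stack ids).
BASE = "arn:aws:cloudformation:eu-west-1:111122223333:stack/"
SAMPLES = {
    "prod nodegroup": BASE + "eksctl-prod-nodegroup-ng1/0a1b",
    "prod control plane": BASE + "eksctl-prod-cluster/0a1c",
    "prod-eu nodegroup": BASE + "eksctl-prod-eu-nodegroup-ng1/0a1d",
    "unrelated stack": BASE + "billing-db/0a1e",
}

def allowed(pattern: str) -> list:
    """Names of the sample stacks that a Resource pattern would cover."""
    return sorted(n for n, arn in SAMPLES.items() if iam_match(pattern, arn))

if __name__ == "__main__":
    print(json.dumps(scale_policy("prod"), indent=2))
    print("eksctl-prod-nodegroup-*:", allowed(stack_resource("prod")))
    print("eksctl-prod-*:", allowed(stack_resource("prod", "*")))
```

A pattern that stops at the cluster name (`eksctl-prod-*`) also covers the control-plane stack and any cluster whose name begins with `prod-`, so include the `-nodegroup-` segment when only nodegroup scaling is intended.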