Skip to content

Cloud Permissions

In order to manage your customer deployments, Omnistrate assumes certain roles in your account (for both BYOA and Hosted models). Specifically, Omnistrate separates the deployment process into two separate steps: - Service Bootstrap - Service Management

Service Bootstrap

Service bootstrap is the initial step Omnistrate takes to setup the platform to host your deployments. This is typically done only once per region for a given Cloud account. In the case of hosted deployments where you host your customer deployments, the base platform is shared in that region and the configured cloud account. In the case of BYOA (Bring Your Own Account) deployments, the base platform is shared for all deployments of that particular customer / tenant who is bringing their account in that region. This step sets up the following: - AWS VPC / GCP Network - EKS / GKE Cluster - NGINX-backed NLB / GCP L4 LB - Your Service Deployment Agent

AWS

Load Balancer Policy

In order to deploy the NGINX-backed NLB, we bootstrap the AWS Load Balancer Controller. The permissions necessary for this controller are detailed here. The policy includes:

  • Service-linked Role Creation:

    • Create service-linked roles for Elastic Load Balancing

  • Read-only EC2 Permissions:

    • Describe EC2 resources (VPCs, subnets, security groups, instances, etc.)
    • View network configurations and metadata

  • Read-only ELB Permissions:

    • Describe load balancers, target groups, listeners, and their attributes

  • Security-related Permissions:

    • Access to Cognito, ACM certificates, WAF, and Shield
    • Ability to view and manipulate security configurations

  • Security Group Management:

    • Create, modify, and delete security groups with specific tagging conditions
    • Manage security group ingress/egress rules

  • Load Balancer Resource Management:

    • Create and configure load balancers, target groups, and listeners
    • Register and deregister targets
    • Modify load balancer attributes and settings

Most permissions include conditional statements based on resource tags (especially elbv2.k8s.aws/cluster) to limit actions to resources managed by the controller. This policy enables the AWS Load Balancer Controller to automatically provision and manage Application Load Balancers (ALB) and Network Load Balancers (NLB) for Kubernetes services.

OmnistrateBootstrapPolicy

The OmnistrateBootstrapPolicy is a custom policy that grants the necessary permissions for Omnistrate to bootstrap the platform. This policy is assumed through the Control Plane deployed in your AWS account in the case of BYOA deployments ensuring the trust relationship is established between the Control Plane in your account and the Data Plane in your customer's account. The full policy is available here. The policy includes:

IAM Role Management
  • Role Creation with Boundary: Can create, modify, and delete IAM roles, but only when those roles use the specified permissions boundary (omnistrate-bootstrap-permissions-boundary)
  • Extensive IAM Administrative Actions: Includes a wide range of IAM operations for read-only permissions for roles, policies, instance profiles, and OIDC providers within the AWS account
Service-Linked Roles
  • Can create specific service-linked roles for:
    • Amazon EKS
    • Amazon EKS Node Groups
EKS Management
  • Administrative access to Amazon EKS services (eks:*)
PassRole Permissions
  • Can pass roles to other AWS services in two circumstances:
    • Any role tagged with omnistrate.com/managed-by: omnistrate
    • Specific roles including:
    • Roles starting with omnistrate-
    • Custom NAT roles
    • EKS nodegroup service roles

OmnistrateBootstrapPermissionsBoundary

This IAM managed policy (omnistrate-bootstrap-permissions-boundary) defines the maximum permissions available to roles created during the Omnistrate bootstrapping process. It functions as a guardrail that limits what actions these roles can perform. The full policy is available here. The policy includes:

  • IAM Management:

    • Comprehensive IAM administrative capabilities, with a requirement that newly created roles must use this same permissions boundary
    • Full role, policy, instance profile, and OIDC provider management

  • Core AWS Services (required):

    • Full access to EC2, EKS, Elastic Load Balancing, Auto Scaling, and CloudWatch
    • Limited KMS access (read-only)

  • Storage Services (optional):

    • S3 permissions to manage workload buckets
    • Access to Amazon EFS resources

  • Security & WAF (required for the Load Balancer Controller):

    • Full access to WAF, WAFv2, and Shield
    • Limited read access to Cognito, ACM, and IAM certificates

  • Role Assumption & Passing:

    • Can assume roles with omnistrate-* prefix
    • Can pass roles to services if they're tagged with omnistrate.com/managed-by: omnistrate
    • Can pass specific roles including EKS nodegroup roles

This policy establishes a security boundary for the Omnistrate platform, allowing it to provision and manage infrastructure while providing guardrails on what actions it can perform within the AWS account.

All the policies setup in this phase can be easily removed once the platform is bootstrapped and the customer deployments are up and running. They only need to be restored in case of updates or new regions / accounts that need to be bootstrapped.

Service Management

AWS

OmnistrateInfrastructureProvisioningPolicy

This IAM managed policy (omnistrate-infrastructure-provisioning-policy) defines permissions for the Service Deployment Agent to manage resources within the AWS account. This is necessary for deploying and managing customer workloads on the platform and is assumed ONLY by the Service Deployment Agent within the customer's account. The full policy is available here. The policy includes:

  • IAM Read Access:

    • Read-only access to all IAM resources in the account (Get* and List* actions)

  • Specific Role Management:

    • Permission to get, pass, and list policies for specific pre-defined roles:
    • EKS node group roles
    • Omnistrate EKS IAM roles
    • AWS service-linked roles for EKS

  • IAM Resource Creation:

    • Create and manage roles and policies within the /omnistrate/ path
    • All role creation must use the omnistrate-bootstrap-permissions-boundary
    • Includes permissions to create, update, tag, and delete IAM resources

  • Core Infrastructure Services:

    • Full access to EC2, Elastic Load Balancing, EKS, and Auto Scaling
    • S3 access to workload buckets (optional)
    • Management of Amazon EFS resources (optional)

  • Role Assumption:

    • Can assume roles with the omnistrate-* prefix

This policy enables Omnistrate's infrastructure provisioning component to create and manage AWS resources while operating within the constraints of the permissions boundary. It focuses on the core services needed for Kubernetes-based service deployment while maintaining appropriate security guardrails.

OmnistrateEC2NodeGroupIAMRole

This IAM role is designed to support Amazon EKS deployments and is used by EC2 instances that serve as worker nodes in EKS clusters. The full policy is available here.

Key Characteristics:

  • Trust Relationship: Can be assumed by the EC2 service
  • Attached Policies:
    • AmazonEC2ContainerRegistryReadOnly: Access to pull images from ECR
    • AmazonEKSWorkerNodePolicy: Core permissions for EKS worker nodes
    • AmazonEKS_CNI_Policy: Required for Kubernetes networking
    • AutoScalingFullAccess: Allows managing Auto Scaling groups
  • Custom Inline Policy: Allows describing EKS nodegroups
  • Session Limit: 1 hour (3600 seconds)
  • Tagged: omnistrate.com/managed-by: omnistrate

OmnistrateEKSIAMRole

This IAM role is designed to support Amazon EKS deployments and is used by the EKS control plane to manage AWS resources on behalf of the cluster. The full policy is available here.

Key Characteristics:

  • Trust Relationship: Can be assumed by the EKS service
  • Attached Policies:
    • AmazonEC2ContainerRegistryReadOnly: Access to pull images from ECR
    • AmazonEKSClusterPolicy: Core permissions for EKS control plane
    • AmazonEKSServicePolicy: Legacy permissions (now included in cluster policy)
    • AmazonEKSVPCResourceController: Allows EKS to manage VPC resources
  • Session Limit: 1 hour (3600 seconds)
  • Tagged: omnistrate.com/managed-by: omnistrate

Both roles are essential components for deploying and operating Amazon EKS clusters, with the first role supporting worker nodes and the second enabling the Kubernetes control plane to interact with AWS services.

The OmnistrateInfrastructureProvisioningPolicy can be removed once a customer deployment is up and running. It needs to be restored only in the case of any updates or new deployments that need to be managed.