Add karpenter IAM Roles to the S3 bucket policy so that karpenter nodes can read userdata (#618)

fiunchinho · fiunchinho · commit 0198e0fe4958 · 2025-02-20T10:11:33.000+01:00
diff --git a/pkg/cloud/services/s3/s3.go b/pkg/cloud/services/s3/s3.go
@@ -560,6 +560,26 @@ func (s *Service) bucketPolicy(bucketName string) (string, error) {
 					},
 					Action:   []string{"s3:GetObject"},
 					Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/machine-pool/*", partition, bucketName)},
+				},
+				// At GiantSwarm we are creating karpenter node pools to manage the worker nodes.
+				// These nodes need access to the userdata stored in the folder created by karpenter.
+				iam.StatementEntry{
+					Sid:    iamInstanceProfile,
+					Effect: iam.EffectAllow,
+					Principal: map[iam.PrincipalType]iam.PrincipalID{
+						iam.PrincipalAWS: []string{fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, *accountID.Account, iamInstanceProfile)},
+					},
+					Action:   []string{"s3:GetObject"},
+					Resource: []string{fmt.Sprintf("arn:%s:s3:::%s/karpenter-machine-pool/*", partition, bucketName)},
+				},
+				iam.StatementEntry{
+					Sid:    iamInstanceProfile,
+					Effect: iam.EffectAllow,
+					Principal: map[iam.PrincipalType]iam.PrincipalID{
+						iam.PrincipalAWS: []string{fmt.Sprintf("arn:%s:iam::%s:role/%s", partition, *accountID.Account, iamInstanceProfile)},
+					},
+					Action:   []string{"s3:ListBucket"},
+					Resource: []string{fmt.Sprintf("arn:%s:s3:::%s", partition, bucketName)},
 				})
 		}
 	}
