From 74e7e4ba41c1e4205bcc5de2e5b5087fb89d1218 Mon Sep 17 00:00:00 2001
From: yissachar <ydradcliffe@gmail.com>
Date: Sun, 29 Jan 2017 01:46:10 -0500
Subject: [PATCH] Add some more detail to additionalPolicies docs

---
 docs/iam_roles.md | 22 ++++++++++++++++++++++
 1 file changed, 22 insertions(+)

diff --git a/docs/iam_roles.md b/docs/iam_roles.md
index f6c29d9a69..789e715649 100644
--- a/docs/iam_roles.md
+++ b/docs/iam_roles.md
@@ -103,3 +103,25 @@ Now you can update to have the changes take effect:
 ```
 kops update cluster ${CLUSTER_NAME} --yes
 ```
+
+You can have an additional policy for each kops role (node, master, bastion). For instance, if you wanted to apply one set of additional permissions to the master instances, and another to the nodes, you could do the following:
+
+```
+  additionalPolicies:
+    node: |
+      [
+        {
+          "Effect": "Allow",
+          "Action": ["es:*"],
+          "Resource": ["*"]
+        }
+      ]
+    master: |
+      [
+        {
+          "Effect": "Allow",
+          "Action": ["dynamodb:*"],
+          "Resource": ["*"]
+        }
+      ]
+```