kubernetes
/
kops
mirror of https://github.com/kubernetes/kops.git
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

Merge pull request #13280 from olemarkus/lbc-irsa 

Add missing permissions to aws lbc for irsa
This commit is contained in:
Kubernetes Prow Robot 2022-02-18 09:18:23 -08:00 committed by GitHub
parent eca996eabf cd247f0b3a
commit a8ceb305de
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
6 changed files with 346 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

59
pkg/model/iam/iam_builder.go
View File

@ -953,28 +953,61 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
// AddAWSLoadbalancerControllerPermissions adds the permissions needed for the aws load balancer controller to the givnen policy // AddAWSLoadbalancerControllerPermissions adds the permissions needed for the aws load balancer controller to the givnen policy
func AddAWSLoadbalancerControllerPermissions(p *Policy) { func AddAWSLoadbalancerControllerPermissions(p *Policy) {
p.unconditionalAction.Insert( p.unconditionalAction.Insert(
"ec2:DescribeAvailabilityZones",
"ec2:DescribeNetworkInterfaces",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:CreateRule",
"acm:ListCertificates",
"acm:DescribeCertificate", "acm:DescribeCertificate",
"acm:ListCertificates",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribeSubnets",
"ec2:DescribeSecurityGroups",
"ec2:DescribeVpcs",
"ec2:DescribeAccountAttributes",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetHealth",
) )
p.clusterTaggedAction.Insert( p.clusterTaggedAction.Insert(
"ec2:AuthorizeSecurityGroupIngress", // aws.go "ec2:AuthorizeSecurityGroupIngress", // aws.go
"ec2:DeleteSecurityGroup", // aws.go "ec2:DeleteSecurityGroup", // aws.go
"ec2:RevokeSecurityGroupIngress", // aws.go "ec2:RevokeSecurityGroupIngress", // aws.go
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags", "elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets",
)
p.clusterTaggedCreateAction.Insert(
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup",
)
p.AddEC2CreateAction(
[]string{
"CreateSecurityGroup",
},
[]string{
"security-group",
},
) )
} }

76
tests/integration/update_cluster/aws-lb-controller/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
View File

@ -1,16 +1,58 @@
{ {
"Statement": [ "Statement": [
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com",
"ec2:CreateAction": [
"CreateSecurityGroup"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{ {
"Action": [ "Action": [
"acm:DescribeCertificate", "acm:DescribeCertificate",
"acm:ListCertificates", "acm:ListCertificates",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaces",
"elasticloadbalancing:CreateRule", "ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth" "elasticloadbalancing:DescribeTargetHealth"
], ],
"Effect": "Allow", "Effect": "Allow",
@ -22,10 +64,19 @@
"ec2:DeleteSecurityGroup", "ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyRule", "elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags" "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
], ],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
@ -34,6 +85,27 @@
}, },
"Effect": "Allow", "Effect": "Allow",
"Resource": "*" "Resource": "*"
},
{
"Action": [
"ec2:CreateSecurityGroup",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateSecurityGroup",
"Effect": "Allow",
"Resource": "arn:aws-test:ec2:*:*:vpc/*"
} }
], ],
"Version": "2012-10-17" "Version": "2012-10-17"

76
tests/integration/update_cluster/many-addons-ccm-irsa/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
View File

@ -1,16 +1,58 @@
{ {
"Statement": [ "Statement": [
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com",
"ec2:CreateAction": [
"CreateSecurityGroup"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{ {
"Action": [ "Action": [
"acm:DescribeCertificate", "acm:DescribeCertificate",
"acm:ListCertificates", "acm:ListCertificates",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaces",
"elasticloadbalancing:CreateRule", "ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth" "elasticloadbalancing:DescribeTargetHealth"
], ],
"Effect": "Allow", "Effect": "Allow",
@ -22,10 +64,19 @@
"ec2:DeleteSecurityGroup", "ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyRule", "elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags" "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
], ],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
@ -34,6 +85,27 @@
}, },
"Effect": "Allow", "Effect": "Allow",
"Resource": "*" "Resource": "*"
},
{
"Action": [
"ec2:CreateSecurityGroup",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateSecurityGroup",
"Effect": "Allow",
"Resource": "arn:aws-test:ec2:*:*:vpc/*"
} }
], ],
"Version": "2012-10-17" "Version": "2012-10-17"

76
tests/integration/update_cluster/many-addons-ccm-irsa23/data/aws_iam_role_policy_aws-load-balancer-controller.kube-system.sa.minimal.example.com_policy
View File

@ -1,16 +1,58 @@
{ {
"Statement": [ "Statement": [
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com",
"ec2:CreateAction": [
"CreateSecurityGroup"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{ {
"Action": [ "Action": [
"acm:DescribeCertificate", "acm:DescribeCertificate",
"acm:ListCertificates", "acm:ListCertificates",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAvailabilityZones", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaces",
"elasticloadbalancing:CreateRule", "ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeTags", "elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth" "elasticloadbalancing:DescribeTargetHealth"
], ],
"Effect": "Allow", "Effect": "Allow",
@ -22,10 +64,19 @@
"ec2:DeleteSecurityGroup", "ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteRule", "elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:ModifyRule", "elasticloadbalancing:ModifyRule",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RemoveTags" "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
], ],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
@ -34,6 +85,27 @@
}, },
"Effect": "Allow", "Effect": "Allow",
"Resource": "*" "Resource": "*"
},
{
"Action": [
"ec2:CreateSecurityGroup",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup"
],
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "ec2:CreateSecurityGroup",
"Effect": "Allow",
"Resource": "arn:aws-test:ec2:*:*:vpc/*"
} }
], ],
"Version": "2012-10-17" "Version": "2012-10-17"

41
tests/integration/update_cluster/many-addons-ccm/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -163,6 +163,39 @@
"arn:aws-test:ec2:*:*:security-group/*" "arn:aws-test:ec2:*:*:security-group/*"
] ]
}, },
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com",
"ec2:CreateAction": [
"CreateSecurityGroup"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{ {
"Action": [ "Action": [
"ec2:CreateTags" "ec2:CreateTags"
@ -196,6 +229,7 @@
"ec2:DescribeAvailabilityZones", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions", "ec2:DescribeRegions",
@ -215,7 +249,6 @@
"ec2:UnassignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListeners",
@ -271,8 +304,11 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags", "elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
], ],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
@ -289,6 +325,7 @@
"ec2:CreateVolume", "ec2:CreateVolume",
"elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup" "elasticloadbalancing:CreateTargetGroup"
], ],
"Condition": { "Condition": {

41
tests/integration/update_cluster/many-addons/data/aws_iam_role_policy_masters.minimal.example.com_policy
View File

@ -163,6 +163,39 @@
"arn:aws-test:ec2:*:*:snapshot/*" "arn:aws-test:ec2:*:*:snapshot/*"
] ]
}, },
{
"Action": "ec2:CreateTags",
"Condition": {
"StringEquals": {
"aws:RequestTag/KubernetesCluster": "minimal.example.com",
"ec2:CreateAction": [
"CreateSecurityGroup"
]
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{
"Action": [
"ec2:CreateTags",
"ec2:DeleteTags"
],
"Condition": {
"Null": {
"aws:RequestTag/KubernetesCluster": "true"
},
"StringEquals": {
"aws:ResourceTag/KubernetesCluster": "minimal.example.com"
}
},
"Effect": "Allow",
"Resource": [
"arn:aws-test:ec2:*:*:security-group/*"
]
},
{ {
"Action": [ "Action": [
"ec2:CreateTags" "ec2:CreateTags"
@ -196,6 +229,7 @@
"ec2:DescribeAvailabilityZones", "ec2:DescribeAvailabilityZones",
"ec2:DescribeInstanceTypes", "ec2:DescribeInstanceTypes",
"ec2:DescribeInstances", "ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeLaunchTemplateVersions", "ec2:DescribeLaunchTemplateVersions",
"ec2:DescribeNetworkInterfaces", "ec2:DescribeNetworkInterfaces",
"ec2:DescribeRegions", "ec2:DescribeRegions",
@ -215,7 +249,6 @@
"ec2:UnassignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses",
"elasticloadbalancing:AddTags", "elasticloadbalancing:AddTags",
"elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup", "elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListeners",
@ -271,8 +304,11 @@
"elasticloadbalancing:RegisterInstancesWithLoadBalancer", "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets", "elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:RemoveTags", "elasticloadbalancing:RemoveTags",
"elasticloadbalancing:SetIpAddressType",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener" "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"elasticloadbalancing:SetSecurityGroups",
"elasticloadbalancing:SetSubnets"
], ],
"Condition": { "Condition": {
"StringEquals": { "StringEquals": {
@ -289,6 +325,7 @@
"ec2:CreateVolume", "ec2:CreateVolume",
"elasticloadbalancing:CreateListener", "elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:CreateTargetGroup" "elasticloadbalancing:CreateTargetGroup"
], ],
"Condition": { "Condition": {