From 2b172a658537c273023d05e3da3ff71724bcc26e Mon Sep 17 00:00:00 2001
From: Artem Nefedov
Date: Thu, 22 Aug 2024 11:05:11 +0200
Subject: [PATCH 1/3] fix: "iam:PassRole" defined in CFN to work properly in AWS China
---
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/preview/reference/cloudformation.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)
diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 567808be5830..a688e863fe6e 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/preview/reference/cloudformation.md b/website/content/en/preview/reference/cloudformation.md
index 9fcfbf306a71..67d5e565d7b1 100644
--- a/website/content/en/preview/reference/cloudformation.md
+++ b/website/content/en/preview/reference/cloudformation.md
@@ -375,7 +375,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
From 910a4a4d3040567162eb108477d4f1d14d33e583 Mon Sep 17 00:00:00 2001
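Review bot: The new value `"ec2.${AWS::URLSuffix}"` in preview/getting-started/getting-started-with-karpenter/cloudformation.yaml only works if the surrounding policy document is passed through `Fn::Sub`, and the hunk starts and ends inside the statement, so that wrapper is not visible here. Without substitution IAM compares the literal string, the `StringEquals` on `iam:PassedToService` never matches, and `iam:PassRole` is denied in every partition (fail-closed, but instance launches break). Please confirm the `!Sub` and add a YAML comment above the policy resource such as `# PassedToService is built from AWS::URLSuffix; the document must go through Fn::Sub`. The same applies to the five cloudformation.yaml hunks of PATCH 2/3 (docs, v0.32, v0.36, v0.37, v1.0).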
From: Jonathan Innis
Date: Thu, 22 Aug 2024 09:50:11 -0700
Subject: [PATCH 2/3] Add url suffix template to all docs
---
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/docs/reference/cloudformation.md | 2 +-
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/v0.32/reference/cloudformation.md | 2 +-
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/v0.36/reference/cloudformation.md | 2 +-
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/v0.37/reference/cloudformation.md | 2 +-
 .../getting-started-with-karpenter/cloudformation.yaml | 2 +-
 website/content/en/v1.0/reference/cloudformation.md | 2 +-
 10 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 567808be5830..a688e863fe6e 100644
--- a/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/docs/reference/cloudformation.md b/website/content/en/docs/reference/cloudformation.md
index f9e0e7d4190b..9a69ce6bf638 100644
--- a/website/content/en/docs/reference/cloudformation.md
+++ b/website/content/en/docs/reference/cloudformation.md
@@ -375,7 +375,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
diff --git a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 29fb92ca3aaa..b870eaa227eb 100644
--- a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -189,7 +189,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/v0.32/reference/cloudformation.md b/website/content/en/v0.32/reference/cloudformation.md
index f62bbf238154..8f449cda27fb 100644
--- a/website/content/en/v0.32/reference/cloudformation.md
+++ b/website/content/en/v0.32/reference/cloudformation.md
@@ -341,7 +341,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
diff --git a/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 62fd118afff0..433d42026f7d 100644
--- a/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -206,7 +206,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/v0.36/reference/cloudformation.md b/website/content/en/v0.36/reference/cloudformation.md
index a93c285fe9ac..a747e20971b7 100644
--- a/website/content/en/v0.36/reference/cloudformation.md
+++ b/website/content/en/v0.36/reference/cloudformation.md
@@ -367,7 +367,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
diff --git a/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 62fd118afff0..433d42026f7d 100644
--- a/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -206,7 +206,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/v0.37/reference/cloudformation.md b/website/content/en/v0.37/reference/cloudformation.md
index 76b938c73eb4..3869b543be32 100644
--- a/website/content/en/v0.37/reference/cloudformation.md
+++ b/website/content/en/v0.37/reference/cloudformation.md
@@ -367,7 +367,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
diff --git a/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 567808be5830..a688e863fe6e 100644
--- a/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,7 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 },
diff --git a/website/content/en/v1.0/reference/cloudformation.md b/website/content/en/v1.0/reference/cloudformation.md
index f9e0e7d4190b..9a69ce6bf638 100644
--- a/website/content/en/v1.0/reference/cloudformation.md
+++ b/website/content/en/v1.0/reference/cloudformation.md
@@ -375,7 +375,7 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.amazonaws.com"
+ "iam:PassedToService": "ec2.${AWS::URLSuffix}"
 }
 }
 }
From 140f403054f65610dfecfa7e030b888d12b86b5d Mon Sep 17 00:00:00 2001
From: Artem Nefedov
Date: Fri, 30 Aug 2024 01:32:54 +0200
Subject: [PATCH 3/3] Use hardcoded list of services for "iam:PassedToService" condition
---
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/docs/reference/cloudformation.md | 5 ++++-
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/preview/reference/cloudformation.md | 5 ++++-
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/v0.32/reference/cloudformation.md | 5 ++++-
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/v0.36/reference/cloudformation.md | 5 ++++-
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/v0.37/reference/cloudformation.md | 5 ++++-
 .../getting-started-with-karpenter/cloudformation.yaml | 5 ++++-
 website/content/en/v1.0/reference/cloudformation.md | 5 ++++-
 12 files changed, 48 insertions(+), 12 deletions(-)
diff --git a/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
index a688e863fe6e..c2ec08c2f067 100644
--- a/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/docs/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
diff --git a/website/content/en/docs/reference/cloudformation.md b/website/content/en/docs/reference/cloudformation.md
index 9a69ce6bf638..4ef73ba826fa 100644
--- a/website/content/en/docs/reference/cloudformation.md
+++ b/website/content/en/docs/reference/cloudformation.md
@@ -375,7 +375,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }
diff --git a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
index a688e863fe6e..c2ec08c2f067 100644
--- a/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/preview/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
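Review bot: The two-entry list `"ec2.amazonaws.com"`, `"ec2.amazonaws.com.cn"` under `iam:PassedToService` in docs/getting-started/getting-started-with-karpenter/cloudformation.yaml records no reason for hard-coding the principals instead of keeping `ec2.${AWS::URLSuffix}`. A partition whose EC2 service principal uses another suffix will fail the `StringEquals`, so `iam:PassRole` is denied there; that is fail-closed, but it shows up as launch authorization errors rather than as a template error. Suggest a YAML comment above the policy resource (outside the JSON body), e.g. `# iam:PassedToService: explicit EC2 service principals per partition; extend this list when adding a partition`. The statement begins and ends outside the hunk, and the other cloudformation.yaml hunks in this patch (preview, v0.32, v0.36, v0.37, v1.0) carry the same list.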
diff --git a/website/content/en/preview/reference/cloudformation.md b/website/content/en/preview/reference/cloudformation.md
index 67d5e565d7b1..b8ae02dddf4d 100644
--- a/website/content/en/preview/reference/cloudformation.md
+++ b/website/content/en/preview/reference/cloudformation.md
@@ -375,7 +375,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }
diff --git a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
index b870eaa227eb..6aba809fb213 100644
--- a/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.32/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -189,7 +189,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
diff --git a/website/content/en/v0.32/reference/cloudformation.md b/website/content/en/v0.32/reference/cloudformation.md
index 8f449cda27fb..85345ab63f70 100644
--- a/website/content/en/v0.32/reference/cloudformation.md
+++ b/website/content/en/v0.32/reference/cloudformation.md
@@ -341,7 +341,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }
diff --git a/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 433d42026f7d..6bfc10fb7264 100644
--- a/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.36/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -206,7 +206,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
diff --git a/website/content/en/v0.36/reference/cloudformation.md b/website/content/en/v0.36/reference/cloudformation.md
index a747e20971b7..a948d2af13ce 100644
--- a/website/content/en/v0.36/reference/cloudformation.md
+++ b/website/content/en/v0.36/reference/cloudformation.md
@@ -367,7 +367,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }
diff --git a/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
index 433d42026f7d..6bfc10fb7264 100644
--- a/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v0.37/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -206,7 +206,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
diff --git a/website/content/en/v0.37/reference/cloudformation.md b/website/content/en/v0.37/reference/cloudformation.md
index 3869b543be32..74f40312f8b9 100644
--- a/website/content/en/v0.37/reference/cloudformation.md
+++ b/website/content/en/v0.37/reference/cloudformation.md
@@ -367,7 +367,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }
diff --git a/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml b/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
index a688e863fe6e..c2ec08c2f067 100644
--- a/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
+++ b/website/content/en/v1.0/getting-started/getting-started-with-karpenter/cloudformation.yaml
@@ -212,7 +212,10 @@ Resources:
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 },
diff --git a/website/content/en/v1.0/reference/cloudformation.md b/website/content/en/v1.0/reference/cloudformation.md
index 9a69ce6bf638..4ef73ba826fa 100644
--- a/website/content/en/v1.0/reference/cloudformation.md
+++ b/website/content/en/v1.0/reference/cloudformation.md
@@ -375,7 +375,10 @@ This gives EC2 permission explicit permission to use the `KarpenterNodeRole-${Cl
 "Action": "iam:PassRole",
 "Condition": {
 "StringEquals": {
- "iam:PassedToService": "ec2.${AWS::URLSuffix}"
+ "iam:PassedToService": [
+ "ec2.amazonaws.com",
+ "ec2.amazonaws.com.cn"
+ ]
 }
 }
 }