Configure
- Configure Gitpod
- Workspaces
- User settings
- Organizations
- Repositories
- Authentication
- Billing
References
Integrations
Enterprise
- Overview
- Installation process
- Setup and Preparation
- Deploying
- Configure your Gitpod Instance
- Add an SCM integration
- Insights
- Administration
- Updating
- Background
- Reference
- Archive
Help
On this page
Reference
AWS IAM permissions
AWS IAM permission requirements
For more information on how and when these permissions are used, please see Deployment
and Updates.
- Substrate: The control plane that manages Enterprise instances
- Bootstrap: Initial set up required to create an instance of Enterprise
- Cell: An instance of Enterprise
- Permissions needed to execute the CloudFormation template that installs the Gitpod Infrastructure
- Permissions needed by the instance to bootstrap and operate
- Debugging role that can be assumed by the customer only
Permissions needed to execute the CloudFormation template that installs the Gitpod Infrastructure
Permissions needed to execute the CloudFormation template that installs the Gitpod Infrastructure
The permissions needed for this are defined by a separate CloudFormation which is first applied in the AWS account that Gitpod is to be installed into. More information on this can be found in the Getting Started guide.
Permissions needed by the instance to bootstrap and operate
Permissions needed by the instance to bootstrap and operate
During operations, the following permissions are required for a Enterprise instance to run within a customer’s AWS account. No permission to assume a role/permission from outside is needed.
Permissions required by an instance named 'foobar'
Permissions required by an instance named 'foobar'
Copy
Ask AI
{
"key": "vpcflowlogsroleA49E581D",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "vpc-flow-logs.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/vpc-flow-logs-role/Resource"
}
}
}
{
"key": "vpcflowlogsroleDefaultPolicyAAD1B3D4",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents",
"logs:DescribeLogStreams"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"vpcflowlogsgroup4676BF4E",
"Arn"
]
}
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"vpcflowlogsroleA49E581D",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "vpcflowlogsroleDefaultPolicyAAD1B3D4",
"Roles": [
{
"Ref": "vpcflowlogsroleA49E581D"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/vpc-flow-logs-role/DefaultPolicy/Resource"
}
}
}
{
"key": "registryfacadepolicyD3B21BD1",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"baseimagebuildrepoD634AA75",
"Arn"
]
},
{
"Fn::GetAtt": [
"workspaceimagebuildrepo9C4DE89D",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/registry-facade-policy/Resource"
}
}
}
{
"key": "imagebuilderpolicy98A11844",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken",
"ecr:TagResource",
"ecr:PutImage",
"ecr:InitiateLayerUpload",
"ecr:CompleteLayerUpload",
"ecr:UploadLayerPart"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"baseimagebuildrepoD634AA75",
"Arn"
]
},
{
"Fn::GetAtt": [
"workspaceimagebuildrepo9C4DE89D",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/image-builder-policy/Resource"
}
}
}
{
"key": "ecrpullsecretpolicy3C12CB71",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetDownloadUrlForLayer",
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"baseimagebuildrepoD634AA75",
"Arn"
]
},
{
"Fn::GetAtt": [
"workspaceimagebuildrepo9C4DE89D",
"Arn"
]
}
]
},
{
"Action": [
"ecr:BatchImportUpstreamImage",
"ecr:DescribeRegistry",
"ecr:GetAuthorizationToken"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"Description": "",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/ecr-pull-secret-policy/Resource"
}
}
}
{
"key": "rdsdbconnectserver0C78DEEF",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "rds-db:connect",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:rds-db:${region}:${accountID}:dbuser:${dbInstance}/gitpod",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"dbInstance": {
"Ref": "gitpoddbAD7CE160"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
}
],
"Version": "2012-10-17"
},
"Description": "Policy used by webapp components to access the database",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/rds-db-connect-server/Resource"
}
}
}
{
"key": "contentserviceroleF6B3E425",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListObjects",
"s3:ListObjectsV2",
"s3:ListBucketMultipartUploads",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:GetObjectAttributes",
"s3:ListBucket",
"s3:GetObjectVersionAttributes",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"contentservicebucketD68A2057",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Description": "",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/content-service-role/Resource"
}
}
}
{
"key": "prometheuspolicy8961D7A5",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"aps:RemoteWrite",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricsMetadata"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"prometheus",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Description": "",
"ManagedPolicyName": "foobar-prometheus",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/prometheus-policy/Resource"
}
}
}
{
"key": "grafanapolicy3E79243C",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"aps:QueryMetrics",
"aps:GetSeries",
"aps:GetLabels",
"aps:GetMetricsMetadata"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"prometheus",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"Description": "",
"ManagedPolicyName": "foobar-grafana",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/grafana-policy/Resource"
}
}
}
{
"key": "usagepolicy71D05CC3",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"s3:ListObjects",
"s3:ListObjectsV2",
"s3:ListBucketMultipartUploads",
"s3:DeleteObjectVersion",
"s3:ListBucketVersions",
"s3:GetObjectAttributes",
"s3:ListBucket",
"s3:GetObjectVersionAttributes",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:AbortMultipartUpload",
"s3:PutObjectVersionAcl",
"s3:DeleteObject",
"s3:PutObjectAcl",
"s3:GetObjectVersion"
],
"Effect": "Allow",
"Resource": {
"Fn::Join": [
"",
[
{
"Fn::GetAtt": [
"usagebucket853837BC",
"Arn"
]
},
"/*"
]
]
}
}
],
"Version": "2012-10-17"
},
"Description": "Read/write access to usage bucket",
"ManagedPolicyName": "foobar-usage",
"Path": "/"
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/usage-policy/Resource"
}
}
}
{
"key": "dynamodbaccessrw2116470B",
"value": {
"Type": "AWS::IAM::ManagedPolicy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"dynamodb:DescribeTable",
"dynamodb:Query",
"dynamodb:GetItem",
"dynamodb:PartiQLSelect",
"dynamodb:PutItem",
"dynamodb:UpdateItem",
"dynamodb:DescribeStream",
"dynamodb:GetRecords",
"dynamodb:GetShardIterator",
"dynamodb:ListStreams"
],
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"dynamotableresourcesF8FA6E47",
"Arn"
]
},
{
"Fn::GetAtt": [
"dynamotableresourcesF8FA6E47",
"StreamArn"
]
}
]
}
],
"Version": "2012-10-17"
},
"Description": "used by the Enterprise lambdas to access DynamoDB",
"Path": "/",
"Roles": [
{
"Ref": "lambdafunctioncontrollerroleF57C0FDD"
},
{
"Ref": "clustercontrollereksctlroleC1C3C3FD"
},
{
"Ref": "lambdaclusterctrldcroleAEB16FDF"
},
{
"Ref": "lambdaappcontrollerroleDE5D3901"
},
{
"Ref": "lambdacellstatecontrollerroleFAFF62D3"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/dynamodb-access-rw/Resource"
}
}
}
{
"key": "lambdaappcontrollerroleDE5D3901",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-app-controller-role/Resource"
}
}
}
{
"key": "lambdafunctioncontrollerroleF57C0FDD",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-function-controller-role/Resource"
}
}
}
{
"key": "functioncontrollercanaccessssmC9F8DA3A",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": "lambda:UpdateFunctionCode",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:lambda:${region}:${accountID}:function:*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "functioncontrollercanaccessssmC9F8DA3A",
"Roles": [
{
"Ref": "lambdafunctioncontrollerroleF57C0FDD"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/function-controller-can-access-ssm/Resource"
}
}
}
{
"key": "lambdaclusterctrlsfnrole9C1CFAD7",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": {
"Fn::FindInMap": [
"ServiceprincipalMap",
{
"Ref": "AWS::Region"
},
"states"
]
}
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cluster-ctrl-sfn-role/Resource"
}
}
}
{
"key": "lambdaclusterctrlsfnrolepolicy957C7A7C",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogDelivery",
"logs:GetLogDelivery",
"logs:UpdateLogDelivery",
"logs:DeleteLogDelivery",
"logs:ListLogDeliveries",
"logs:PutLogEvents",
"logs:PutResourcePolicy",
"logs:DescribeResourcePolicies",
"logs:DescribeLogGroups"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"events:PutTargets",
"events:PutRule",
"events:DescribeRule"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:events:${region}:${accountID}:rule/StepFunctionsGetEventsForECSTaskRule",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": [
"states:DescribeExecution",
"states:StopExecution",
"states:StartExecution"
],
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "lambdaclusterctrlsfnrolepolicy957C7A7C",
"Roles": [
{
"Ref": "lambdaclusterctrlsfnrole9C1CFAD7"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cluster-ctrl-sfn-role-policy/Resource"
}
}
}
{
"key": "clustercontrollertaskroleC42D05B1",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
}
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cluster-controller-task-role/Resource"
}
}
}
{
"key": "clustercontrollertaskrolepolicy4515677B",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"clustercontrollertaskslogs3E649D7D",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "clustercontrollertaskrolepolicy4515677B",
"Roles": [
{
"Ref": "clustercontrollertaskroleC42D05B1"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cluster-controller-task-role-policy/Resource"
}
}
}
{
"key": "clustercontrollereksctlroleC1C3C3FD",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "ecs-tasks.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
"arn:aws:iam::aws:policy/AmazonEC2FullAccess"
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cluster-controller-eksctl-role/Resource"
}
}
}
{
"key": "clustercontrollereksctlroleDefaultPolicyC8CE6A0B",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ecr:BatchCheckLayerAvailability",
"ecr:GetDownloadUrlForLayer",
"ecr:BatchGetImage"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ecr:${region}:096840763576:repository/poc/lambda-cluster",
{
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": "ecr:GetAuthorizationToken",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Effect": "Allow",
"Resource": {
"Fn::GetAtt": [
"clustercontrollertaskslogs3E649D7D",
"Arn"
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "clustercontrollereksctlroleDefaultPolicyC8CE6A0B",
"Roles": [
{
"Ref": "clustercontrollereksctlroleC1C3C3FD"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cluster-controller-eksctl-role/DefaultPolicy/Resource"
}
}
}
{
"key": "clustercontrollereksctlrolepolicy7884FB7E",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ssm:PutParameter",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/cell/foobar/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/aws/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": "cloudformation:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "eks:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"kms:CreateGrant",
"kms:DescribeKey"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "logs:PutRetentionPolicy",
"Effect": "Allow",
"Resource": "*"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:GetRole",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy",
"iam:GetOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:ListAttachedRolePolicies",
"iam:TagRole",
"iam:GetPolicy",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:ListPolicyVersions"
],
"Effect": "Allow",
"Resource": [
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:instance-profile/eksctl-*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:role/eksctl-*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:policy/eksctl-*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:oidc-provider/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:role/eksctl-managed-*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
},
{
"Fn::Sub": [
"arn:aws:iam::${accountID}:role/foobar*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
]
},
{
"Action": "iam:GetRole",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:iam::${accountID}:role/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "clustercontrollereksctlrolepolicy7884FB7E",
"Roles": [
{
"Ref": "clustercontrollereksctlroleC1C3C3FD"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cluster-controller-eksctl-role-policy/Resource"
}
}
}
{
"key": "lambdaclusterctrlsfnroleexecpolicyA791C5AD",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": "ecs:RunTask",
"Effect": "Allow",
"Resource": {
"Ref": "clustercontrollertaskB80858A6"
}
},
{
"Action": "iam:PassRole",
"Effect": "Allow",
"Resource": [
{
"Fn::GetAtt": [
"clustercontrollertaskroleC42D05B1",
"Arn"
]
},
{
"Fn::GetAtt": [
"clustercontrollereksctlroleC1C3C3FD",
"Arn"
]
}
]
}
],
"Version": "2012-10-17"
},
"PolicyName": "lambdaclusterctrlsfnroleexecpolicyA791C5AD",
"Roles": [
{
"Ref": "lambdaclusterctrlsfnrole9C1CFAD7"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cluster-ctrl-sfn-role-exec-policy/Resource"
}
}
}
{
"key": "lambdaclusterctrldcroleAEB16FDF",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cluster-ctrl-dc-role/Resource"
}
}
}
{
"key": "lambdaclusterctrldcpolicyB13892E2",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": [
"ec2:DescribeVpcs",
"ec2:DescribeSubnets",
"ec2:DescribeImages"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Action": "states:StartExecution",
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:states:${region}:${accountID}:stateMachine:*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "lambdaclusterctrldcpolicyB13892E2",
"Roles": [
{
"Ref": "lambdaclusterctrldcroleAEB16FDF"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cluster-ctrl-dc-policy/Resource"
}
}
}
{
"key": "lambdaappctrlpolicyF8E18B9E",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters",
"ssm:PutParameter"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": "s3:GetObject",
"Effect": "Allow",
"Resource": "arn:aws:s3:::foobar/*"
}
],
"Version": "2012-10-17"
},
"PolicyName": "lambdaappctrlpolicyF8E18B9E",
"Roles": [
{
"Ref": "lambdaappcontrollerroleDE5D3901"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-app-ctrl-policy/Resource"
}
}
}
{
"key": "lambdacellstatecontrollerroleFAFF62D3",
"value": {
"Type": "AWS::IAM::Role",
"Properties": {
"AssumeRolePolicyDocument": {
"Statement": [
{
"Action": "sts:AssumeRole",
"Effect": "Allow",
"Principal": {
"Service": "lambda.amazonaws.com"
}
}
],
"Version": "2012-10-17"
},
"ManagedPolicyArns": [
"arn:aws:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole"
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/lambda-cellstate-controller-role/Resource"
}
}
}
{
"key": "cellstatecontrollercanaccessssm288FE590",
"value": {
"Type": "AWS::IAM::Policy",
"Properties": {
"PolicyDocument": {
"Statement": [
{
"Action": [
"ssm:GetParameter",
"ssm:GetParameters"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:ssm:${region}:${accountID}:parameter/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
},
{
"Action": [
"secretsmanager:CreateSecret",
"secretsmanager:PutSecretValue",
"secretsmanager:GetSecretValue"
],
"Effect": "Allow",
"Resource": {
"Fn::Sub": [
"arn:aws:secretsmanager:${region}:${accountID}:secret:/gitpod/substrate/foobar/*",
{
"accountID": {
"Ref": "AWS::AccountId"
},
"region": {
"Ref": "AWS::Region"
}
}
]
}
}
],
"Version": "2012-10-17"
},
"PolicyName": "cellstatecontrollercanaccessssm288FE590",
"Roles": [
{
"Ref": "lambdacellstatecontrollerroleFAFF62D3"
}
]
},
"Metadata": {
"aws:cdk:path": "gitpod-cell/cellstate-controller-can-access-ssm/Resource"
}
}
}
Debugging role that can be assumed by the customer only
Debugging role that can be assumed by the customer only
In extraordinary circumstances, it may be necessary to perform certain operations within the AWS account of the Enterprise instance. Only the customer is able to access this, and thus a Gitpod employee may ask a Customer to assume this role. Please see Getting Access to the Instance for Debugging for more information.This role is called
gitpod-customer-debug-access-role and is created when applying the CloudFormation template to install Gitpod. This role includes two sets of permissions:- Read-only access to the AWS account a Enterprise instance is running: This read only access is defined by the default AWS managed policy
arn:aws:iam::aws:policy/ReadOnlyAccesswhich grants read-only access to all AWS resources and services within an account. - Read and write access to the Kubernetes clusters that are used to run Gitpod: Gives the customer (not Gitpod!)
kubectlaccess to the Kubernetes clusters used to run Gitpod.
Was this page helpful?
Assistant
Responses are generated using AI and may contain mistakes.