Please refer to the “Access Policies” section for details of each access policy that is present in a TrueFoundry compute cluster.

Access Policies Overview

If you are using the Terraform provided by TrueFoundry, the policies are created automatically. If you are using an existing cluster, you will need to create the policies manually.

Policy: ELBControllerPolicy
Description: Role assumed by the load balancer controller to provision an ELB when a Service of type LoadBalancer is created

Policy: KarpenterPolicy and SQSPolicy
Description: Role assumed by Karpenter to dynamically provision nodes and handle spot node termination

Policy: EFSPolicy
Description: Role assumed by the EFS CSI driver to provision and attach EFS volumes

Policy: EBSPolicy
Description: Role assumed by the EBS CSI driver to provision and attach EBS volumes

Policy: Role with policies for:
- ECR
- S3
- SSM
- EKS
Use the trust relationship: if you are using TrueFoundry’s control plane, the role will be assumed by arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps; otherwise it will be assumed by your own control plane’s IAM role.
Description: Role assumed by TrueFoundry to allow access to ECR, S3, and SSM services

Policy: ClusterRole with policies:
- AmazonEKSClusterPolicy
- AmazonEKSVPCResourceControllerPolicy
- EncryptionPolicy
Description: Role that provides Kubernetes permissions to manage the cluster lifecycle, networking, and encryption

Policy: NodeRole with policies:
- AmazonEC2ContainerRegistryReadOnlyPolicy
- AmazonEKS_CNI_Policy
- AmazonEKSWorkerNodePolicy
- AmazonSSMManagedInstanceCorePolicy
Description: Role assumed by EKS nodes to work with AWS resources for ECR access, IP assignment, and cluster registration
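The trust relationship referenced for the Role above, written out as an added example (this is not taken from the TrueFoundry documentation or Terraform): a trust policy that lets only the TrueFoundry control plane role assume the Role carrying the ECR, S3, SSM and EKS policies. The principal ARN is the one given in the table; if you run your own control plane, substitute that control plane's IAM role ARN.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::416964291864:role/tfy-ctl-euwe1-production-truefoundry-deps"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
```

Keep the principal set to this single role ARN rather than the account root (arn:aws:iam::416964291864:root), since a root principal would let any role in that account assume your Role.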

EncryptionPolicy, used to create and manage the key for encryption. The statement below grants the listed KMS actions on exactly one key: replace <region>, <aws_account_id> and <key_id> with your own values, and keep Resource scoped to that key ARN rather than a wildcard.

{
    "Statement": [
        {
            "Action": [
                "kms:Encrypt",
                "kms:Decrypt",
                "kms:ListGrants",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "arn:aws:kms:<region>:<aws_account_id>:key/<key_id>"
        }
    ],
    "Version": "2012-10-17"
}