Permissions granted to the Datavolo Cross-account IAM Role
The CloudFormation template creates an IAM Role named “Datavolo-EKSCrossAccountAccessRole” in the customer’s AWS account. Its trust policy allows Datavolo’s role “arn:aws:iam::339712952347:role/DatavoloByocCrossAccountRole” to assume it, and its permission policy grants only the limited set of permissions the Control Plane needs to manage the Data Plane. These permissions are:
EKS: List Clusters (eks:ListClusters), Describe Cluster (eks:DescribeCluster), Access Kubernetes API (not an IAM action: EKS grants it by mapping the role to Kubernetes RBAC inside the cluster)
EC2: Describe VPCs (ec2:DescribeVpcs)
Purpose of each permission (please see the Appendix for additional detail)
EKS List Clusters + Describe Cluster (eks:ListClusters, eks:DescribeCluster) - read the cluster metadata (endpoint, certificate authority, networking) required to install a Datavolo Data Plane within the EKS cluster
EC2 Describe VPCs (ec2:DescribeVpcs) - identify the VPC created by Datavolo’s CloudFormation template among any other VPCs in the account, so the Load Balancer can be provisioned in that VPC’s public subnets
EKS Access Kubernetes API - manage Runtimes from the Control Plane, and upgrade the Runtime Operator during scheduled, approved maintenance windows
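A customer deploying this role will usually want to confirm that what actually landed in the account is no wider than the scope listed above. The following Python is an added example, not part of Datavolo’s template or documentation: it audits a role’s trust policy and permission policy against the documented principal and the three IAM actions. The policy documents in it are constructed samples in the shape IAM uses (one matching the documented scope, one deliberately over-broad); in practice you would pass in the output of `aws iam get-role` and `aws iam get-role-policy`. The `sts:ExternalId` condition in the sample trust policy is an assumed hardening against the confused-deputy problem, not something the page states the template sets. Kubernetes API access is not an IAM action and is not checked here; it is granted by mapping the role into the cluster’s RBAC.

```python
"""Added example: audit a cross-account role against the scope documented for
Datavolo-EKSCrossAccountAccessRole.  Policy documents below are constructed
samples, not copied from the CloudFormation template."""
import json

DATAVOLO_PRINCIPAL = "arn:aws:iam::339712952347:role/DatavoloByocCrossAccountRole"

# IAM actions behind the documented permissions.  Kubernetes API access is not
# an IAM action (EKS maps the role to Kubernetes RBAC), so it is not listed.
DOCUMENTED_ACTIONS = frozenset({
    "eks:ListClusters",
    "eks:DescribeCluster",
    "ec2:DescribeVpcs",
})

# Constructed trust policy: only the Datavolo role may assume this role.
# The sts:ExternalId condition is an assumed hardening, not a documented fact.
TRUST_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": DATAVOLO_PRINCIPAL},
        "Action": "sts:AssumeRole",
        "Condition": {"StringEquals": {"sts:ExternalId": "example-external-id"}},
    }],
}

# Constructed permission policy matching the documented scope exactly.
PERMISSION_POLICY_OK = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": sorted(DOCUMENTED_ACTIONS),
        "Resource": "*",
    }],
}

# Constructed over-broad variants a reviewer should catch: the whole Datavolo
# account is trusted with no Condition, and eks:* plus an extra EC2 action.
TRUST_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"AWS": ["arn:aws:iam::339712952347:root", DATAVOLO_PRINCIPAL]},
        "Action": "sts:AssumeRole",
    }],
}
PERMISSION_POLICY_BAD = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["eks:*", "ec2:DescribeVpcs", "ec2:DescribeSubnets"],
        "Resource": "*",
    }],
}


def _as_list(value):
    """IAM accepts either a string or a list in Principal/Action fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(doc):
    """Flag any AssumeRole grant to a principal other than the documented
    Datavolo role, and any grant without a Condition (e.g. sts:ExternalId)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        principal = stmt.get("Principal", {})
        if principal == "*":
            findings.append("trust policy allows any principal")
            continue
        for arn in _as_list(principal.get("AWS")):
            if arn != DATAVOLO_PRINCIPAL:
                findings.append(f"unexpected principal {arn}")
        if "Condition" not in stmt:
            findings.append("AssumeRole has no Condition (e.g. sts:ExternalId)")
    return findings


def audit_permission_policy(doc):
    """Flag wildcard actions, actions outside the documented set, and
    NotAction statements (which grant everything except what is listed)."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:
            findings.append("NotAction grants every action not listed")
        for action in _as_list(stmt.get("Action")):
            if "*" in action:
                findings.append(f"wildcard action {action}")
            elif action not in DOCUMENTED_ACTIONS:
                findings.append(f"undocumented action {action}")
    return findings


def audit_role(trust_doc, permission_doc):
    """Combined findings; an empty list means the role matches the documented scope."""
    return audit_trust_policy(trust_doc) + audit_permission_policy(permission_doc)


if __name__ == "__main__":
    for name, trust, perm in [("documented", TRUST_POLICY_OK, PERMISSION_POLICY_OK),
                              ("over-broad", TRUST_POLICY_BAD, PERMISSION_POLICY_BAD)]:
        print(name, json.dumps(audit_role(trust, perm), indent=2))
```

Run against the real role, the check is intentionally strict: any action outside the three documented ones is reported even if it is harmless, so that a template change widening the scope is visible rather than silently accepted.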