Changelog
CLI Reference
- tensorkube account
- tensorkube cluster
- tensorkube configure
- tensorkube datasets
- tensorkube deploy
- tensorkube deployment
- tensorkube dev
- tensorkube domain
- tensorkube environment
- tensorkube get-permissions-command
- tensorkube get-principal-arn
- tensorkube give-cluster-access
- tensorkube install-prerequisites
- tensorkube job
- tensorkube list
- tensorkube login
- tensorkube reset
- tensorkube secret
- tensorkube sync
- tensorkube teardown
- tensorkube train
- tensorkube upgrade
- tensorkube version
- tensorkube volume
Permissions
Permissions
Permissions for Configure
AWS Permissions required for running tensorkube configure
For any IAM or Identity Center User running configure, they must have the following permissions.
Ensure that you replace <ACCOUNT_NO> with your AWS AccountId.
This policy might exceed the AWS Policy character limit so you might need to break it into multiple policies.
policy.json
Copy
Ask AI
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "PassRolePermission",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::<ACCOUNT_NO>:role/*tensorkube*"
]
},
{
"Sid": "CloudformationPermissions",
"Effect": "Allow",
"Action": [
"cloudformation:ListStacks",
"cloudformation:CreateStack",
"cloudformation:DeleteStack",
"cloudformation:DescribeStacks",
"cloudformation:UpdateStack",
"cloudformation:ValidateTemplate",
"cloudformation:TagResource",
"cloudformation:ListStackResources",
"cloudformation:DescribeStackEvents",
"cloudformation:CreateChangeSet"
],
"Resource": "*"
},
{
"Sid": "CodebuildPermissions",
"Effect": "Allow",
"Action" : [
"codebuild:CreateProject",
"codebuild:DeleteProject",
"codebuild:BatchGetProjects",
"codebuild:StartBuild",
"codebuild:BatchGetBuilds"
],
"Resource": "*"
},
{
"Sid": "IAMPermissions",
"Effect": "Allow",
"Action": [
"iam:SimulatePrincipalPolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:TagRole",
"iam:UntagRole",
"iam:ListAttachedRolePolicies",
"iam:CreatePolicy",
"iam:DeletePolicy",
"iam:GetPolicy",
"iam:CreatePolicyVersion",
"iam:DeletePolicyVersion",
"iam:SetDefaultPolicyVersion",
"iam:TagPolicy",
"iam:CreateOpenIDConnectProvider",
"iam:DeleteOpenIDConnectProvider",
"iam:GetOpenIDConnectProvider",
"iam:TagOpenIDConnectProvider",
"iam:UntagOpenIDConnectProvider",
"iam:ListPolicyVersions"
],
"Resource": "*"
},
{
"Sid": "SQSPermissions",
"Effect": "Allow",
"Action": [
"sqs:CreateQueue",
"sqs:DeleteQueue",
"sqs:GetQueueAttributes",
"sqs:GetQueueUrl",
"sqs:ReceiveMessage",
"sqs:DeleteMessage",
"sqs:SetQueueAttributes",
"sqs:TagQueue"
],
"Resource": "*"
},
{
"Sid": "EventBridgePermissions",
"Effect": "Allow",
"Action": [
"events:PutRule",
"events:DeleteRule",
"events:PutTargets",
"events:RemoveTargets",
"events:DescribeRule"
],
"Resource": "*"
},
{
"Sid": "EKSClusterPermissions",
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:CreateAddon",
"eks:DeleteAddon",
"eks:DescribeAddon",
"eks:ListAddons",
"eks:UpdateAddon",
"eks:AssociateIdentityProviderConfig",
"eks:DisassociateIdentityProviderConfig",
"eks:DescribeIdentityProviderConfig",
"eks:ListIdentityProviderConfigs",
"eks:CreateNodegroup",
"eks:DeleteNodegroup",
"eks:DescribeNodegroup",
"eks:UpdateNodegroupConfig",
"eks:TagResource",
"eks:UntagResource",
"eks:CreatePodIdentityAssociation",
"eks:DescribePodIdentityAssociation",
"eks:DeletePodIdentityAssociation",
"eks:CreateAccessEntry",
"eks:DeleteAccessEntry",
"eks:DescribeAccessEntry",
"eks:AssociateAccessPolicy",
"eks:ListAssociatedAccessPolicies"
],
"Resource": "*"
},
{
"Sid": "EC2PermissionsFullAccess",
"Effect": "Allow",
"Action": [
"ec2:CreateVpc",
"ec2:DeleteVpc",
"ec2:DescribeVpcs",
"ec2:ModifyVpcAttribute",
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DescribeInternetGateways",
"ec2:AttachInternetGateway",
"ec2:DetachInternetGateway",
"ec2:CreateNatGateway",
"ec2:DeleteNatGateway",
"ec2:DescribeNatGateways",
"ec2:AllocateAddress",
"ec2:ReleaseAddress",
"ec2:DescribeAddresses",
"ec2:CreateRoute",
"ec2:DeleteRoute",
"ec2:ReplaceRoute",
"ec2:DescribeRouteTables",
"ec2:CreateRouteTable",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DisassociateRouteTable",
"ec2:CreateSubnet",
"ec2:DeleteSubnet",
"ec2:DescribeSubnets",
"ec2:ModifySubnetAttribute",
"ec2:CreateSecurityGroup",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:RevokeSecurityGroupIngress",
"ec2:CreateLaunchTemplate",
"ec2:DeleteLaunchTemplate",
"ec2:DescribeLaunchTemplates",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:DescribeInstances",
"ec2:CreateTags",
"ec2:DeleteTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeLaunchTemplateVersions"
],
"Resource": "*"
},
{
"Sid": "LambdaPermissions",
"Effect": "Allow",
"Action": [
"lambda:CreateFunction",
"lambda:DeleteFunction",
"lambda:InvokeFunction",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration",
"lambda:GetFunction",
"lambda:AddPermission",
"lambda:RemovePermission",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": "*"
},
{
"Sid": "CloudwatchPermissions",
"Effect": "Allow",
"Action": [
"cloudwatch:PutMetricAlarm",
"cloudwatch:DescribeAlarms",
"cloudwatch:ListTagsForResource",
"cloudwatch:DeleteAlarms",
"logs:CreateLogGroup",
"logs:DeleteLogGroup",
"logs:TagResource",
"logs:UntagResource",
"logs:DescribeLogGroups",
"logs:PutRetentionPolicy",
"logs:DescribeIndexPolicies",
"logs:ListTagsForResource",
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": "*"
},
{
"Sid": "ECRPermissions",
"Effect": "Allow",
"Action": [
"ecr:CreateRepository",
"ecr:DeleteRepository",
"ecr:DescribeRepositories",
"ecr:PutImage",
"ecr:BatchCheckLayerAvailability",
"ecr:BatchGetImage",
"ecr:GetAuthorizationToken",
"ecr:GetDownloadUrlForLayer",
"ecr:TagResource",
"ecr:UntagResource",
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:InitiateLayerUpload"
],
"Resource": "*"
},
{
"Sid": "DynamoDBPermissions",
"Effect": "Allow",
"Action": [
"dynamodb:CreateTable",
"dynamodb:DeleteTable",
"dynamodb:DescribeTable",
"dynamodb:ListTables",
"dynamodb:TagResource",
"dynamodb:UntagResource"
],
"Resource": "*"
},
{
"Sid": "S3Permissions",
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject",
"s3:ListBucket",
"s3:PutBucketTagging"
],
"Resource": "*"
},
{
"Sid": "SNSPermissions",
"Effect": "Allow",
"Action": [
"sns:CreateTopic",
"sns:Subscribe",
"sns:SetTopicAttributes",
"sns:GetTopicAttributes",
"sns:ListSubscriptionsByTopic",
"sns:TagResource",
"sns:Unsubscribe",
"sns:UntagResource",
"sns:DeleteTopic"
],
"Resource": "*"
},
{
"Sid": "StateMachinePermissions",
"Effect": "Allow",
"Action": [
"states:CreateStateMachine",
"states:StartExecution",
"states:TagResource",
"states:UntagResource",
"states:DescribeStateMachine",
"states:DeleteStateMachine"
],
"Resource": "*"
},
{
"Sid": "XRayPermissions",
"Effect": "Allow",
"Action": [
"xray:PutTraceSegments",
"xray:PutTelemetryRecords",
"xray:GetSamplingRules",
"xray:GetSamplingTargets"
],
"Resource": "*"
}
]
}
Assistant
Responses are generated using AI and may contain mistakes.