This document describes the IAM roles Porter provisions in your AWS account, how access is established, and what each role is used for. It is intended for security review, compliance documentation, and internal audit. Porter operates on the principles of least privilege and separation of duties. The roles listed below have the minimal permissions necessary to support all Porter product features. Additional controls to limit the reach of Porter-created roles (e.g. IAM permissions boundaries, service control policies) are out of scope of this document; guidance is published separately. If you have questions or need a more restricted permission set, contact us at support@porter.run.

How Porter gains access to your AWS account

Porter uses AWS IAM role assumption to operate in your account. No long-lived customer credentials are stored by Porter; access is obtained through the AWS Security Token Service (STS) AssumeRole API, authenticated by a role in your account that trusts Porter’s management infrastructure.

One-time bootstrap

When you first connect an AWS account to Porter:

1. Enter your AWS Account ID. You enter your AWS Account ID in Porter’s UI.
2. Launch CloudFormation. Porter opens the AWS CloudFormation console in a new tab, pre-populated with the template URL and required parameters.
3. Review and create the stack. You review the template, acknowledge that it creates IAM resources, and click Create Stack. This is a standard CloudFormation console interaction — you control the execution.
4. Initial role is provisioned. CloudFormation creates one IAM role in your account: porter-access-manager. Its trust policy allows Porter’s management role to assume it. Its inline policy grants IAM write access so Porter can programmatically provision the rest of the role structure.
The CloudFormation stack is named PorterRole and lives entirely in your account. You retain full control over it — you can inspect, modify, or delete it at any time via the AWS Console, CLI, or IaC tooling.

Ongoing access

For day-to-day operations, Porter’s infrastructure assumes into your account through a two-step chain:
Porter's management infrastructure

        ▼  sts:AssumeRole
Porter's management role: arn:aws:iam::<porter-acct>:role/CAPIManagement

        ▼  sts:AssumeRole (with your project-specific ExternalId for porter-manager)
Your account: arn:aws:iam::<your-acct>:role/porter-<role-name>
All cross-account AssumeRole calls are logged in your AWS CloudTrail and attributed to Porter’s role.
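Because every hop of the chain lands in your CloudTrail, the access model above can be checked mechanically. The following is an added example, not Porter's own code: it audits sts:AssumeRole records against the rules stated on this page (only three roles are externally assumable, the caller must be Porter's CAPIManagement role, porter-manager must carry the project ExternalId). The account IDs, the ExternalId value, the role session name and the log records are constructed placeholders.

```python
"""Audit CloudTrail sts:AssumeRole records against Porter's access model.

Added example, not Porter's own code. Account IDs, the ExternalId and the
sample records below are constructed placeholders.
"""
import re

PORTER_ACCOUNT = "111111111111"                       # placeholder for <porter-acct>
YOUR_ACCOUNT = "222222222222"                         # placeholder for <your-acct>
EXPECTED_EXTERNAL_ID = "EXAMPLE-project-external-id"  # placeholder per-project value

EXTERNALLY_ASSUMABLE = {"porter-access-manager", "porter-manager", "porter-infra-manager"}
REQUIRES_EXTERNAL_ID = {"porter-manager"}

# In CloudTrail the caller appears as an assumed-role session of CAPIManagement.
CAPI_SESSION_RE = re.compile(
    rf"^arn:aws:sts::{PORTER_ACCOUNT}:assumed-role/CAPIManagement/[^/]+$"
)
ROLE_ARN_RE = re.compile(r"^arn:aws:iam::\d{12}:role/(.+)$")


def audit_record(record):
    """Return the findings for one CloudTrail record (empty list means clean).

    Denied attempts are logged too (errorCode is set); they are still reported,
    because a failed assume of a Porter role is worth investigating.
    """
    if record.get("eventSource") != "sts.amazonaws.com" or record.get("eventName") != "AssumeRole":
        return []
    params = record.get("requestParameters") or {}
    match = ROLE_ARN_RE.match(params.get("roleArn", ""))
    if not match or not match.group(1).startswith("porter-"):
        return []
    target = match.group(1)
    identity = record.get("userIdentity") or {}
    caller = identity.get("arn", "<no arn>")

    # AWS service principals (eks.amazonaws.com, ec2.amazonaws.com, Pod Identity)
    # legitimately assume the in-account roles and never present an ExternalId.
    if identity.get("type") == "AWSService":
        return []

    findings = []
    if target not in EXTERNALLY_ASSUMABLE:
        findings.append(f"{target}: not externally assumable, yet assumed by {caller}")
    if not CAPI_SESSION_RE.match(caller):
        findings.append(f"{target}: caller {caller} is not Porter's CAPIManagement role")
    if target in REQUIRES_EXTERNAL_ID and params.get("externalId") != EXPECTED_EXTERNAL_ID:
        findings.append(f"{target}: ExternalId missing or not this project's value")
    if record.get("errorCode"):
        findings = [f"{f} (attempt failed: {record['errorCode']})" for f in findings]
    return findings


def audit_records(records):
    """Flatten the findings over a batch of CloudTrail records."""
    return [finding for record in records for finding in audit_record(record)]


def _assume(caller_identity, role, external_id=None, error_code=None):
    """Build a constructed CloudTrail AssumeRole record for the samples below."""
    params = {"roleArn": f"arn:aws:iam::{YOUR_ACCOUNT}:role/{role}", "roleSessionName": "porter"}
    if external_id is not None:
        params["externalId"] = external_id
    record = {"eventSource": "sts.amazonaws.com", "eventName": "AssumeRole",
              "userIdentity": caller_identity, "requestParameters": params}
    if error_code is not None:
        record["errorCode"] = error_code
    return record


CAPI = {"type": "AssumedRole",
        "arn": f"arn:aws:sts::{PORTER_ACCOUNT}:assumed-role/CAPIManagement/capi-session"}
EKS_SERVICE = {"type": "AWSService", "invokedBy": "eks.amazonaws.com"}
LOCAL_USER = {"type": "IAMUser", "arn": f"arn:aws:iam::{YOUR_ACCOUNT}:user/alice"}

# Constructed sample log: three records matching the model, two deviations.
SAMPLE_RECORDS = [
    _assume(CAPI, "porter-manager", external_id=EXPECTED_EXTERNAL_ID),    # clean
    _assume(CAPI, "porter-access-manager"),                               # clean: no ExternalId by design
    _assume(EKS_SERVICE, "porter-controlplane-manager"),                  # clean: AWS service principal
    _assume(CAPI, "porter-manager"),                                      # ExternalId missing
    _assume(LOCAL_USER, "porter-node-manager", error_code="AccessDenied"),  # wrong role and caller
]

if __name__ == "__main__":
    for finding in audit_records(SAMPLE_RECORDS):
        print(finding)
```

In practice the records come from CloudTrail Lake, Athena over the trail's S3 bucket, or the LookupEvents API; the audit logic is unchanged.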

Roles Porter provisions in your account

The table below lists every IAM role Porter creates in your account. Assumable from outside indicates whether the role can be assumed by a principal outside your AWS account (i.e. Porter’s management role). Roles trusted only by AWS service principals or in-cluster pod identities cannot be directly assumed from outside your account.
Role: porter-access-manager
  Created by: CloudFormation (initial bootstrap)
  Assumable from outside: Yes (Porter’s CAPIManagement)
  Purpose: Grants Porter the ability to provision and update the rest of the IAM roles and policies in your account. Used for IAM operations only.

Role: porter-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: Yes (Porter’s CAPIManagement, gated by a per-project ExternalId)
  Purpose: Primary operational role. Used by Porter’s control plane to manage EKS clusters, networking, storage, container registries, observability, and datastores.

Role: porter-infra-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: Yes (Porter’s CAPIManagement)
  Purpose: Used by AWS Controllers for Kubernetes (ACK) to reconcile Kubernetes resource definitions to AWS state. Handles CloudWatch, CloudTrail, EventBridge, KMS, S3, SNS, and other EC2/VPC infrastructure.

Role: porter-controlplane-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: No (trusted by eks.amazonaws.com only)
  Purpose: Assumed by the AWS EKS service to operate the EKS managed control plane on your cluster.

Role: porter-node-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: No (trusted by ec2.amazonaws.com only)
  Purpose: Instance profile role for EKS worker nodes. Used by kubelet and in-cluster controllers (cluster-autoscaler, aws-load-balancer-controller) running on nodes.

Role: porter-karpenter
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: No (Pod Identity, pods.eks.amazonaws.com, scoped to your account)
  Purpose: Assumed by the Karpenter controller pod to provision and manage EC2 nodes for your cluster.

Role: porter-telemetry-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: No (Pod Identity)
  Purpose: Assumed by Porter’s OpenTelemetry collector pod to push cluster metrics to Amazon Managed Prometheus and Porter-managed S3 buckets.

Role: porter-agent-compliance-manager
  Created by: Provisioned by Porter after bootstrap
  Assumable from outside: No (Pod Identity)
  Purpose: Assumed by the porter-agent pod to manage CloudWatch alarms and publish SOC2 compliance notifications.

Role: porter-eso-secrets-manager
  Created by: Provisioned by Porter after creation of environment groups
  Assumable from outside: No (Pod Identity)
  Purpose: Assumed by the External Secrets Operator pod to retrieve environment-group secrets from AWS Secrets Manager. Scoped to the /porter/env-groups/* path.

Role: porter-s3-<hash>
  Created by: Provisioned dynamically per bucket
  Assumable from outside: No (Pod Identity)
  Purpose: One role per Porter-provisioned S3 bucket (logs buckets, release buckets, etc.). Each is scoped to objects in its specific bucket only, and can only be assumed by pods in your cluster.

Roles assumable from outside your account

Three roles — porter-access-manager, porter-manager, and porter-infra-manager — can be assumed from Porter’s management infrastructure outside your account.
  • porter-access-manager trust allows sts:AssumeRole from Porter’s CAPIManagement role. No ExternalId is used on this trust — the ACK IAM controller that assumes it does not support the sts:ExternalId parameter. This is a known constraint we are actively working to address with alternative attestation mechanisms.
  • porter-manager trust requires a per-project ExternalId. The ExternalId is generated per Porter project and is treated as a sensitive identifier.
  • porter-infra-manager trust has the same no-ExternalId constraint as porter-access-manager for the same ACK compatibility reason.
All three trust policies also permit certain AWS service principals (ec2.amazonaws.com, eks.amazonaws.com, pods.eks.amazonaws.com, vpc-flow-logs.amazonaws.com) to assume the role for specific AWS-initiated operations.
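The trust rules in this section (CAPIManagement as the only AWS principal, an ExternalId condition on porter-manager but not on the two ACK-assumed roles, and a fixed set of service principals) can be verified against the live trust policy documents. This added example, not Porter's own code, does that check; the Porter account ID, the ExternalId and the sample policy documents are constructed placeholders, and the policy shape is the standard IAM trust-policy JSON rather than Porter's published template.

```python
"""Check the trust policy of an externally assumable Porter role.

Added example, not Porter's own code. Account IDs, the ExternalId and the
sample documents are constructed placeholders.
"""

PORTER_ACCOUNT = "111111111111"                       # placeholder for <porter-acct>
CAPI_ROLE_ARN = f"arn:aws:iam::{PORTER_ACCOUNT}:role/CAPIManagement"
EXPECTED_EXTERNAL_ID = "EXAMPLE-project-external-id"  # placeholder per-project value
ALLOWED_SERVICES = {"ec2.amazonaws.com", "eks.amazonaws.com",
                    "pods.eks.amazonaws.com", "vpc-flow-logs.amazonaws.com"}
REQUIRES_EXTERNAL_ID = {"porter-manager"}


def _as_list(value):
    """IAM policy JSON allows a single string wherever it allows a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(role_name, policy_doc):
    """Return the findings for one role's trust policy (empty list means conformant)."""
    findings = []
    trusts_capi = False
    for stmt in _as_list(policy_doc.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if not set(_as_list(stmt.get("Action"))) & {"sts:AssumeRole", "sts:*", "*"}:
            continue
        principal = stmt.get("Principal") or {}
        # A bare "*" or {"AWS": "*"} would let any AWS account assume the role.
        if principal == "*" or "*" in _as_list(principal.get("AWS")):
            findings.append(f"{role_name}: wildcard principal may assume the role")
            continue
        for service in _as_list(principal.get("Service")):
            if service not in ALLOWED_SERVICES:
                findings.append(f"{role_name}: unexpected service principal {service}")
        for aws_principal in _as_list(principal.get("AWS")):
            if aws_principal != CAPI_ROLE_ARN:
                findings.append(f"{role_name}: unexpected AWS principal {aws_principal}")
                continue
            trusts_capi = True
            if role_name in REQUIRES_EXTERNAL_ID:
                string_equals = (stmt.get("Condition") or {}).get("StringEquals") or {}
                if string_equals.get("sts:ExternalId") != EXPECTED_EXTERNAL_ID:
                    findings.append(f"{role_name}: CAPIManagement trust lacks the project ExternalId condition")
    if not trusts_capi:
        findings.append(f"{role_name}: no statement trusts CAPIManagement")
    return findings


def _trust_policy(aws_principals, external_id=None):
    """Build a constructed trust policy in the shape the text describes."""
    capi_stmt = {"Effect": "Allow", "Principal": {"AWS": aws_principals}, "Action": "sts:AssumeRole"}
    if external_id is not None:
        capi_stmt["Condition"] = {"StringEquals": {"sts:ExternalId": external_id}}
    service_stmt = {"Effect": "Allow", "Principal": {"Service": sorted(ALLOWED_SERVICES)},
                    "Action": "sts:AssumeRole"}
    return {"Version": "2012-10-17", "Statement": [capi_stmt, service_stmt]}


# Constructed samples: the expected trust for porter-manager, a drifted copy that
# lost its ExternalId condition and gained another account's root principal, and
# porter-access-manager, which by design has no ExternalId.
GOOD_PORTER_MANAGER = _trust_policy(CAPI_ROLE_ARN, external_id=EXPECTED_EXTERNAL_ID)
DRIFTED_PORTER_MANAGER = _trust_policy([CAPI_ROLE_ARN, "arn:aws:iam::333333333333:root"])
GOOD_ACCESS_MANAGER = _trust_policy(CAPI_ROLE_ARN)

if __name__ == "__main__":
    for name, doc in [("porter-manager", GOOD_PORTER_MANAGER),
                      ("porter-manager", DRIFTED_PORTER_MANAGER),
                      ("porter-access-manager", GOOD_ACCESS_MANAGER)]:
        print(name, check_trust_policy(name, doc) or ["conformant"])
```

The live documents come from iam:GetRole (the AssumeRolePolicyDocument field), which porter-access-manager itself is permitted to read, so the check can run from an ordinary read-only audit principal.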

Permission inventory

Detailed permissions for each Porter-provisioned role, listed statement by statement.

porter-access-manager

For creating, updating, and deleting the other Porter-provisioned roles and their attached policies. Assumable by Porter’s CAPIManagement role, and by EC2, EKS, and EKS Pod Identity service principals. This is the most security-critical role. To remove Porter’s IAM management permissions, you can delete the CloudFormation stack that sets it up. In your AWS Console, navigate to CloudFormation → PorterRole stack → Delete.
Statement: IAMController
  Resource path: *
  Actions: iam:AttachRolePolicy, iam:CreatePolicy, iam:CreatePolicyVersion, iam:CreateRole, iam:DeletePolicy, iam:DeletePolicyVersion, iam:DeleteRole, iam:DeleteRolePolicy, iam:DetachRolePolicy, iam:GetPolicy, iam:GetPolicyVersion, iam:GetRole, iam:GetRolePolicy, iam:ListAttachedRolePolicies, iam:ListPolicyTags, iam:ListPolicyVersions, iam:ListRolePolicies, iam:ListRoleTags, iam:PutRolePermissionsBoundary, iam:PutRolePolicy, iam:TagPolicy, iam:TagRole, iam:UntagPolicy, iam:UntagRole, iam:UpdateAssumeRolePolicy, iam:UpdateRole
  Condition: none

porter-manager

For managing EKS clusters, networking, storage, container registries, and datastores via the Porter control plane. Assumable by Porter’s CAPIManagement role with a per-project ExternalId required, and by EC2 and EKS service principals.
Statement: EksClusterManagement
  Resource path: *
  Actions: ecr:CompleteLayerUpload, ecr:CreateRepository, ecr:InitiateLayerUpload, ecr:PutImage, ecr:TagResource, ecr:UploadLayerPart, eks:AssociateEncryptionConfig, eks:CreateAddon, eks:CreateCluster, eks:CreateNodegroup, eks:DeleteAddon, eks:DeleteCluster, eks:DeleteNodegroup, eks:DescribeAddon, eks:DescribeCluster, eks:DescribeNodegroup, eks:DescribeUpdate, eks:ListAddons, eks:ListFargateProfiles, eks:ListNodegroups, eks:ListUpdates, eks:TagResource, eks:UntagResource, eks:UpdateAddon, eks:UpdateClusterConfig, eks:UpdateClusterVersion, eks:UpdateNodegroupConfig, eks:UpdateNodegroupVersion, iam:AddClientIDToOpenIDConnectProvider, iam:CreateOpenIDConnectProvider, iam:CreateServiceLinkedRole, iam:DeleteOpenIDConnectProvider, iam:DeleteRole, iam:DetachRolePolicy, iam:GetOpenIDConnectProvider, iam:GetRole, iam:GetRolePolicy, iam:ListAttachedRolePolicies, iam:ListOpenIDConnectProviders, iam:PassRole, iam:TagOpenIDConnectProvider, iam:UpdateOpenIDConnectProviderThumbprint, secretsmanager:CreateSecret, secretsmanager:DeleteSecret, secretsmanager:TagResource, servicequotas:GetServiceQuota, servicequotas:ListRequestedServiceQuotaChangeHistoryByQuota, servicequotas:ListServiceQuotas, servicequotas:RequestServiceQuotaIncrease
  Condition: none
Statement: CloudFormation
  Resource path: *
  Actions: cloudformation:CreateStack, cloudformation:DescribeStacks, cloudformation:UpdateStack
  Condition: none
Statement: IamPorterAssumeRolePolicy
  Resource path: arn:aws:iam::*:role/porter*
  Actions: iam:UpdateAssumeRolePolicy
  Condition: none
Statement: KmsAliasAndKey
  Resource paths: arn:aws:kms:*:*:alias/*; arn:aws:kms:*:*:key/*
  Actions: kms:CreateAlias, kms:CreateGrant, kms:EnableKeyRotation, kms:PutKeyPolicy, kms:TagResource
  Condition: none
Statement: KmsCreateKey
  Resource path: *
  Actions: kms:CreateKey
  Condition: none
Statement: SsmGetParameter
  Resource path: *
  Actions: ssm:GetParameter
  Condition: none
Statement: Efs
  Resource path: *
  Actions: elasticfilesystem:CreateFileSystem, elasticfilesystem:CreateMountTarget, elasticfilesystem:DeleteFileSystem, elasticfilesystem:DeleteMountTarget, elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargets, elasticfilesystem:TagResource, elasticfilesystem:UntagResource
  Condition: none
Statement: Soc2Requirements
  Resource path: *
  Actions: ecr:GetRegistryScanningConfiguration, ecr:PutRegistryScanningConfiguration, inspector2:Enable
  Condition: none
Statement: EksClusterOperations
  Resource path: *
  Actions: account:ListRegions, autoscaling:DescribeScalingActivities, eks:CreatePodIdentityAssociation, eks:DeletePodIdentityAssociation, eks:DescribeCluster, eks:DescribeNodegroup, eks:DescribePodIdentityAssociation, eks:ListClusters, eks:ListPodIdentityAssociations
  Condition: none
Statement: LoadBalancersRead
  Resource path: *
  Actions: acm:AddTagsToCertificate, acm:DescribeCertificate, acm:ListCertificates, acm:RequestCertificate, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTags
  Condition: none
Statement: IamRoles
  Resource path: *
  Actions: iam:AttachRolePolicy, iam:CreateRole, iam:DeleteRole, iam:DeleteRolePolicy, iam:DetachRolePolicy, iam:GetPolicy, iam:GetRole, iam:GetRolePolicy, iam:ListAttachedRolePolicies, iam:ListRolePolicies, iam:PutRolePermissionsBoundary, iam:PutRolePolicy, iam:TagRole
  Condition: none
Statement: S3Storage
  Resource path: *
  Actions: s3:CreateBucket, s3:DeleteBucket, s3:DeleteObject, s3:GetBucketLocation, s3:GetBucketPolicy, s3:GetBucketTagging, s3:GetObject, s3:ListBucket, s3:PutBucketPolicy, s3:PutBucketPublicAccessBlock, s3:PutBucketTagging, s3:PutBucketVersioning, s3:PutObject
  Condition: none
Statement: SsmParameterStore
  Resource path: *
  Actions: ssm:AddTagsToResource, ssm:DeleteParameter, ssm:GetParameter, ssm:PutParameter
  Condition: none
Statement: EnvGroupSecrets
  Resource path: arn:*:secretsmanager:*:*:secret:/porter/env-groups/*
  Actions: secretsmanager:CreateSecret, secretsmanager:DeleteSecret, secretsmanager:GetSecretValue, secretsmanager:PutSecretValue, secretsmanager:TagResource
  Condition: none
Statement: Datastores
  Resource path: *
  Actions: elasticache:AddTagsToResource, elasticache:CreateCacheSubnetGroup, elasticache:CreateReplicationGroup, elasticache:DeleteCacheSubnetGroup, elasticache:DeleteReplicationGroup, elasticache:DescribeCacheClusters, elasticache:DescribeCacheSubnetGroups, elasticache:DescribeReplicationGroups, elasticache:ListTagsForResource, elasticache:ModifyCacheSubnetGroup, elasticache:ModifyReplicationGroup, rds:AddTagsToResource, rds:CreateDBCluster, rds:CreateDBInstance, rds:CreateDBSubnetGroup, rds:DeleteDBCluster, rds:DeleteDBInstance, rds:DeleteDBSubnetGroup, rds:DescribeDBClusterSnapshots, rds:DescribeDBClusters, rds:DescribeDBEngineVersions, rds:DescribeDBInstances, rds:DescribeDBSnapshots, rds:DescribeDBSubnetGroups, rds:FailoverDBCluster, rds:ListTagsForResource, rds:ModifyDBCluster, rds:ModifyDBInstance, rds:ModifyDBSubnetGroup, rds:RestoreDBClusterToPointInTime, rds:RestoreDBInstanceFromDBSnapshot
  Condition: none
Statement: Telemetry
  Resource path: *
  Actions: aps:*
  Condition: aws:ResourceTag/porter.run/managed = true
Statement: TelemetryAdmin
  Resource path: *
  Actions: aps:ListWorkspaces
  Condition: none
Statement: ReadOnlyBilling
  Resource path: *
  Actions: ce:Get*, ce:List*, freetier:GetAccountPlanState, pricing:*
  Condition: none
Statement: PorterInstanceProxy
  Resource path: *
  Actions: ec2:AssociateAddress, ec2:ImportKeyPair
  Condition: none
Statement: Sqs
  Resource path: *
  Actions: sqs:CreateQueue, sqs:DeleteQueue, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:SetQueueAttributes, sqs:TagQueue
  Condition: none
Statement: KarpenterInterruptionEventBridge
  Resource path: *
  Actions: events:DeleteRule, events:DescribeRule, events:PutRule, events:PutTargets, events:RemoveTargets, events:TagResource
  Condition: none
Statement: CloudWatchObservability
  Resource path: *
  Actions: cloudwatch:DeleteAlarms, cloudwatch:DescribeAlarms, cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics, cloudwatch:PutMetricAlarm, cloudwatch:TagResource, logs:DescribeLogGroups
  Condition: none
Statement: GuardDuty
  Resource path: *
  Actions: guardduty:CreateDetector, guardduty:DeleteDetector, guardduty:GetAdministratorAccount, guardduty:GetDetector, guardduty:ListDetectors, guardduty:TagResource, guardduty:UpdateDetector
  Condition: none
Statement: EcrPullImages
  Resource path: *
  Actions: ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, ecr:DescribeRepositories, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer
  Condition: none
Statement: KmsClusterEncryption
  Resource path: *
  Actions: kms:CreateGrant, kms:Decrypt, kms:DescribeKey, kms:Encrypt
  Condition: none
Statement: CloudTrailLookup
  Resource path: *
  Actions: cloudtrail:LookupEvents
  Condition: none
Statement: Ec2NetworkingCore
  Resource path: *
  Actions: autoscaling:DescribeAutoScalingGroups, ec2:AllocateAddress, ec2:AssociateRouteTable, ec2:AttachInternetGateway, ec2:CreateInternetGateway, ec2:CreateLaunchTemplate, ec2:CreateLaunchTemplateVersion, ec2:CreateNatGateway, ec2:CreateNetworkInterface, ec2:CreateRoute, ec2:CreateRouteTable, ec2:CreateSecurityGroup, ec2:CreateSubnet, ec2:CreateTags, ec2:CreateVpc, ec2:DeleteInternetGateway, ec2:DeleteLaunchTemplate, ec2:DeleteLaunchTemplateVersions, ec2:DeleteNatGateway, ec2:DeleteRouteTable, ec2:DeleteSecurityGroup, ec2:DeleteSubnet, ec2:DeleteVpc, ec2:DescribeAccountAttributes, ec2:DescribeAddresses, ec2:DescribeAvailabilityZones, ec2:DescribeEgressOnlyInternetGateways, ec2:DescribeImages, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeInternetGateways, ec2:DescribeKeyPairs, ec2:DescribeLaunchTemplateVersions, ec2:DescribeLaunchTemplates, ec2:DescribeNatGateways, ec2:DescribeRouteTables, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DescribeVpcAttribute, ec2:DescribeVpcs, ec2:DetachInternetGateway, ec2:DisassociateRouteTable, ec2:ModifyLaunchTemplate, ec2:ModifySubnetAttribute, ec2:ModifyVpcAttribute, ec2:ReleaseAddress, ec2:ReplaceRoute, ec2:RevokeSecurityGroupIngress, ec2:RunInstances, tag:GetResources
  Condition: none
Statement: VpcPeering
  Resource path: *
  Actions: ec2:AcceptVpcPeeringConnection, ec2:CreateVpcPeeringConnection, ec2:DeleteVpcPeeringConnection, ec2:DescribeVpcPeeringConnections, ec2:ModifyVpcPeeringConnectionOptions
  Condition: none
Statement: VpcEndpoints
  Resource path: *
  Actions: ec2:CreateVpcEndpoint, ec2:DeleteVpcEndpoints, ec2:DescribeVpcEndpointServiceConfigurations, ec2:DescribeVpcEndpoints, ec2:ModifyVpcEndpoint
  Condition: none
Statement: VpcFlowLogs
  Resource path: *
  Actions: ec2:CreateFlowLogs, ec2:DescribeFlowLogs
  Condition: none

porter-infra-manager

For reconciling CloudWatch, CloudTrail, EventBridge, KMS, SNS, and other EC2/VPC infrastructure via AWS Controllers for Kubernetes (ACK). Assumable by Porter’s CAPIManagement role (no ExternalId), and by EC2, EKS, EKS Pod Identity, and VPC Flow Logs service principals.
Statement: KmsManagement
  Resource path: *
  Actions: kms:CreateAlias, kms:CreateKey, kms:DeleteAlias, kms:Describe*, kms:EnableKeyRotation, kms:GenerateRandom, kms:Get*, kms:List*, kms:ScheduleKeyDeletion, kms:TagResource, kms:UntagResource, kms:UpdateAlias
  Condition: none
Statement: IamReadOnly
  Resource path: *
  Actions: iam:GetRolePolicy, iam:GetUser, iam:ListGroups, iam:ListRoles, iam:ListUsers
  Condition: none
Statement: CloudTrailS3Buckets
  Resource paths: arn:aws:s3:::aws-cloudtrail-logs*; arn:aws:s3:::porter-*; arn:aws:s3:::porter-*/*
  Actions: s3:*
  Condition: none
Statement: S3BucketsRead
  Resource path: *
  Actions: s3:GetBucketLocation, s3:GetBucketPolicy, s3:ListAllMyBuckets
  Condition: none
Statement: SecurityGroups
  Resource path: *
  Actions: ec2:AuthorizeSecurityGroupEgress, ec2:AuthorizeSecurityGroupIngress, ec2:CreateSecurityGroup, ec2:DeleteSecurityGroup, ec2:DeleteTags, ec2:DescribeManagedPrefixLists, ec2:DescribeSecurityGroupRules, ec2:DescribeSecurityGroups, ec2:RevokeSecurityGroupEgress, ec2:RevokeSecurityGroupIngress
  Condition: none
Statement: VpcManagement
  Resource path: *
  Actions: ec2:AcceptVpcPeeringConnection, ec2:AssociateRouteTable, ec2:CreateFlowLogs, ec2:CreateRoute, ec2:CreateRouteTable, ec2:CreateSubnet, ec2:CreateTags, ec2:CreateVpc, ec2:CreateVpcEndpoint, ec2:CreateVpcEndpointServiceConfiguration, ec2:CreateVpcPeeringConnection, ec2:DeleteFlowLogs, ec2:DeleteRoute, ec2:DeleteRouteTable, ec2:DeleteSubnet, ec2:DeleteVpc, ec2:DeleteVpcEndpoint, ec2:DeleteVpcEndpointServiceConfigurations, ec2:DeleteVpcPeeringConnection, ec2:DescribeFlowLogs, ec2:DescribeRouteTables, ec2:DescribeSubnets, ec2:DescribeVpcAttribute, ec2:DescribeVpcEndpointServiceConfigurations, ec2:DescribeVpcEndpointServicePermissions, ec2:DescribeVpcEndpointServices, ec2:DescribeVpcEndpoints, ec2:DescribeVpcPeeringConnections, ec2:DescribeVpcs, ec2:DisassociateRouteTable, ec2:ModifySubnetAttribute, ec2:ModifyVpcAttribute, ec2:ModifyVpcEndpoint, ec2:ModifyVpcEndpointServiceConfiguration, ec2:ModifyVpcEndpointServicePermissions
  Condition: none
Statement: CloudTrail
  Resource path: *
  Actions: cloudtrail:*
  Condition: none
Statement: CloudTrailLogGroup
  Resource path: arn:aws:logs:*:*:log-group:aws-cloudtrail-logs*
  Actions: logs:CreateLogGroup
  Condition: none
Statement: CloudTrailPassRole
  Resource path: *
  Actions: iam:PassRole
  Condition: iam:PassedToService = cloudtrail.amazonaws.com
Statement: S3ReplicationPassRole
  Resource path: *
  Actions: iam:PassRole
  Condition: iam:PassedToService = s3.amazonaws.com
Statement: PorterInfraManagerPassRole
  Resource path: arn:aws:iam::<account-id>:role/porter-infra-manager
  Actions: iam:PassRole
  Condition: none
Statement: Datastores
  Resource path: *
  Actions: cloudwatch:DeleteAlarms, cloudwatch:DescribeAlarms, cloudwatch:GetMetricData, cloudwatch:GetMetricStatistics, cloudwatch:ListMetrics, cloudwatch:PutMetricAlarm, ec2:CreateTags, ec2:CreateVpcEndpoint, ec2:DescribeAccountAttributes, ec2:DescribeAvailabilityZones, ec2:DescribeCoipPools, ec2:DescribeInternetGateways, ec2:DescribeLocalGatewayRouteTablePermissions, ec2:DescribeLocalGatewayRouteTableVpcAssociations, ec2:DescribeLocalGatewayRouteTables, ec2:DescribeLocalGateways, ec2:DescribeSecurityGroups, ec2:DescribeVpcs, ec2:GetCoipPoolUsage, elasticache:*, kms:DescribeKey, kms:ListAliases, kms:ListKeys, logs:DescribeLogGroups, logs:DescribeLogStreams, logs:GetLogEvents, rds:*, sns:ListSubscriptions, sns:ListTopics, sns:Publish
  Condition: none
Statement: NodeGroupManagement
  Resource path: *
  Actions: ec2:DescribeLaunchTemplates
  Condition: aws:ResourceTag/porter.run/managed = true
Statement: Telemetry
  Resource path: *
  Actions: aps:*
  Condition: aws:ResourceTag/porter.run/managed = true
Statement: DatastoreServiceLinkedRoles
  Resource path: *
  Actions: iam:CreateServiceLinkedRole
  Condition: iam:AWSServiceName in [elasticache.amazonaws.com, rds.amazonaws.com, rds.application-autoscaling.amazonaws.com]
Statement: CostExplorer
  Resource path: *
  Actions: ce:GetCostAndUsage
  Condition: none
Statement: PorterInstanceProxy
  Resource path: *
  Actions: ec2:AllocateAddress, ec2:AssociateAddress, ec2:AttachInternetGateway, ec2:CreateInternetGateway, ec2:DescribeAddresses, ec2:DescribeInstances, ec2:DetachInternetGateway, ec2:ImportKeyPair, ec2:RunInstances, ec2:TerminateInstances
  Condition: none
Statement: CloudWatchLogs
  Resource path: *
  Actions: logs:CreateLogGroup, logs:CreateLogStream, logs:DeleteLogGroup, logs:DeleteRetentionPolicy, logs:DescribeLogGroups, logs:DescribeLogStreams, logs:DescribeSubscriptionFilters, logs:ListTagsForResource, logs:PutLogEvents, logs:PutRetentionPolicy, logs:TagResource, logs:UntagResource
  Condition: none
Statement: Sns
  Resource path: *
  Actions: sns:CreateTopic, sns:DeleteTopic, sns:GetTopicAttributes, sns:ListTagsForResource, sns:SetTopicAttributes, sns:Subscribe, sns:TagResource, sns:Unsubscribe
  Condition: none
Statement: EventBridgeRules
  Resource path: *
  Actions: events:DescribeEventBus, events:DescribeRule, events:ListTagsForResource, events:ListTargetsByRule, events:PutRule, events:TagResource
  Condition: none

porter-controlplane-manager

For operating the EKS managed control plane. Assumable by EKS service principals (not by Porter). Statements prefixed with AmazonEKSClusterPolicy* are defined by AWS in the AmazonEKSClusterPolicy managed policy.
Statement: AmazonEKSClusterPolicy
  Resource path: *
  Actions: autoscaling:DescribeAutoScalingGroups, autoscaling:UpdateAutoScalingGroup, ec2:AttachVolume, ec2:AuthorizeSecurityGroupIngress, ec2:CreateRoute, ec2:CreateSecurityGroup, ec2:CreateTags, ec2:CreateVolume, ec2:DeleteRoute, ec2:DeleteSecurityGroup, ec2:DeleteVolume, ec2:DescribeAccountAttributes, ec2:DescribeAddresses, ec2:DescribeAvailabilityZones, ec2:DescribeDhcpOptions, ec2:DescribeInstances, ec2:DescribeInstanceTopology, ec2:DescribeInternetGateways, ec2:DescribeNetworkInterfaces, ec2:DescribeRouteTables, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DescribeVolumesModifications, ec2:DescribeVpcs, ec2:DetachVolume, ec2:ModifyInstanceAttribute, ec2:ModifyVolume, ec2:RevokeSecurityGroupIngress, elasticloadbalancing:AddTags, elasticloadbalancing:ApplySecurityGroupsToLoadBalancer, elasticloadbalancing:AttachLoadBalancerToSubnets, elasticloadbalancing:ConfigureHealthCheck, elasticloadbalancing:CreateListener, elasticloadbalancing:CreateLoadBalancer, elasticloadbalancing:CreateLoadBalancerListeners, elasticloadbalancing:CreateLoadBalancerPolicy, elasticloadbalancing:CreateTargetGroup, elasticloadbalancing:DeleteListener, elasticloadbalancing:DeleteLoadBalancer, elasticloadbalancing:DeleteLoadBalancerListeners, elasticloadbalancing:DeleteTargetGroup, elasticloadbalancing:DeregisterInstancesFromLoadBalancer, elasticloadbalancing:DeregisterTargets, elasticloadbalancing:DescribeListeners, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancerPolicies, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeTargetGroupAttributes, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:DescribeTargetHealth, elasticloadbalancing:DetachLoadBalancerFromSubnets, elasticloadbalancing:ModifyListener, elasticloadbalancing:ModifyLoadBalancerAttributes, elasticloadbalancing:ModifyTargetGroup, elasticloadbalancing:ModifyTargetGroupAttributes, elasticloadbalancing:RegisterInstancesWithLoadBalancer, elasticloadbalancing:RegisterTargets, elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer, elasticloadbalancing:SetLoadBalancerPoliciesOfListener, kms:DescribeKey
  Condition: none
Statement: AmazonEKSClusterPolicySLRCreate
  Resource path: *
  Actions: iam:CreateServiceLinkedRole
  Condition: iam:AWSServiceName = elasticloadbalancing.amazonaws.com
Statement: AmazonEKSClusterPolicyENIDelete
  Resource path: *
  Actions: ec2:DeleteNetworkInterface
  Condition: ec2:ResourceTag/eks:eni:owner = amazon-vpc-cni
Statement: LoadBalancers
  Resource path: *
  Actions: acm:DescribeCertificate, acm:GetCertificate, acm:ListCertificates, acm:RequestCertificate, ec2:DeleteTags, elasticloadbalancing:AddListenerCertificates, elasticloadbalancing:AddTags, elasticloadbalancing:ApplySecurityGroupsToLoadBalancer, elasticloadbalancing:ConfigureHealthCheck, elasticloadbalancing:CreateLoadBalancer, elasticloadbalancing:CreateRule, elasticloadbalancing:DeleteLoadBalancer, elasticloadbalancing:DeleteRule, elasticloadbalancing:DeleteTargetGroup, elasticloadbalancing:DeregisterInstancesFromLoadBalancer, elasticloadbalancing:DescribeListenerAttributes, elasticloadbalancing:DescribeListenerCertificates, elasticloadbalancing:DescribeLoadBalancerAttributes, elasticloadbalancing:DescribeLoadBalancers, elasticloadbalancing:DescribeRules, elasticloadbalancing:DescribeTags, elasticloadbalancing:DescribeTargetGroups, elasticloadbalancing:ModifyLoadBalancerAttributes, elasticloadbalancing:ModifyRule, elasticloadbalancing:RegisterInstancesWithLoadBalancer, elasticloadbalancing:RemoveListenerCertificates, elasticloadbalancing:RemoveTags, elasticloadbalancing:SetRulePriorities, elasticloadbalancing:SetSubnets, elasticloadbalancing:SetWebACL, wafv2:AssociateWebACL, wafv2:GetWebACL, wafv2:GetWebACLForResource, wafv2:ListResourcesForWebACL, wafv2:ListRuleGroups, wafv2:ListTagsForResource, wafv2:ListWebACLs, wafv2:TagResource
  Condition: none
Statement: ClusterAutoscaling
  Resource path: *
  Actions: autoscaling:DescribeAutoScalingGroups, autoscaling:DescribeAutoScalingInstances, autoscaling:DescribeLaunchConfigurations, autoscaling:DescribeScalingActivities, autoscaling:DescribeTags, autoscaling:SetDesiredCapacity, autoscaling:TerminateInstanceInAutoScalingGroup, ec2:DescribeImages, ec2:DescribeInstanceTypes, ec2:DescribeLaunchTemplateVersions, ec2:GetInstanceTypesFromInstanceRequirements, eks:DescribeNodegroup
  Condition: none

porter-node-manager

Instance profile role for EKS worker nodes. Assumable by the EC2 service principal (not by Porter). Statements prefixed with Amazon* are defined by AWS in the corresponding AWS-managed policy. Statements prefixed with Ebs* are individual statements from the AWS-managed AmazonEBSCSIDriverPolicy; statement names below are descriptive and not part of the AWS-published policy.
Statement: CustomerCloudWatchLogs
  Resource path: *
  Actions: logs:CreateLogGroup, logs:CreateLogStream, logs:DescribeLogStreams, logs:PutLogEvents, logs:PutRetentionPolicy
  Condition: none
Statement: CustomerEcrAccess
  Resource path: *
  Actions: ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, ecr:DescribeImages, ecr:DescribeRegistry, ecr:DescribeRepositories, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer, ecr:ListImages, ecr:ListTagsForResource
  Condition: none
Statement: CustomerEcrPublicAccess
  Resource path: *
  Actions: ecr-public:GetAuthorizationToken, sts:GetServiceBearerToken
  Condition: none
Statement: ParameterStoreAccess
  Resource path: *
  Actions: ssm:GetParameter*
  Condition: none
Statement: AmazonEKSCNIPolicy
  Resource path: *
  Actions: ec2:AssignPrivateIpAddresses, ec2:AttachNetworkInterface, ec2:CreateNetworkInterface, ec2:DeleteNetworkInterface, ec2:DescribeInstances, ec2:DescribeInstanceTypes, ec2:DescribeNetworkInterfaces, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeTags, ec2:DetachNetworkInterface, ec2:ModifyNetworkInterfaceAttribute, ec2:UnassignPrivateIpAddresses
  Condition: none
Statement: AmazonEKSCNIPolicyENITag
  Resource path: arn:aws:ec2:*:*:network-interface/*
  Actions: ec2:CreateTags
  Condition: none
Statement: AmazonEKSClusterPolicy
  Resource path: *
  Actions: (same actions as in porter-controlplane-manager’s AmazonEKSClusterPolicy statement)
  Condition: none
Statement: AmazonEKSClusterPolicySLRCreate
  Resource path: *
  Actions: iam:CreateServiceLinkedRole
  Condition: iam:AWSServiceName = elasticloadbalancing.amazonaws.com
Statement: AmazonEKSClusterPolicyENIDelete
  Resource path: *
  Actions: ec2:DeleteNetworkInterface
  Condition: ec2:ResourceTag/eks:eni:owner = amazon-vpc-cni
Statement: WorkerNodePermissions
  Resource path: *
  Actions: ec2:DescribeInstances, ec2:DescribeInstanceTypes, ec2:DescribeRouteTables, ec2:DescribeSecurityGroups, ec2:DescribeSubnets, ec2:DescribeVolumes, ec2:DescribeVolumesModifications, ec2:DescribeVpcs, eks:DescribeCluster, eks-auth:AssumeRoleForPodIdentity
  Condition: none
Statement: AmazonEC2ContainerRegistryReadOnly
  Resource path: *
  Actions: ecr:BatchCheckLayerAvailability, ecr:BatchGetImage, ecr:DescribeImages, ecr:DescribeImageScanFindings, ecr:DescribeRepositories, ecr:GetAuthorizationToken, ecr:GetDownloadUrlForLayer, ecr:GetLifecyclePolicy, ecr:GetLifecyclePolicyPreview, ecr:GetRepositoryPolicy, ecr:ListImages, ecr:ListTagsForResource
  Condition: none
Statement: EbsDescribe
  Resource path: *
  Actions: ec2:DescribeAvailabilityZones, ec2:DescribeInstances, ec2:DescribeInstanceTypes, ec2:DescribeSnapshots, ec2:DescribeTags, ec2:DescribeVolumes, ec2:DescribeVolumeStatus, ec2:DescribeVolumesModifications
  Condition: none
Statement: EbsVolumeSnapshotModify
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:CreateSnapshot, ec2:ModifyVolume
  Condition: none
Statement: EbsCopyVolumes
  Resource path: arn:aws:ec2:*:*:volume/vol-*
  Actions: ec2:CopyVolumes
  Condition: none
Statement: EbsAttachDetach
  Resource paths: arn:aws:ec2:*:*:volume/*; arn:aws:ec2:*:*:instance/*
  Actions: ec2:AttachVolume, ec2:DetachVolume
  Condition: none
Statement: EbsCreateVolumeFromSnapshot
  Resource path: arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:CreateVolume, ec2:EnableFastSnapshotRestores
  Condition: none
Statement: EbsCreateTagsOnCreate
  Resource paths: arn:aws:ec2:*:*:volume/*; arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:CreateTags
  Condition: ec2:CreateAction in [CreateVolume, CreateSnapshot, CopyVolumes]
Statement: EbsDeleteTags
  Resource paths: arn:aws:ec2:*:*:volume/*; arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:DeleteTags
  Condition: none
Statement: EbsCreateVolumeClusterTag
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:CreateVolume, ec2:CopyVolumes
  Condition: aws:RequestTag/ebs.csi.aws.com/cluster like true
Statement: EbsCreateVolumeCsiName
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:CreateVolume, ec2:CopyVolumes
  Condition: aws:RequestTag/CSIVolumeName like *
Statement: EbsDeleteVolumeClusterTag
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:DeleteVolume
  Condition: ec2:ResourceTag/ebs.csi.aws.com/cluster like true
Statement: EbsDeleteVolumeCsiName
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:DeleteVolume
  Condition: ec2:ResourceTag/CSIVolumeName like *
Statement: EbsDeleteVolumePvcName
  Resource path: arn:aws:ec2:*:*:volume/*
  Actions: ec2:DeleteVolume
  Condition: ec2:ResourceTag/kubernetes.io/created-for/pvc/name like *
Statement: EbsCreateSnapshotCsiName
  Resource path: arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:CreateSnapshot
  Condition: aws:RequestTag/CSIVolumeSnapshotName like *
Statement: EbsCreateSnapshotClusterTag
  Resource path: arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:CreateSnapshot
  Condition: aws:RequestTag/ebs.csi.aws.com/cluster like true
Statement: EbsDeleteSnapshotCsiName
  Resource path: arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:DeleteSnapshot, ec2:LockSnapshot
  Condition: ec2:ResourceTag/CSIVolumeSnapshotName like *
Statement: EbsDeleteSnapshotClusterTag
  Resource path: arn:aws:ec2:*:*:snapshot/*
  Actions: ec2:DeleteSnapshot, ec2:LockSnapshot
  Condition: ec2:ResourceTag/ebs.csi.aws.com/cluster like true
Statement: AllowDescribe
  Resource path: *
  Actions: elasticfilesystem:DescribeAccessPoints, elasticfilesystem:DescribeFileSystems, elasticfilesystem:DescribeMountTargets, ec2:DescribeAvailabilityZones
  Condition: none
Statement: AllowCreateAccessPoint
  Resource path: *
  Actions: elasticfilesystem:CreateAccessPoint
  Condition: aws:RequestTag/efs.csi.aws.com/cluster is not null; aws:TagKeys = efs.csi.aws.com/cluster
Statement: AllowTagNewAccessPoints
  Resource path: *
  Actions: elasticfilesystem:TagResource
  Condition: elasticfilesystem:CreateAction = CreateAccessPoint; aws:RequestTag/efs.csi.aws.com/cluster is not null; aws:TagKeys = efs.csi.aws.com/cluster
Statement: AllowDeleteAccessPoint
  Resource path: *
  Actions: elasticfilesystem:DeleteAccessPoint
  Condition: aws:ResourceTag/efs.csi.aws.com/cluster is not null
Statement: LoadBalancers
  Resource path: *
  Actions: (same as porter-controlplane-manager’s LoadBalancers statement)
  Condition: none
Statement: ClusterAutoscaling
  Resource path: *
  Actions: (same as porter-controlplane-manager’s ClusterAutoscaling statement)
  Condition: none

porter-karpenter

For provisioning and managing cost-optimized EKS worker nodes. Assumable by the Karpenter controller pod using EKS Pod Identities.
Statement: ScopedEc2InstanceAccess
  Resource paths: arn:aws:ec2:*::image/*; arn:aws:ec2:*::snapshot/*; arn:aws:ec2:*:*:security-group/*; arn:aws:ec2:*:*:subnet/*
  Actions: ec2:CreateFleet, ec2:RunInstances
  Condition: none
Statement: ScopedEc2LaunchTemplateAccess
  Resource path: arn:aws:ec2:*:*:launch-template/*
  Actions: ec2:CreateFleet, ec2:RunInstances
  Condition: none
Statement: ScopedEc2InstanceCreate
  Resource paths: arn:aws:ec2:*:*:fleet/*; arn:aws:ec2:*:*:instance/*; arn:aws:ec2:*:*:launch-template/*; arn:aws:ec2:*:*:network-interface/*; arn:aws:ec2:*:*:spot-instances-request/*; arn:aws:ec2:*:*:volume/*
  Actions: ec2:CreateFleet, ec2:CreateLaunchTemplate, ec2:RunInstances
  Condition: none
Statement: ScopedResourceCreationTagging
  Resource paths: (same resources as ScopedEc2InstanceCreate)
  Actions: ec2:CreateTags
  Condition: ec2:CreateAction in [CreateFleet, CreateLaunchTemplate, RunInstances]; aws:RequestTag/karpenter.sh/nodepool like *
Statement: ScopedResourceTagging
  Resource path: arn:aws:ec2:*:*:instance/*
  Actions: ec2:CreateTags
  Condition: none
Statement: ScopedEc2Deletion
  Resource paths: arn:aws:ec2:*:*:instance/*; arn:aws:ec2:*:*:launch-template/*
  Actions: ec2:DeleteLaunchTemplate, ec2:TerminateInstances
  Condition: none
Statement: RegionalEc2Read
  Resource path: *
  Actions: ec2:DescribeImages, ec2:DescribeInstanceTypeOfferings, ec2:DescribeInstanceTypes, ec2:DescribeInstances, ec2:DescribeLaunchTemplates, ec2:DescribeSecurityGroups, ec2:DescribeSpotPriceHistory, ec2:DescribeSubnets
  Condition: none
Statement: PricingRead
  Resource path: *
  Actions: pricing:GetProducts
  Condition: none
Statement: SsmParameterRead
  Resource path: *
  Actions: ssm:GetParameter
  Condition: none
Statement: SqsInterruptionQueue
  Resource path: arn:aws:sqs:*:*:*
  Actions: sqs:CreateQueue, sqs:DeleteMessage, sqs:DeleteQueue, sqs:GetQueueAttributes, sqs:GetQueueUrl, sqs:ReceiveMessage, sqs:SetQueueAttributes, sqs:TagQueue
  Condition: none
Statement: EventBridgeRules
  Resource path: arn:aws:events:*:*:rule/*
  Actions: events:DeleteRule, events:DescribeRule, events:PutRule, events:PutTargets, events:RemoveTargets
  Condition: none
Statement: PassNodeInstanceRole
  Resource path: arn:aws:iam::<account-id>:role/porter-node-manager
  Actions: iam:PassRole
  Condition: iam:PassedToService in [ec2.amazonaws.com, ec2.amazonaws.com.cn]
Statement: InstanceProfileScoped
  Resource path: arn:aws:iam::*:instance-profile/*
  Actions: iam:AddRoleToInstanceProfile, iam:CreateInstanceProfile, iam:DeleteInstanceProfile, iam:GetInstanceProfile, iam:RemoveRoleFromInstanceProfile, iam:TagInstanceProfile
  Condition: none
Statement: InstanceProfileList
  Resource path: *
  Actions: iam:ListInstanceProfiles
  Condition: none
Statement: EksClusterDescribe
  Resource path: arn:aws:eks:*:*:cluster/*
  Actions: eks:DescribeCluster
  Condition: none
Statement: ServiceLinkedRoleCreate
  Resource path: arn:aws:iam::*:role/aws-service-role/*
  Actions: iam:CreateServiceLinkedRole
  Condition: none

porter-telemetry-manager

For collecting and exporting OTLP metrics. Assumable by the OpenTelemetry Collector pod using EKS Pod Identities.
Statement: PorterMetrics
  Resource path: *
  Actions: aps:GetLabels, aps:GetMetricMetadata, aps:GetSeries, aps:QueryMetrics, aps:RemoteWrite
  Condition: none
Statement: PorterLogs
  Resource paths: arn:aws:s3:::porter-*; arn:aws:s3:::porter-*/*
  Actions: s3:AbortMultipartUpload, s3:CreateBucket, s3:DeleteObject, s3:GetObject, s3:ListBucket, s3:ListBucketVersions, s3:PutObject
  Condition: none

porter-agent-compliance-manager

For managing compliance alarms. Assumable by the Porter Agent pod using EKS Pod Identities.
Statement: CloudWatchAlarms
  Resource path: *
  Actions: cloudwatch:DeleteAlarms, cloudwatch:DescribeAlarms, cloudwatch:ListTagsForResource, cloudwatch:PutMetricAlarm, cloudwatch:TagResource
  Condition: none
Statement: SnsPublish
  Resource path: arn:aws:sns:*:*:porter-soc2-notifications-*
  Actions: sns:Publish
  Condition: none

porter-eso-secrets-manager

For managing environment group secrets in Secrets Manager. Assumable by the External Secrets Operator pod using EKS Pod Identities.
Statement: EnvGroupSecrets
  Resource path: arn:*:secretsmanager:*:*:secret:/porter/env-groups/*
  Actions: secretsmanager:BatchGetSecretValue, secretsmanager:DescribeSecret, secretsmanager:GetSecretValue
  Condition: none
Statement: ListSecretsCatalog
  Resource path: *
  Actions: secretsmanager:ListSecrets
  Condition: none

porter-s3-*

For creating, updating, and deleting S3 objects for specific buckets. Assumable by the Loki pod using EKS Pod Identities. One role is provisioned per Porter-managed bucket; scoping to a single bucket is enforced by the per-bucket EKS Pod Identity trust on the role itself.
Statement: S3ObjectAccess
  Resource path: arn:aws:s3:::*/*
  Actions: s3:DeleteObject, s3:DeleteObjectVersion, s3:GetObject, s3:GetObjectVersion, s3:PutObject
  Condition: none