Skip to main content
Please read through Bring Your Own Cloud (BYOC) to understand BYOC in more detail.

Deployment Options

  • Turnkey / default - creates a VPN and cluster for a fully managed install
  • BYO-VPN - requires the customer to provide a VPN

Overview

This document guides you through giving Streamkap access to provision software to your AWS account by creating an IAM role that trusted Streamkap IAM principal. Access is limited to the permissions defined in the following IAM policies:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Resource": "*",
            "Action": [
                "ec2:DescribeAddressesAttribute",
                "ec2:CreateNetworkAclEntry",
                "ecr:UntagResource",
                "eks:ListAccessEntries",
                "eks:CreateAccessEntry",
                "eks:DescribeAccessEntry",
                "eks:UpdateAccessEntry",
                "eks:AssociateAccessPolicy",
                "eks:DisassociateAccessPolicy",
                "eks:CreateAddon",
                "eks:DescribeAddon",
                "eks:UpdateAddon",
                "eks:DeleteAddon",
                "eks:DescribeAddonConfiguration",
                "eks:DescribeAddonVersions",
                "eks:ListAddons",
                "eks:ListAssociatedAccessPolicies",
                "eks:CreateCluster",
                "eks:UpdateClusterVersion",
                "eks:DescribeCluster",
                "eks:CreateNodegroup",
                "eks:DescribeNodegroup",
                "eks:UpdateNodegroupVersion",
                "eks:TagResource",
                "eks:UntagResource",
                "eks:ListTagsForResource",
                "eks:DescribeUpdate",
                "eks:UpdateNodegroupConfig",
                "eks:CreatePodIdentityAssociation",
                "eks:Describe*",
                "ec2:CreateNetworkInterface",
                "ec2:Describe*",
                "iam:UntagPolicy",
                "iam:UntagRole",
                "kms:UntagResource",
                "logs:UntagResource",
                "logs:ListTagsForResource",
                "ec2:AllocateAddress",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateInternetGateway",
                "ec2:CreateLaunchTemplate",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcs",
                "ec2:ModifyLaunchTemplate",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:TerminateInstances",
                "ec2:GetConsoleOutput",
                "ec2:DescribeInstances",
                "ec2:AttachNetworkInterface",
                "ec2:AssociateAddress",
                "ecr:CreateRepository",
                "ecr:DescribeRepositories",
                "ecr:ListTagsForResource",
                "ecr:TagResource",
                "iam:AttachRolePolicy",
                "iam:CreateOpenIDConnectProvider",
                "iam:CreatePolicy",
                "iam:CreatePolicyVersion",
                "iam:CreateRole",
                "iam:CreateServiceLinkedRole",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicy",
                "iam:GetPolicyVersion",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies",
                "iam:ListPolicyVersions",
                "iam:PassRole",
                "iam:PutRolePolicy",
                "iam:TagOpenIDConnectProvider",
                "iam:TagPolicy",
                "iam:TagRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:AddRoleToInstanceProfile",
                "iam:UpdateRole",
                "iam:DetachRolePolicy",
                "iam:ListInstanceProfilesForRole",
                "kms:CreateAlias",
                "kms:CreateGrant",
                "kms:CreateKey",
                "kms:DescribeKey",
                "kms:GetKeyPolicy",
                "kms:GetKeyRotationStatus",
                "kms:ListAliases",
                "kms:ListResourceTags",
                "kms:PutKeyPolicy",
                "kms:TagResource",
                "kms:UpdateAlias",
                "kms:EnableKeyRotation",
                "logs:CreateLogGroup",
                "logs:DescribeLogGroups",
                "logs:ListTagsLogGroup",
                "logs:PutRetentionPolicy",
                "logs:TagLogGroup",
                "logs:TagResource",
                "logs:UntagResource",
                "acm:*",
                "elasticloadbalancing:*",
                "cloudformation:Describe*",
                "cloudformation:EstimateTemplateCost",
                "cloudformation:Get*",
                "cloudformation:List*",
                "cloudformation:ValidateTemplate",
                "cloudformation:Detect*",
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "s3:GetObject",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:CreateBucket",
                "s3:PutBucketPolicy",
                "s3:GetBucketPolicy",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:GetBucketAcl",
                "s3:PutBucketAcl",
                "s3:PutBucketOwnershipControls",
                "s3:GetBucketOwnershipControls",
                "s3:PutBucketVersioning",
                "s3:GetBucketVersioning",
                "s3:AbortMultipartUpload",
                "s3:GetBucketLocation",
                "s3:GetBucketCors",
                "s3:GetBucketWebsite",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetReplicationConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "eks:ListNodegroups",
                "eks:ListInsights",
                "eks:ListPodIdentityAssociations",
                "eks:UpdatePodIdentityAssociation",
                "ec2:ModifyVolume",
                "sqs:CreateQueue",
                "sqs:SetQueueAttributes",
                "sqs:GetQueueAttributes",
                "sqs:GetQueueUrl",
                "sqs:TagQueue",
                "sqs:ListQueueTags",
                "sqs:ListQueues",
                "events:PutRule",
                "events:PutTargets",
                "events:RemoveTargets",
                "events:DescribeRule",
                "events:ListTargetsByRule",
                "events:ListRules",
                "events:ListTagsForResource",
                "events:TagResource",
                "iam:GetInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:ListInstanceProfiles"
            ]
        }
    ]
}
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Resource": "*",
      "Action": [
        "ec2:DeleteNetworkAclEntry",
        "eks:DeleteAddon",
        "eks:DeleteCluster",
        "eks:DescribeCluster",
        "eks:DeleteNodegroup",
        "eks:DescribeNodegroup",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteLaunchTemplate",
        "ec2:DeleteLaunchTemplateVersions",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteTags",
        "ec2:DeleteVpc",
        "ec2:DescribeAddresses",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeLaunchTemplates",
        "ec2:DescribeNatGateways",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeTags",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeVpcClassicLink",
        "ec2:DescribeVpcClassicLinkDnsSupport",
        "ec2:DescribeVpcs",
        "ec2:DetachInternetGateway",
        "ec2:DetachNetworkInterface",
        "ec2:DisassociateAddress",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:ModifyNetworkInterfaceAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:TerminateInstances",
        "ec2:GetConsoleOutput",
        "ec2:DescribeInstances",
        "ec2:AttachNetworkInterface",
        "ec2:AssociateAddress",
        "ecr:DeleteRepository",
        "ecr:DescribeRepositories",
        "ecr:ListTagsForResource",
        "iam:DeleteOpenIDConnectProvider",
        "iam:DeletePolicy",
        "iam:DeletePolicyVersion",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:DetachRolePolicy",
        "iam:GetOpenIDConnectProvider",
        "iam:GetPolicy",
        "iam:GetPolicyVersion",
        "iam:GetRole",
        "iam:GetRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListInstanceProfilesForRole",
        "iam:ListPolicyVersions",
        "iam:ListRolePolicies",
        "kms:DeleteAlias",
        "kms:DescribeKey",
        "kms:GetKeyPolicy",
        "kms:GetKeyRotationStatus",
        "kms:ListAliases",
        "kms:ListResourceTags",
        "kms:RetireGrant",
        "kms:ScheduleKeyDeletion",
        "logs:DeleteLogGroup",
        "logs:DescribeLogGroups",
        "logs:ListTagsLogGroup",
        "route53:ChangeTagsForResource",
        "route53:DeleteHostedZone",
        "route53:GetDNSSEC",
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListTagsForResource",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:DeleteBucket",
        "eks:DeletePodIdentityAssociation",
        "eks:DeleteAccessEntry",
        "iam:DeleteInstanceProfile",
        "sqs:DeleteQueue",
        "events:DeleteRule",
        "events:RemoveTargets"
      ]
    }
  ]
}
Please note that this will happen in a sub-account/subnet that is connected to your main hub.
Here are the steps:
  1. Create an IAM policy granting permission to provision an install.
  2. Create an IAM policy granting permision to deprovision an install.
  3. Create an IAM role that uses those policies, and grants access to the vendor via a trust policy.
  4. Share the IAM role’s ARN with Streamkap.
Once the role is created and acknowledged by Streamkap team, we will handle the deployment. In the final result, you should see the BYOC deployment is added as a new project in your Streamkap account.

Using AWS Console

1. Create the Provision Policy

  • In the AWS console, navigate to the IAM control panel.
  • Navigate to “Policies”.
  • Click the orange “Create Policy” policy button
  • Look for the “Policy editor”, where “visual” will be selected. Select “JSON”.
  • Replace the entire policy contents JSON with the contents of the StreamkapProvisionAccess.json mentioned above
  • Below the editor, click the orange “Next” button.
  • Name the policy StreamkapProvisionAccess, and click “Create policy” at the bottom.

2. Create the Deprovision Policy

  • In the AWS console, navigate to the IAM control panel.
Navigate to “Policies”.
Click the orange “Create Policy” policy button
Look for the “Policy editor” component group, where “visual” will be selected. Select “JSON”.
Replace the entire policy contents JSON with the IAM policy StreamkapDeprovisionAccess.jsonas mentioned above
  • Below the editor, click the orange “Next” button.
  • Name the policy StreamkapDeprovisionAccess, and click “Create policy” at the bottom.

3. Create the Access Role

  • Return to the IAM dashboard and navigate to “Roles
  • Click the orange “Create role” button.
  • Under “trusted entity type”, select “Custom trust policy
  • This will reveal a JSON editor field with the heading “Custom trust policy”.
  • Replace the entire trust policy contents with the following.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "",
      "Effect": "Allow",
      "Principal": {
        "AWS": "arn:aws:iam::300973880807:root"
      },
      "Action": "sts:AssumeRole"
    }
  ]
}
  • Click “Next” at the bottom of the page.
  • Search for the StreamkapProvisionAccess and StreamkapDeprovisionAccess policies and check the boxes.
  • Click “Next
  • Name the role StreamkapInstallAccess (or another name of your choice). The page should look like this:
  • Click “Create role
  • On the role page, locate the ARN field and make note of the value. It should take the form arn:aws:iam::{some number}:role/StreamkapInstallAccess .
  • Copy the role ARN from earlier and sent it back to us.

Using Cloudformation

AWSTemplateFormatVersion: "2010-09-09"
Resources:
  StreamkapProvisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapProvisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DescribeAddressesAttribute"
              - "ec2:CreateNetworkAclEntry"
              - "ecr:UntagResource"
              - "eks:ListAccessEntries"
              - "eks:CreateAccessEntry"
              - "eks:DescribeAccessEntry"
              - "eks:UpdateAccessEntry"
              - "eks:AssociateAccessPolicy"
              - "eks:DisassociateAccessPolicy"
              - "eks:CreateAddon"
              - "eks:DescribeAddon"
              - "eks:UpdateAddon"
              - "eks:DeleteAddon"
              - "eks:DescribeAddonConfiguration"
              - "eks:DescribeAddonVersions"
              - "eks:ListAddons"
              - "eks:ListAssociatedAccessPolicies"
              - "eks:CreateCluster"
              - "eks:UpdateClusterVersion"
              - "eks:DescribeCluster"
              - "eks:CreateNodegroup"
              - "eks:DescribeNodegroup"
              - "eks:UpdateNodegroupVersion"
              - "eks:TagResource"
              - "eks:UntagResource"
              - "eks:ListTagsForResource"
              - "eks:DescribeUpdate"
              - "eks:UpdateNodegroupConfig"
              - "eks:CreatePodIdentityAssociation"
              - "eks:Describe*"
              - "ec2:CreateNetworkInterface"
              - "ec2:Describe*"
              - "iam:UntagPolicy"
              - "iam:UntagRole"
              - "kms:UntagResource"
              - "logs:UntagResource"
              - "logs:ListTagsForResource"
              - "ec2:AllocateAddress"
              - "ec2:AssociateRouteTable"
              - "ec2:AttachInternetGateway"
              - "ec2:AuthorizeSecurityGroupEgress"
              - "ec2:AuthorizeSecurityGroupIngress"
              - "ec2:CreateInternetGateway"
              - "ec2:CreateLaunchTemplate"
              - "ec2:CreateLaunchTemplateVersion"
              - "ec2:CreateNatGateway"
              - "ec2:CreateRoute"
              - "ec2:CreateRouteTable"
              - "ec2:CreateSecurityGroup"
              - "ec2:CreateSubnet"
              - "ec2:CreateTags"
              - "ec2:CreateVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeAvailabilityZones"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupReferences"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:ModifyLaunchTemplate"
              - "ec2:ModifySubnetAttribute"
              - "ec2:ModifyVpcAttribute"
              - "ec2:RevokeSecurityGroupEgress"
              - "ec2:RunInstances"
              - "ec2:ModifyNetworkInterfaceAttribute"
              - "ec2:ModifyInstanceAttribute"
              - "ec2:TerminateInstances"
              - "ec2:GetConsoleOutput"
              - "ec2:DescribeInstances"
              - "ec2:AttachNetworkInterface"
              - "ec2:AssociateAddress"
              - "ecr:CreateRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "ecr:TagResource"
              - "iam:AttachRolePolicy"
              - "iam:CreateOpenIDConnectProvider"
              - "iam:CreatePolicy"
              - "iam:CreatePolicyVersion"
              - "iam:CreateRole"
              - "iam:CreateServiceLinkedRole"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListRolePolicies"
              - "iam:ListPolicyVersions"
              - "iam:PassRole"
              - "iam:PutRolePolicy"
              - "iam:TagOpenIDConnectProvider"
              - "iam:TagPolicy"
              - "iam:TagRole"
              - "iam:UpdateAssumeRolePolicy"
              - "iam:RemoveRoleFromInstanceProfile"
              - "iam:CreateInstanceProfile"
              - "iam:AddRoleToInstanceProfile"
              - "iam:UpdateRole"
              - "iam:DetachRolePolicy"
              - "iam:ListInstanceProfilesForRole"
              - "kms:CreateAlias"
              - "kms:CreateGrant"
              - "kms:CreateKey"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:PutKeyPolicy"
              - "kms:TagResource"
              - "kms:UpdateAlias"
              - "kms:EnableKeyRotation"
              - "logs:CreateLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "logs:PutRetentionPolicy"
              - "logs:TagLogGroup"
              - "logs:TagResource"
              - "logs:UntagResource"
              - "acm:*"
              - "elasticloadbalancing:*"
              - "cloudformation:Describe*"
              - "cloudformation:EstimateTemplateCost"
              - "cloudformation:Get*"
              - "cloudformation:List*"
              - "cloudformation:ValidateTemplate"
              - "cloudformation:Detect*"
              - "route53:ChangeResourceRecordSets"
              - "route53:ChangeTagsForResource"
              - "route53:CreateHostedZone"
              - "route53:GetChange"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              - "s3:GetObject"
              - "s3:ListBucket"
              - "s3:PutObject"
              - "s3:DeleteObject"
              - "s3:CreateBucket"
              - "s3:PutBucketPolicy"
              - "s3:GetBucketPolicy"
              - "s3:PutBucketTagging"
              - "s3:GetBucketTagging"
              - "s3:GetBucketAcl"
              - "s3:PutBucketAcl"
              - "s3:PutBucketOwnershipControls"
              - "s3:GetBucketOwnershipControls"
              - "s3:PutBucketVersioning"
              - "s3:GetBucketVersioning"
              - "s3:AbortMultipartUpload"
              - "s3:GetBucketLocation"
              - "s3:GetBucketCors"
              - "s3:GetBucketWebsite"
              - "s3:GetAccelerateConfiguration"
              - "s3:GetBucketLogging"
              - "s3:GetBucketObjectLockConfiguration"
              - "s3:GetBucketRequestPayment"
              - "s3:GetEncryptionConfiguration"
              - "s3:GetLifecycleConfiguration"
              - "s3:GetReplicationConfiguration"
              - "s3:PutLifecycleConfiguration"
              - "s3:PutBucketPublicAccessBlock"
              - "s3:GetBucketPublicAccessBlock"
              - "s3:PutEncryptionConfiguration"
              - "eks:ListNodegroups"
              - "eks:ListInsights"
              - "eks:ListPodIdentityAssociations"
              - "eks:UpdatePodIdentityAssociation"
              - "ec2:ModifyVolume"
              - "sqs:CreateQueue"
              - "sqs:SetQueueAttributes"
              - "sqs:GetQueueAttributes"
              - "sqs:GetQueueUrl"
              - "sqs:TagQueue"
              - "sqs:ListQueueTags"
              - "sqs:ListQueues"
              - "events:PutRule"
              - "events:PutTargets"
              - "events:RemoveTargets"
              - "events:DescribeRule"
              - "events:ListTargetsByRule"
              - "events:ListRules"
              - "events:ListTagsForResource"
              - "events:TagResource"
              - "iam:GetInstanceProfile"
              - "iam:TagInstanceProfile"
              - "iam:ListInstanceProfiles"
            Resource: "*"
  StreamkapDeprovisionAccessPolicy:
    Type: "AWS::IAM::ManagedPolicy"
    Properties:
      ManagedPolicyName: "StreamkapDeprovisionAccess"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Action:
              - "ec2:DeleteNetworkAclEntry"
              - "eks:DeleteAddon"
              - "eks:DeleteCluster"
              - "eks:DescribeCluster"
              - "eks:DeleteNodegroup"
              - "eks:DescribeNodegroup"
              - "ec2:DeleteInternetGateway"
              - "ec2:DeleteLaunchTemplate"
              - "ec2:DeleteLaunchTemplateVersions"
              - "ec2:DeleteNatGateway"
              - "ec2:DeleteNetworkInterface"
              - "ec2:DeleteRoute"
              - "ec2:DeleteRouteTable"
              - "ec2:DeleteSecurityGroup"
              - "ec2:DeleteSubnet"
              - "ec2:DeleteTags"
              - "ec2:DeleteVpc"
              - "ec2:DescribeAddresses"
              - "ec2:DescribeInternetGateways"
              - "ec2:DescribeLaunchTemplateVersions"
              - "ec2:DescribeLaunchTemplates"
              - "ec2:DescribeNatGateways"
              - "ec2:DescribeNetworkAcls"
              - "ec2:DescribeNetworkInterfaces"
              - "ec2:DescribeRouteTables"
              - "ec2:DescribeSecurityGroupRules"
              - "ec2:DescribeSecurityGroups"
              - "ec2:DescribeSubnets"
              - "ec2:DescribeTags"
              - "ec2:DescribeVpcAttribute"
              - "ec2:DescribeVpcClassicLink"
              - "ec2:DescribeVpcClassicLinkDnsSupport"
              - "ec2:DescribeVpcs"
              - "ec2:DetachInternetGateway"
              - "ec2:DetachNetworkInterface"
              - "ec2:DisassociateAddress"
              - "ec2:DisassociateRouteTable"
              - "ec2:ReleaseAddress"
              - "ec2:RevokeSecurityGroupIngress"
              - "ec2:ModifyNetworkInterfaceAttribute"
              - "ec2:ModifyInstanceAttribute"
              - "ec2:TerminateInstances"
              - "ec2:GetConsoleOutput"
              - "ec2:DescribeInstances"
              - "ec2:AttachNetworkInterface"
              - "ec2:AssociateAddress"
              - "ecr:DeleteRepository"
              - "ecr:DescribeRepositories"
              - "ecr:ListTagsForResource"
              - "iam:DeleteOpenIDConnectProvider"
              - "iam:DeletePolicy"
              - "iam:DeletePolicyVersion"
              - "iam:DeleteRole"
              - "iam:DeleteRolePolicy"
              - "iam:DetachRolePolicy"
              - "iam:GetOpenIDConnectProvider"
              - "iam:GetPolicy"
              - "iam:GetPolicyVersion"
              - "iam:GetRole"
              - "iam:GetRolePolicy"
              - "iam:ListAttachedRolePolicies"
              - "iam:ListInstanceProfilesForRole"
              - "iam:ListPolicyVersions"
              - "iam:ListRolePolicies"
              - "kms:DeleteAlias"
              - "kms:DescribeKey"
              - "kms:GetKeyPolicy"
              - "kms:GetKeyRotationStatus"
              - "kms:ListAliases"
              - "kms:ListResourceTags"
              - "kms:RetireGrant"
              - "kms:ScheduleKeyDeletion"
              - "logs:DeleteLogGroup"
              - "logs:DescribeLogGroups"
              - "logs:ListTagsLogGroup"
              - "route53:ChangeTagsForResource"
              - "route53:DeleteHostedZone"
              - "route53:GetDNSSEC"
              - "route53:GetHostedZone"
              - "route53:ListResourceRecordSets"
              - "route53:ListTagsForResource"
              - "s3:GetObject"
              - "s3:ListBucket"
              - "s3:DeleteBucket"
              - "eks:DeletePodIdentityAssociation"
              - "eks:DeleteAccessEntry"
              - "iam:DeleteInstanceProfile"
              - "sqs:DeleteQueue"
              - "events:DeleteRule"
              - "events:RemoveTargets"
            Resource: "*"
  StreamkapInstallAccessRole:
    Type: "AWS::IAM::Role"
    Properties:
      RoleName: "StreamkapInstallAccess"
      AssumeRolePolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: ""
            Effect: "Allow"
            Principal:
              AWS: "arn:aws:iam::300973880807:root"
            Action: "sts:AssumeRole"
      ManagedPolicyArns:
        - !Ref StreamkapProvisionAccessPolicy
        - !Ref StreamkapDeprovisionAccessPolicy