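# CloudFormation stack that creates the IAM role and managed policy used by
# the Kubernetes Cluster Autoscaler on EKS via IRSA (IAM Roles for Service
# Accounts). The {{ ... }} placeholders are filled in by the Rok templating
# step before the stack is deployed.
Metadata:
  Rok::StackName: {{ AUTOSCALER_EKS_IAM_CF }}

Resources:
  # Role assumed by the cluster-autoscaler service account through the
  # cluster's OIDC provider. Only a web-identity token whose claims match the
  # Condition block below can assume it.
  ClusterAutoscalerRole:
    Type: AWS::IAM::Role
    # NOTE(review): Description is an AWS::IAM::Role *property*, not a
    # resource-level attribute; CloudFormation may reject it at this level
    # unless the Rok preprocessor strips or relocates it — confirm before
    # moving it under Properties.
    Description: Cluster Autoscaler Role
    Properties:
      RoleName: {{ AUTOSCALER_EKS_IAM_ROLE }}
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action: sts:AssumeRoleWithWebIdentity
            Principal:
              Federated: arn:aws:iam::{{ AWS_ACCOUNT_ID }}:oidc-provider/{{ EKS_CLUSTER_OIDC }}
            Condition:
              StringEquals:
                # Restrict the trust to the intended audience as well as the
                # subject. Without the aud check, any token issued by this
                # OIDC provider with the matching sub claim but a different
                # audience would also be accepted. sts.amazonaws.com is the
                # default audience of the projected token injected by the EKS
                # pod identity webhook; adjust only if the cluster is
                # configured with a different audience.
                {{ EKS_CLUSTER_OIDC }}:aud: sts.amazonaws.com
                # Pin the trust to exactly one service account (namespace and
                # name), so no other workload in the cluster can obtain the
                # role's credentials.
                {{ EKS_CLUSTER_OIDC }}:sub: system:serviceaccount:kube-system:cluster-autoscaler
      ManagedPolicyArns:
        - Ref: ClusterAutoscalerPolicy

  # Permissions the autoscaler needs to discover node groups and to change
  # their size.
  ClusterAutoscalerPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: {{ AUTOSCALER_EKS_IAM_POLICY }}
      PolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Action:
              # Read-only discovery; these Describe* calls do not support
              # resource-level permissions, so "*" is required for them.
              - autoscaling:DescribeAutoScalingGroups
              - autoscaling:DescribeAutoScalingInstances
              - autoscaling:DescribeLaunchConfigurations
              - autoscaling:DescribeTags
              - ec2:DescribeLaunchTemplateVersions
              # Mutating actions. With Resource "*" the role can resize or
              # terminate instances in *any* Auto Scaling group in the
              # account, not only this cluster's node groups.
              # NOTE(review): consider splitting these two actions into their
              # own statement scoped by a condition on the ASG tag the
              # autoscaler already uses for auto-discovery
              # (autoscaling:ResourceTag/k8s.io/cluster-autoscaler/<CLUSTER_NAME>,
              # placeholder — the cluster name is not a variable of this
              # template) so the blast radius is limited to this cluster.
              - autoscaling:SetDesiredCapacity
              - autoscaling:TerminateInstanceInAutoScalingGroup
            Resource:
              - "*"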