Skip to main content
This page explains every AWS IAM permission that Qovery requires to create and manage your EKS clusters, and what each permission is used for in our infrastructure engine.
Qovery follows the principle of least privilege where possible. S3 and SQS permissions are scoped to qovery* resources only. Some services require broad permissions because Qovery fully manages the lifecycle of those resources on your behalf.

Setup Overview

Qovery provides two methods to set up AWS credentials:
  1. STS Assume Role (recommended) — A CloudFormation stack creates an IAM role with temporary, auto-rotating credentials
  2. Static Credentials — An IAM user with an access key pair (requires manual rotation)
Both methods use the same IAM policy. You can review the full setup process in the AWS installation guide.

Policy Structure

The Qovery IAM policy has two statements:
  1. Statement 1 — Permissions on all resources ("Resource": "*") for services where AWS does not support resource-level restrictions, or where Qovery needs to create new resources.
  2. Statement 2 — Permissions scoped to qovery* resources only (S3 buckets and SQS queues).
You can download the full policy JSON here.

Statement 1 — Permissions on All Resources

IAM — iam:*

What Qovery doesWhy
Creates IAM roles for the EKS control planeAWS requires a service role for EKS to manage Kubernetes components
Creates IAM roles and instance profiles for worker nodesEC2 instances need roles to pull container images (ECR) and join the EKS cluster
Creates IAM roles for Karpenter (node provisioner)Karpenter needs permissions to launch/terminate EC2 instances and manage fleet requests
Creates IAM roles for the AWS Load Balancer ControllerThe ALB controller needs permissions to create and configure load balancers on your behalf
Creates IAM roles for the Cluster AutoscalerAutoscaler needs permissions to read and modify Auto Scaling groups
Creates IAM roles for the CloudWatch exporterExporter needs read access to CloudWatch metrics for monitoring
Creates IAM roles for Loki (log aggregation)Loki stores logs in S3 and needs a dedicated role with scoped bucket access
Creates IAM roles for External Secrets OperatorESO needs permissions to read from AWS Secrets Manager and Parameter Store
Manages OIDC providers for IRSAIAM Roles for Service Accounts (IRSA) enables fine-grained pod-level permissions without sharing node credentials
All IAM roles created by Qovery follow the IRSA pattern (IAM Roles for Service Accounts), meaning each Kubernetes workload gets its own scoped role rather than sharing a single broad role.

EC2 — ec2:*

What Qovery doesWhy
Creates a dedicated VPCIsolates your Qovery infrastructure from other workloads in your AWS account
Creates public and private subnets across 3 availability zonesMulti-AZ subnets provide high availability for your applications
Creates security groups for EKS and worker nodesControls inbound/outbound traffic to the cluster and its nodes
Creates Internet Gateways and NAT GatewaysInternet Gateway enables outbound connectivity; NAT Gateways provide static outbound IPs
Allocates Elastic IPs for NAT GatewaysRequired for static IP addresses when the Static IP feature is enabled
Creates route tables and associationsDirects traffic between subnets, internet, and NAT gateways
Launches EC2 instances via Karpenter (CreateFleet, RunInstances)Karpenter provisions compute capacity for your application workloads
Creates launch templatesDefines the AMI (Bottlerocket), instance configuration, and user data for worker nodes
Describes instance types, availability zones, images, and spot pricesKarpenter uses this information to select the most cost-effective instances
Manages network interfacesRequired for pod networking via the AWS VPC CNI plugin

EKS — eks:*

What Qovery doesWhy
Creates EKS clustersProvisions the Kubernetes control plane managed by AWS
Configures control plane logging (API, audit, authenticator, controller manager, scheduler)Sends EKS logs to CloudWatch for diagnostics and security auditing
Enables Kubernetes secrets encryption via KMSEncrypts sensitive data (secrets) stored in etcd at rest
Creates and manages EKS managed node groupsProvisions the initial node group before Karpenter takes over scaling
Installs EKS add-ons (CoreDNS, VPC-CNI, EBS-CSI)Core Kubernetes networking and storage plugins required for cluster operation

Elastic Load Balancing — elasticloadbalancing:*

What Qovery doesWhy
Creates Network Load Balancers (NLB)Routes incoming HTTPS traffic to the Nginx Ingress controller inside the cluster
Manages target groups and listenersConfigures how traffic is distributed to your application pods
Manages listener certificates and SSL policiesHandles TLS termination for your custom domains
Tags load balancers for cluster associationEnsures load balancers are tracked and cleaned up with the cluster lifecycle
Cleans up orphaned load balancersRemoves NLBs that are no longer referenced by any Kubernetes service

RDS — rds:*

What Qovery doesWhy
Creates RDS instances (PostgreSQL, MySQL)Provisions managed databases requested through the Qovery console
Configures Multi-AZ with automatic failoverEnsures database high availability across availability zones
Enables encryption at rest and in transitProtects your data with AES-256 encryption and TLS connections
Creates DB subnet groupsPlaces databases in dedicated private subnets for network isolation
Enables Performance Insights monitoringProvides database performance metrics in the Qovery dashboard
Manages snapshots and backup retentionEnables point-in-time recovery and scheduled backups
Creates enhanced monitoring rolesProvides OS-level metrics for database instances

ElastiCache — elasticache:*

What Qovery doesWhy
Creates ElastiCache replication groups (Redis)Provisions managed Redis instances requested through the Qovery console
Configures Multi-AZ with automatic failoverEnsures cache high availability
Creates cache subnet groupsPlaces cache nodes in dedicated private subnets
Enables transit encryption with auth tokensSecures data in motion between your application and Redis
Manages snapshots and maintenance windowsEnables backups and controlled maintenance

ECR — ecr:*

What Qovery doesWhy
Grants worker nodes read access to ECRKubernetes nodes need to pull container images from your ECR repositories
Manages ECR repositories for Qovery-built imagesWhen building from source, Qovery pushes built images to ECR
Worker nodes receive the AmazonEC2ContainerRegistryReadOnly managed policy via their IAM role.

CloudWatch — cloudwatch:*

What Qovery doesWhy
Creates CloudWatch log groups for EKSStores EKS control plane logs (API server, audit, authenticator, controller manager, scheduler)
Configures log retention policiesControls how long EKS logs are kept (configurable)
Reads metrics via CloudWatch Exporter (GetMetricData, GetMetricStatistics, ListMetrics)Collects AWS resource metrics for Qovery’s monitoring dashboard

CloudWatch Logs — logs:*

What Qovery doesWhy
Creates and manages log groupsRequired by EKS for control plane logging
Sets retention policiesPrevents unbounded log storage costs
Streams log eventsEnables viewing EKS control plane logs for debugging

Auto Scaling — autoscaling:*, application-autoscaling:*

What Qovery doesWhy
Reads Auto Scaling group state (Describe*)Cluster Autoscaler monitors current node capacity
Modifies desired capacity (SetDesiredCapacity, TerminateInstanceInAutoScalingGroup)Cluster Autoscaler scales nodes up/down based on pod scheduling pressure
Qovery primarily uses Karpenter for node provisioning, which manages EC2 instances directly. Auto Scaling permissions are retained for the initial managed node group and as a fallback.

KMS — kms:*

What Qovery doesWhy
Creates or uses KMS keys for EKS secrets encryptionEncrypts Kubernetes secrets in etcd at rest using envelope encryption
Encrypts S3 buckets (logs, Terraform state)Ensures all stored data is encrypted with AWS-managed or customer-managed keys

EventBridge — events:* (scoped actions)

The policy grants only specific EventBridge actions:
ActionWhy
PutRule, PutTargetsCreates event rules to capture EC2 spot interruption warnings, rebalance recommendations, and instance state changes
DescribeRule, ListRuleNamesByTarget, ListTargetsByRuleReads existing rules for idempotent Terraform management
DeleteRule, RemoveTargetsCleans up event rules when the cluster is deleted
TagResource, UntagResource, ListTagsForResourceTags event rules for cluster lifecycle tracking
These events are forwarded to an SQS queue that Karpenter monitors to gracefully drain nodes before spot interruptions or maintenance events.

Organizations — Read-Only Access

ActionWhy
DescribeAccount, DescribeOrganization, DescribeOrganizationalUnit, DescribePolicyReads AWS account metadata to validate the account context and detect organizational constraints
ListChildren, ListParents, ListPoliciesForTarget, ListRoots, ListPolicies, ListTargetsForPolicyEnumerates organizational structure to detect Service Control Policies (SCPs) that might restrict Qovery operations
These are read-only permissions. Qovery never modifies your AWS Organization structure.

DynamoDB — dynamodb:*

What Qovery doesWhy
Creates DynamoDB tables for Terraform state lockingPrevents concurrent Terraform operations from corrupting your infrastructure state

ECS — ecs:*

What Qovery doesWhy
Reserved for future use and hybrid ECS/EKS workloadsEnsures Qovery can manage ECS-based workloads if enabled on your cluster

Elasticsearch Service — es:* (scoped actions)

ActionWhy
CreateElasticsearchDomain, DeleteElasticsearchDomain, DescribeElasticsearchDomainProvisions and manages Elasticsearch domains when requested as a managed service
AddTags, RemoveTags, ListTagsTags Elasticsearch domains for cluster lifecycle tracking and cost allocation

CloudTrail — cloudtrail:LookupEvents

What Qovery doesWhy
Looks up recent API eventsUsed for debugging infrastructure provisioning failures by checking recent AWS API activity

Resource Groups Tagging — tag:GetResources

What Qovery doesWhy
Discovers resources by tag across all servicesUsed by the CloudWatch Exporter to find all resources belonging to your cluster for metrics collection

Statement 2 — Scoped to qovery* Resources

These permissions are restricted to resources whose names start with qovery. Qovery cannot access any S3 buckets or SQS queues that you created outside of Qovery.

S3 — s3:* (on arn:aws:s3:::qovery*)

What Qovery doesWhy
Creates S3 buckets for Terraform stateStores infrastructure state files needed to manage your cluster
Creates S3 buckets for VPC flow logsStores network traffic logs for security auditing (encrypted, with lifecycle policies)
Creates S3 buckets for Loki log storageStores application and infrastructure logs with configurable retention
Manages bucket encryption and access policiesEnsures all buckets have server-side encryption and public access blocking enabled
The s3:ListAllMyBuckets permission in Statement 1 is required to verify bucket existence before creation. It is read-only and does not grant access to bucket contents.

SQS — sqs:* (on arn:aws:sqs:*:*:qovery*)

What Qovery doesWhy
Creates SQS queues for Karpenter interruption eventsReceives EventBridge events for spot interruptions, health events, and instance state changes
Karpenter reads and deletes messages (ReceiveMessage, DeleteMessage, GetQueueUrl)Karpenter processes interruption events to gracefully drain workloads before node termination

What Qovery Creates in Your Account

Here’s a summary of all resources Qovery provisions per cluster:
ResourceCountPurpose
EKS cluster1Managed Kubernetes control plane
VPC1Network isolation for the cluster
Subnets63 public + 3 private across availability zones
NAT Gatewaysup to 3Static outbound IP addresses
Elastic IPsup to 3Fixed IPs for NAT Gateways
Security Groups3+Network access control for cluster, workers, databases
EC2 instancesvariesWorker nodes managed by Karpenter
S3 buckets3+Terraform state, VPC flow logs, Loki logs
SQS queues1Karpenter interruption events
IAM roles8+EKS, workers, Karpenter, ALB controller, Loki, ESO, etc.
Load Balancer1+Ingress traffic routing
CloudWatch log groups5EKS control plane logs

Security Best Practices

Some permissions can be scoped more narrowly for advanced use cases. Contact Qovery support for a minimal policy template tailored to your specific configuration (e.g., if you don’t use managed databases, RDS and ElastiCache permissions can be removed).
STS Assume Role provides temporary credentials that automatically rotate. Qovery never stores long-lived access keys, and you can revoke access instantly by deleting the CloudFormation stack. See the AWS installation guide for setup instructions.
No. S3 and SQS permissions are scoped to qovery* resources only. Other services (EC2, EKS, RDS, etc.) create new resources dedicated to your Qovery cluster. Qovery does not read or modify resources created outside of Qovery.
Enable AWS CloudTrail in your account to get a full audit log of every API call made by the Qovery IAM role. You can also review Qovery’s audit logs for a high-level view of operations.