From c387a9eaf241c4d4050b2d8b507975192a98bd26 Mon Sep 17 00:00:00 2001 From: "Goyal, Pankaj" Date: Tue, 23 Sep 2025 17:06:15 +0530 Subject: [PATCH 1/2] Use IAM role instead of IAM User in KMS Signed-off-by: Goyal, Pankaj --- argocd/applications/custom/vault.tpl | 22 ++--- pod-configs/module/kms/main.tf | 111 +++++++++++++++-------- pod-configs/module/kms/variable.tf | 5 + pod-configs/orchestrator/cluster/main.tf | 3 +- 4 files changed, 92 insertions(+), 49 deletions(-) diff --git a/argocd/applications/custom/vault.tpl b/argocd/applications/custom/vault.tpl index 40cdfcab5..4788daca8 100644 --- a/argocd/applications/custom/vault.tpl +++ b/argocd/applications/custom/vault.tpl @@ -9,6 +9,13 @@ global: {{- end }} server: + # Configure service account for IRSA + serviceAccount: + create: false + name: "vault-service-account" + annotations: + eks.amazonaws.com/role-arn: "arn:aws:iam::{{.Values.argo.aws.accountId}}:role/{{.Values.argo.clusterName}}-vault-kms-role" + {{- if .Values.argo.vault.ha}} # Run Vault in "HA" mode. There are no storage requirements unless the audit log # persistence is required. In HA mode Vault will configure itself to use Consul @@ -39,7 +46,10 @@ server: cluster_address = "[::]:8201" } {{- if and .Values.argo.vault.autoUnseal (ne .Values.argo.namespace "onprem")}} - seal "awskms" {} + seal "awskms" { + region = "{{.Values.argo.aws.region}}" + kms_key_id = "alias/vault-kms-unseal-{{.Values.argo.clusterName}}" + } # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be # used to include variables required for auto-unseal. 
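Review bot: The new `serviceAccount` block sets `create: false`, so the chart no longer renders a ServiceAccount and the `eks.amazonaws.com/role-arn` annotation written here is most likely never applied; the account that actually carries the annotation is the Terraform `kubernetes_service_account.vault` in pod-configs/module/kms. That leaves the role ARN spelled in two places (`{{.Values.argo.clusterName}}-vault-kms-role` here, `"${var.cluster_name}-vault-kms-role"` in Terraform) that only agree by naming convention, and `name: "vault-service-account"` must match the Terraform object's name and namespace exactly or the Vault pods will fail to be created. A comment above the block such as `# ServiceAccount is created and annotated by pod-configs/module/kms (kubernetes_service_account.vault); this name must match it` would make the coupling explicit, and the annotation could be dropped once it is confirmed to be ignored when `create` is false. The `server:` section continues outside the hunk.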
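Review bot: The expanded `seal "awskms"` stanza sets `region` and `kms_key_id`, while the `AWS_REGION` and `VAULT_AWSKMS_SEAL_KEY_ID` entries kept under `extraEnvironmentVars` in the next hunk configure the same two values; one of the two sources should go so the alias `alias/vault-kms-unseal-{{.Values.argo.clusterName}}` is spelled once. If both are intentionally kept, a comment on the stanza saying which one wins (Vault reads the environment variables over the config file) would save the next reader a lookup. The `config:` block continues outside the hunk.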
@@ -51,16 +61,6 @@ server: AWS_REGION: {{.Values.argo.aws.region}} VAULT_AWSKMS_SEAL_KEY_ID: alias/vault-kms-unseal-{{.Values.argo.clusterName}} - # extraSecretEnvironmentVars is a list of extra environment variables to set with the stateful set. - # These variables take value from existing Secret objects. - extraSecretEnvironmentVars: - - envName: AWS_ACCESS_KEY_ID - secretName: vault-kms-unseal - secretKey: AWS_ACCESS_KEY_ID - - envName: AWS_SECRET_ACCESS_KEY - secretName: vault-kms-unseal - secretKey: AWS_SECRET_ACCESS_KEY - # https://jira.devtools.intel.com/browse/NEXENPL-1126 # enable liveness probe such that pod is restarted when auto-unseal failed livenessProbe: diff --git a/pod-configs/module/kms/main.tf b/pod-configs/module/kms/main.tf index d18e465dd..1404ec93c 100644 --- a/pod-configs/module/kms/main.tf +++ b/pod-configs/module/kms/main.tf 
@@ -2,42 +2,27 @@ # # SPDX-License-Identifier: Apache-2.0 -# Set up IAM user for Vault to access KMS -resource "aws_iam_user" "vault" { - name = "vault-${var.cluster_name}" +# Get OIDC from EKS cluster +data "aws_eks_cluster" "eks" { + name = var.cluster_name } -resource "aws_iam_access_key" "vault" { - user = aws_iam_user.vault.name +# Define service accounts for Vault +locals { + vault_service_accounts = [ + "system:serviceaccount:orch-platform:vault-service-account", + "system:serviceaccount:orch-platform:vault" + ] } -# Set up KMS key with alias -resource "aws_kms_key" "vault" { - description = "Vault unseal key" - deletion_window_in_days = 10 -} - -resource "aws_kms_alias" "vault" { - name = "alias/vault-kms-unseal-${var.cluster_name}" - target_key_id = aws_kms_key.vault.key_id -} - -resource "aws_kms_key_policy" "vault" { - key_id = aws_kms_key.vault.id +# Create KMS policy +resource "aws_iam_policy" "vault_kms_policy" { + description = "Policy that allows Vault access to KMS in ${var.cluster_name} cluster" + name = "${var.cluster_name}-vault-kms-policy" policy = jsonencode({ - Id = "vault" + Version = "2012-10-17" Statement = [ { - "Sid": "Enable IAM User Permissions", - "Effect": "Allow", - "Principal": { - "AWS": "arn:aws:iam::${var.aws_account_number}:root" - }, - "Action": "kms:*", - "Resource": "*" - }, - { - "Sid": "Allow use of the key" "Action": [ "kms:Encrypt", "kms:Decrypt", 
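Review bot: Removing `aws_kms_key_policy.vault` without giving the recreated `aws_kms_key.vault` (next hunk) a `policy` means the key falls back to the default key policy, which grants the account root full access and lets IAM policies such as `aws_iam_policy.vault_kms_policy` govern use; that is what makes the new role work, but it is implicit and deserves a comment on the key resource, e.g. `# No explicit key policy: the default policy allows IAM-policy based access, which the vault_kms role relies on`. On clusters that already exist, whether destroying the policy resource resets the key to the default or leaves the old policy (which named the now-deleted IAM user) in place depends on provider behaviour, so an upgrade run should be checked. `local.vault_service_accounts` trusts two subjects, `vault-service-account` and `vault`; if the chart only ever uses the first, the second widens the trust policy for nothing and should be dropped or justified in the comment above it. The `Statement` object also mixes HCL attributes (`Version = "2012-10-17"`) with JSON-style keys (`"Action": [`), which jsonencode accepts but reads inconsistently; the policy statement continues in the next hunk.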
@@ -46,23 +31,75 @@ resource "aws_kms_key_policy" "vault" { "kms:DescribeKey" ] "Effect": "Allow" - "Principal": { - "AWS": "arn:aws:iam::${var.aws_account_number}:user/${aws_iam_user.vault.name}" - } - "Resource": "*" - }, + Resource = aws_kms_key.vault.arn + } ] - Version = "2012-10-17" }) } +# Create trust policy using OIDC +data "aws_iam_policy_document" "vault_trust_policy" { + statement { + actions = ["sts:AssumeRoleWithWebIdentity"] + effect = "Allow" + condition { + test = "StringEquals" + variable = "${replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")}:sub" + values = local.vault_service_accounts + } + principals { + identifiers = ["arn:aws:iam::${var.aws_account_number}:oidc-provider/${replace(data.aws_eks_cluster.eks.identity[0].oidc[0].issuer, "https://", "")}"] + type = "Federated" + } + } +} + +# Create role +resource "aws_iam_role" "vault_kms" { + description = "Role that allows Vault to access KMS in ${var.cluster_name} cluster" + name = "${var.cluster_name}-vault-kms-role" + assume_role_policy = data.aws_iam_policy_document.vault_trust_policy.json + managed_policy_arns = [aws_iam_policy.vault_kms_policy.arn] +} + +# Create service account with role annotation +resource "kubernetes_service_account" "vault" { + metadata { + name = "vault-service-account" + namespace = "orch-platform" + annotations = { + "eks.amazonaws.com/role-arn" = aws_iam_role.vault_kms.arn + } + } +} + +# KMS Key +resource "aws_kms_key" "vault" { + description = "Vault unseal key for ${var.cluster_name}" + deletion_window_in_days = 10 + + tags = { + Name = "vault-kms-unseal-${var.cluster_name}" + Cluster = var.cluster_name + Purpose = "vault-unseal" + Application = "vault" + } +} + +resource "aws_kms_alias" "vault" { + name = "alias/vault-kms-unseal-${var.cluster_name}" + target_key_id = aws_kms_key.vault.key_id +} + resource "kubernetes_secret" "vault_kms_unseal" { metadata { name = "vault-kms-unseal" namespace = "orch-platform" } data = { - 
"AWS_ACCESS_KEY_ID" = aws_iam_access_key.vault.id - "AWS_SECRET_ACCESS_KEY" = aws_iam_access_key.vault.secret + # Configuration values + "AWS_ROLE_ARN" = aws_iam_role.vault_kms.arn + "KMS_KEY_ID" = aws_kms_key.vault.key_id + "AWS_REGION" = var.region } } diff --git a/pod-configs/module/kms/variable.tf b/pod-configs/module/kms/variable.tf index 9d7bb2fb3..2cce1642f 100644 --- a/pod-configs/module/kms/variable.tf +++ b/pod-configs/module/kms/variable.tf @@ -9,3 +9,8 @@ variable "cluster_name" { variable "aws_account_number" { type = string } + +variable "region" { + description = "AWS region" + type = string +} \ No newline at end of file diff --git a/pod-configs/orchestrator/cluster/main.tf b/pod-configs/orchestrator/cluster/main.tf index 3abaf2591..e83aaa35f 100644 --- a/pod-configs/orchestrator/cluster/main.tf +++ b/pod-configs/orchestrator/cluster/main.tf @@ -149,10 +149,11 @@ module "aurora_import" { module "kms" { # kms module creates K8s secrets, which depends on the namespaces created in orch_init - depends_on = [module.orch_init] + depends_on = [module.orch_init, time_sleep.wait_eks] source = "../../module/kms" cluster_name = var.eks_cluster_name aws_account_number = var.aws_account_number + region = var.aws_region } module "orch_init" { From b9efb8ad3f459572b623154786d7fd48030c8c01 Mon Sep 17 00:00:00 2001 From: "Goyal, Pankaj" Date: Wed, 24 Sep 2025 17:24:18 +0530 Subject: [PATCH 2/2] Changes to handle permission boundary 
Signed-off-by: Goyal, Pankaj --- pod-configs/module/ec2log/save-log.tf | 1 + pod-configs/module/ec2log/variable.tf | 6 ++++++ pod-configs/module/efs/main.tf | 1 + pod-configs/module/efs/variable.tf | 6 ++++++ pod-configs/module/eks/main.tf | 4 ++++ pod-configs/module/eks/variable.tf | 6 ++++++ pod-configs/module/kms/main.tf | 1 + pod-configs/module/kms/variable.tf | 6 ++++++ pod-configs/module/pull-through-cache-proxy/ecs.tf | 2 ++ pod-configs/module/pull-through-cache-proxy/variable.tf | 6 ++++++ pod-configs/module/s3/main.tf | 1 + pod-configs/module/s3/variable.tf | 6 ++++++ pod-configs/module/vpc-jumphost/main.tf | 1 + pod-configs/module/vpc-jumphost/variable.tf | 6 ++++++ pod-configs/orchestrator/cluster/main.tf | 5 +++++ pod-configs/orchestrator/cluster/variable.tf | 5 +++++ pod-configs/orchestrator/pull-through-cache-proxy/main.tf | 1 + .../orchestrator/pull-through-cache-proxy/variable.tf | 6 ++++++ pod-configs/orchestrator/vpc/main.tf | 1 + pod-configs/orchestrator/vpc/variable.tf | 6 ++++++ pod-configs/utils/provision.sh | 8 ++++++++ 21 files changed, 85 insertions(+) diff --git a/pod-configs/module/ec2log/save-log.tf b/pod-configs/module/ec2log/save-log.tf index 7c5d50555..cb1a5e6e7 100644 --- a/pod-configs/module/ec2log/save-log.tf +++ b/pod-configs/module/ec2log/save-log.tf @@ -225,6 +225,7 @@ resource "aws_iam_role" "lambda" { ] }) + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null tags = { tag-key = "orch-ec2log-lambda-${var.cluster_name}" } diff --git a/pod-configs/module/ec2log/variable.tf b/pod-configs/module/ec2log/variable.tf index f5cc68cd6..f366445f4 100644 --- a/pod-configs/module/ec2log/variable.tf +++ b/pod-configs/module/ec2log/variable.tf 
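Review bot: `permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null` is repeated verbatim on every IAM role in this commit (this file, efs/main.tf, the four roles in eks/main.tf, kms/main.tf, both roles in pull-through-cache-proxy/ecs.tf, s3/main.tf and vpc-jumphost/main.tf). Declaring each module's variable with `default = null` and passing `permissions_boundary = var.permissions_boundary` removes the ternary everywhere; the roots and provision.sh already set the value only when it is non-empty, so null is the natural "unset" state. If the empty-string convention is deliberate, a single `local.permissions_boundary` per module would still keep the expression in one place. `aws_iam_role.lambda` starts before this hunk.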
@@ -35,4 +35,10 @@ variable "cloudwatch_expire" { variable "s3_prefix" { type = string default = "" +} + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" } \ No newline at end of file diff --git a/pod-configs/module/efs/main.tf b/pod-configs/module/efs/main.tf index 6f41ef4d9..ee20b5a34 100644 --- a/pod-configs/module/efs/main.tf +++ b/pod-configs/module/efs/main.tf @@ -52,6 +52,7 @@ resource "aws_iam_role" "efs_role" { name = "${var.cluster_name}-${var.role_name}" assume_role_policy = data.aws_iam_policy_document.efs_assume_role_policy.json managed_policy_arns = var.generate_eks_policy ? [aws_iam_policy.efs_policy[0].arn] : [] + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } # Create Security Group diff --git a/pod-configs/module/efs/variable.tf b/pod-configs/module/efs/variable.tf index 4f040e156..f694f7518 100644 --- a/pod-configs/module/efs/variable.tf +++ b/pod-configs/module/efs/variable.tf @@ -76,4 +76,10 @@ variable "access_points" { variable "throughput_mode" { type = string default = "bursting" +} + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" } \ No newline at end of file diff --git a/pod-configs/module/eks/main.tf b/pod-configs/module/eks/main.tf index a2b1931e2..d5acec63e 100644 --- a/pod-configs/module/eks/main.tf +++ b/pod-configs/module/eks/main.tf @@ -22,6 +22,7 @@ resource "aws_iam_role" "iam_role_eks_cluster" { ] } EOF +permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_role_policy_attachment" "eks_cluster_AmazonEKSClusterPolicy" { 
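Review bot: The new `permissions_boundary` variable accepts any string, so a mistyped or non-IAM ARN only surfaces as an `aws_iam_role` failure at apply time; a `validation` block that rejects anything other than empty or an IAM policy ARN moves that to plan. The identical declaration is copied into the efs, eks, kms, pull-through-cache-proxy, s3 and vpc-jumphost module variable.tf files and the orchestrator cluster, pull-through-cache-proxy and vpc roots, so the validation belongs in each, or at minimum in the three roots where the value enters. Several of these files are written without a trailing newline (`\ No newline at end of file`), which `terraform fmt` would normalise.
```terraform
variable "permissions_boundary" {
  description = "ARN of the permissions boundary policy to attach to IAM roles; empty means no boundary"
  type        = string
  default     = ""

  validation {
    condition     = var.permissions_boundary == "" || can(regex("^arn:aws[a-z-]*:iam::[0-9]{12}:policy/", var.permissions_boundary))
    error_message = "permissions_boundary must be empty or an IAM policy ARN."
  }
}
```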
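Review bot: `permissions_boundary` is inserted at column 0 immediately after the `EOF` heredoc terminator, outside the resource's indentation; the same happens in the `eks_nodes` (@@ -149) and `certmgr` (@@ -496) hunks, while `cas_controller` (@@ -464) is indented correctly. Running `terraform fmt` on eks/main.tf before merging would align all four. Each of these `aws_iam_role` blocks starts before its hunk.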
@@ -149,6 +150,7 @@ resource "aws_iam_role" "eks_nodes" { ] } EOF +permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_role_policy_attachment" "AmazonEKSWorkerNodePolicy" { @@ -464,6 +466,7 @@ resource "aws_iam_role" "cas_controller" { ] } EOF + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_role_policy_attachment" "cas_controller" { @@ -496,6 +499,7 @@ resource "aws_iam_role" "certmgr" { ] } EOF +permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_role_policy_attachment" "certmgr_AmazonSSMManagedInstanceCore" { diff --git a/pod-configs/module/eks/variable.tf b/pod-configs/module/eks/variable.tf index 1ccc6fc22..083ccc960 100644 --- a/pod-configs/module/eks/variable.tf +++ b/pod-configs/module/eks/variable.tf @@ -174,3 +174,9 @@ variable "eks_cluster_dns_ip" { default = "" description = "IP address of the DNS server for the cluster, leave empty to use the default DNS server" } + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} diff --git a/pod-configs/module/kms/main.tf b/pod-configs/module/kms/main.tf index 1404ec93c..1f18fa6e9 100644 --- a/pod-configs/module/kms/main.tf +++ b/pod-configs/module/kms/main.tf @@ -60,6 +60,7 @@ resource "aws_iam_role" "vault_kms" { name = "${var.cluster_name}-vault-kms-role" assume_role_policy = data.aws_iam_policy_document.vault_trust_policy.json managed_policy_arns = [aws_iam_policy.vault_kms_policy.arn] + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } # Create service account with role annotation diff --git a/pod-configs/module/kms/variable.tf b/pod-configs/module/kms/variable.tf index 2cce1642f..6edd9abd3 100644 --- a/pod-configs/module/kms/variable.tf +++ b/pod-configs/module/kms/variable.tf 
@@ -13,4 +13,10 @@ variable "aws_account_number" { variable "region" { description = "AWS region" type = string +} + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" } \ No newline at end of file diff --git a/pod-configs/module/pull-through-cache-proxy/ecs.tf b/pod-configs/module/pull-through-cache-proxy/ecs.tf index 08628b617..827cc3fff 100644 --- a/pod-configs/module/pull-through-cache-proxy/ecs.tf +++ b/pod-configs/module/pull-through-cache-proxy/ecs.tf @@ -42,6 +42,7 @@ data "aws_iam_policy_document" "ecs_task_execution_role" { resource "aws_iam_role" "ecs_task_execution_role" { name = "${var.name}-ecs-execution-role" assume_role_policy = data.aws_iam_policy_document.ecs_task_execution_role.json + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_role_policy_attachment" "ecs_task_execution_role" { @@ -90,6 +91,7 @@ resource "aws_iam_role_policy_attachment" "ecs_task_execution_secrets_policy_att resource "aws_iam_role" "ecs_task_role" { name = "${var.name}-ecs-task" assume_role_policy = data.aws_iam_policy_document.ecs_task_role.json + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } resource "aws_iam_policy" "ecs_task_ecr_policy" { diff --git a/pod-configs/module/pull-through-cache-proxy/variable.tf b/pod-configs/module/pull-through-cache-proxy/variable.tf index 260967447..727bab463 100644 --- a/pod-configs/module/pull-through-cache-proxy/variable.tf +++ b/pod-configs/module/pull-through-cache-proxy/variable.tf @@ -77,3 +77,9 @@ variable "with_public_ip" { type = bool default = false } + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} \ No newline at end of file diff --git a/pod-configs/module/s3/main.tf b/pod-configs/module/s3/main.tf index b52b2ea36..80f8a8d2c 100644 
--- a/pod-configs/module/s3/main.tf +++ b/pod-configs/module/s3/main.tf @@ -64,6 +64,7 @@ resource "aws_iam_role" "s3_role" { name = "${var.cluster_name}-s3-role" assume_role_policy = data.aws_iam_policy_document.s3_policy.json managed_policy_arns = [aws_iam_policy.s3_policy.arn] + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null } # S3 diff --git a/pod-configs/module/s3/variable.tf b/pod-configs/module/s3/variable.tf index 659d13b50..78ba849de 100644 --- a/pod-configs/module/s3/variable.tf +++ b/pod-configs/module/s3/variable.tf @@ -26,4 +26,10 @@ variable "create_tracing" { variable "import_buckets" { type = bool default = false +} + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" } \ No newline at end of file diff --git a/pod-configs/module/vpc-jumphost/main.tf b/pod-configs/module/vpc-jumphost/main.tf index 515bc7b5f..6cca53c52 100644 --- a/pod-configs/module/vpc-jumphost/main.tf +++ b/pod-configs/module/vpc-jumphost/main.tf @@ -23,6 +23,7 @@ resource "aws_iam_role" "ec2" { ] } EOF + permissions_boundary = var.permissions_boundary != "" ? var.permissions_boundary : null tags = { Creator = "terraform" Module = path.module diff --git a/pod-configs/module/vpc-jumphost/variable.tf b/pod-configs/module/vpc-jumphost/variable.tf index 1b913dec6..9789d3b66 100644 --- a/pod-configs/module/vpc-jumphost/variable.tf +++ b/pod-configs/module/vpc-jumphost/variable.tf @@ -47,3 +47,9 @@ variable "production" { description = "Whether it is a production environment, this will disable the metadata service and login shell" default = true } + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} \ No newline at end of file diff --git a/pod-configs/orchestrator/cluster/main.tf b/pod-configs/orchestrator/cluster/main.tf index e83aaa35f..5f5c7f3c7 100644 
--- a/pod-configs/orchestrator/cluster/main.tf +++ b/pod-configs/orchestrator/cluster/main.tf @@ -50,6 +50,7 @@ module "eks" { https_proxy = var.eks_https_proxy no_proxy = var.eks_no_proxy eks_cluster_dns_ip = var.eks_cluster_dns_ip + permissions_boundary = var.permissions_boundary } resource "time_sleep" "wait_eks" { @@ -70,6 +71,7 @@ module "s3" { cluster_name = var.eks_cluster_name create_tracing = var.s3_create_tracing import_buckets = var.import_s3_buckets + permissions_boundary = var.permissions_boundary } module "efs" { @@ -87,6 +89,7 @@ module "efs" { cluster_name = var.eks_cluster_name vpc_id = local.vpc_id throughput_mode = var.efs_throughput_mode + permissions_boundary = var.permissions_boundary } module "aurora" { @@ -154,6 +157,7 @@ module "kms" { cluster_name = var.eks_cluster_name aws_account_number = var.aws_account_number region = var.aws_region + permissions_boundary = var.permissions_boundary } module "orch_init" { @@ -205,6 +209,7 @@ module "ec2log" { s3_expire = var.ec2log_s3_expire cloudwatch_expire = var.ec2log_cw_expire s3_prefix = var.s3_prefix + permissions_boundary = var.permissions_boundary } module "aws_lb_controller" { diff --git a/pod-configs/orchestrator/cluster/variable.tf b/pod-configs/orchestrator/cluster/variable.tf index 386ed86fa..d18e95979 100644 --- a/pod-configs/orchestrator/cluster/variable.tf +++ b/pod-configs/orchestrator/cluster/variable.tf @@ -418,3 +418,8 @@ variable "eks_cluster_dns_ip" { description = "IP address of the DNS server for the cluster, leave empty to use the default DNS server" } +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} diff --git a/pod-configs/orchestrator/pull-through-cache-proxy/main.tf b/pod-configs/orchestrator/pull-through-cache-proxy/main.tf index f33e06e21..f23682331 100644 --- a/pod-configs/orchestrator/pull-through-cache-proxy/main.tf 
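Review bot: The boundary is threaded to eks, s3, efs, kms and ec2log, but not to the remaining modules of this root that may create IAM roles — `module "aws_lb_controller"` (context at the end of this hunk) and `module "aurora"` (context in the efs hunk) receive nothing. If an organisation policy requires a boundary on every new role, `terraform apply` will fail on whichever of those modules creates one, so each remaining module should be checked for `aws_iam_role` resources before this merges, or the omission recorded in a comment next to this `permissions_boundary` line. The `module "ec2log"` block starts before this hunk.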
+++ b/pod-configs/orchestrator/pull-through-cache-proxy/main.tf @@ -31,4 +31,5 @@ module "pull_through_cache_proxy" { no_proxy = var.no_proxy route53_zone_name = var.route53_zone_name with_public_ip = var.with_public_ip + permissions_boundary = var.permissions_boundary } diff --git a/pod-configs/orchestrator/pull-through-cache-proxy/variable.tf b/pod-configs/orchestrator/pull-through-cache-proxy/variable.tf index 8ee6f8697..7e51a9bc3 100644 --- a/pod-configs/orchestrator/pull-through-cache-proxy/variable.tf +++ b/pod-configs/orchestrator/pull-through-cache-proxy/variable.tf @@ -62,3 +62,9 @@ variable "with_public_ip" { type = bool default = false } + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} \ No newline at end of file diff --git a/pod-configs/orchestrator/vpc/main.tf b/pod-configs/orchestrator/vpc/main.tf index 7eeed268e..66e8b222b 100644 --- a/pod-configs/orchestrator/vpc/main.tf +++ b/pod-configs/orchestrator/vpc/main.tf @@ -84,6 +84,7 @@ module "jumphost" { subnet = var.jumphost_subnet ip_allow_list = var.jumphost_ip_allow_list production = var.production + permissions_boundary = var.permissions_boundary } # Prepare for output diff --git a/pod-configs/orchestrator/vpc/variable.tf b/pod-configs/orchestrator/vpc/variable.tf index 71fb336e6..0fea9bbf1 100644 --- a/pod-configs/orchestrator/vpc/variable.tf +++ b/pod-configs/orchestrator/vpc/variable.tf @@ -92,3 +92,9 @@ variable "customer_tag" { description = "For customers to specify a tag for AWS resources" default = "" } + +variable "permissions_boundary" { + description = "ARN of the permissions boundary policy to attach to IAM roles" + type = string + default = "" +} \ No newline at end of file diff --git a/pod-configs/utils/provision.sh b/pod-configs/utils/provision.sh index ac83848c7..1b3c96794 100755 --- a/pod-configs/utils/provision.sh +++ b/pod-configs/utils/provision.sh 
@@ -103,6 +103,7 @@ EKS_HTTPS_PROXY="" EKS_NO_PROXY="" EKS_USER_SCRIPT_PRE_CLOUD_INIT="" EKS_USER_SCRIPT_POST_CLOUD_INIT="" +PERMISSIONS_BOUNDARY="${PERMISSIONS_BOUNDARY:-}" OPTIONS_LIST=( "auto" @@ -145,6 +146,7 @@ OPTIONS_LIST=( "num-rds-instances:" "o11y-node-type:" "parent-domain:" + "permissions-boundary:" "profile:" "reduce-ns-ttl" "region:" @@ -207,6 +209,7 @@ usage() { echo " [ --num-rds-instance {Number of RDS instances} ] \\" echo " [ --o11y-node-type {Observability node type} ] \\" echo " [ --parent-domain {PARENT DOMAIN} ] \\" + echo " [ --permissions-boundary {PERMISSIONS BOUNDARY ARN} ] \\" echo " [ --profile {CLUSTER PROFILE TO DEPLOY} ] \\" echo " [ --reduce-ns-ttl ] \\" echo " --region {AWS REGION} \\" @@ -296,6 +299,7 @@ parse_params() { --node-type) EKS_NODE_TYPE=$(eval echo $2); OVERRIDE_EKS_NODE_TYPE=true; shift;; --o11y-node-type) EKS_O11Y_NODE_TYPE=$(eval echo $2); OVERRIDE_EKS_O11Y_NODE_TYPE=true; shift;; -p|--parent-domain) PARENT_DOMAIN=$(eval echo $2); shift;; + --permissions-boundary) PERMISSIONS_BOUNDARY=$(eval echo $2); shift;; --profile) CLUSTER_PROFILE=$(eval echo $2); shift;; -r|--region) AWS_REGION=$(eval echo $2); shift;; --reduce-ns-ttl) REDUCE_NS_TTL=true;; @@ -954,6 +958,10 @@ eks_no_proxy = "$EKS_NO_PROXY" eks_cluster_dns_ip = "$EKS_CLUSTER_DNS_IP" EOF + if [[ -n "$PERMISSIONS_BOUNDARY" ]]; then + echo "permissions_boundary = \"${PERMISSIONS_BOUNDARY}\"" + fi + if [[ -n "$CUSTOMER_TAG" ]]; then echo "customer_tag = \"${CUSTOMER_TAG}\"" fi
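Review bot: `--permissions-boundary) PERMISSIONS_BOUNDARY=$(eval echo $2)` copies the surrounding `eval echo` idiom, which passes the argument through a second round of shell evaluation; an ARN has nothing to expand, so `PERMISSIONS_BOUNDARY=$2` is sufficient and avoids extending that idiom to one more option. The `parse_params` function starts and ends outside the hunk.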
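Review bot: The `permissions_boundary = ...` line is emitted only into this one tfvars heredoc (the block ending with `eks_cluster_dns_ip`, i.e. the cluster root), yet this commit also adds a `permissions_boundary` variable to the vpc and pull-through-cache-proxy roots. If provision.sh writes their tfvars elsewhere in the file, the jumphost and ECS roles will still be created without a boundary; if it does not, how those roots receive the value should be documented next to this block. The new default `PERMISSIONS_BOUNDARY="${PERMISSIONS_BOUNDARY:-}"` in the first hunk also honours an environment variable, unlike the other defaults in that list, which the `usage()` text could mention. The enclosing function starts before this hunk.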