diff --git a/modules/rosa-sts-account-wide-roles-and-policies.adoc b/modules/rosa-sts-account-wide-roles-and-policies.adoc
index 3ac8e26b36..5a3e5b7316 100644
--- a/modules/rosa-sts-account-wide-roles-and-policies.adoc
+++ b/modules/rosa-sts-account-wide-roles-and-policies.adoc
@@ -7,12 +7,12 @@
 This section provides details about the account-wide IAM roles and policies that are required for ROSA deployments that use STS, including the Operator policies. It also includes the JSON files that define the policies.
-The account-wide roles and policies are specific to an OpenShift minor release version, for example OpenShift 4.17, and are backward compatible. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.
+The account-wide roles and policies are specific to an {product-title} minor release version, for example {product-title} 4.17, and are compatible with earlier versions. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods_{context}"]
 == Methods of account-wide role creation
-You can create account-wide roles by using the {product-title} (ROSA) CLI, `rosa`, or the {cluster-manager-url} guided installation. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
+You can create account-wide roles by using the {product-title} (ROSA) CLI, `rosa`, or the {cluster-manager-url} guided installation. You can create the roles manually or by using an automatic process that uses predefined names for these roles and polices.
 [discrete]
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods-manual_{context}"]
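Review bot: The rewritten line `+You can create account-wide roles by using ...` still ends with the misspelling `polices`; since the commit already edits this line to change `pre-defined` to `predefined`, the same line should be corrected to `names for these roles and policies`.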
@@ -52,22 +52,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
- ]
- },
- "Action": [
- "sts:AssumeRole"
- ]
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_trust_policy.json[]
 ----
 ====
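Review bot: The added `include::` resolves `refs/heads/master` of openshift/managed-cluster-config at build time, so this section renders whatever that branch holds when the docs are built rather than a fixed 4.17 policy text, even though the `4.17/` path component reads as if the content were pinned; the same applies to every `include::` added in this file and in rosa-sts-aws-requirements-attaching-boundary-policy.adoc. Because these are the IAM documents readers copy into their own AWS accounts, unreviewed drift between two builds of the same docs is worth avoiding, and pinning the reference to a tag or commit, e.g. `include::https://raw.githubusercontent.com/openshift/managed-cluster-config/<COMMIT-SHA-PLACEHOLDER>/resources/sts/4.17/sts_installer_trust_policy.json[]`, makes each build reproducible and lets a policy change be reviewed as a docs change. Remote includes are also only honoured when Asciidoctor runs with `allow-uri-read`; without it, or when the fetch fails, the page typically shows an unresolved-directive message in place of the policy, which the build should be checked for before merge.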
@@ -76,216 +61,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "ec2:AllocateAddress", - "ec2:AssociateAddress", - "ec2:AssociateDhcpOptions", - "ec2:AssociateRouteTable", - "ec2:AttachInternetGateway", - "ec2:AttachNetworkInterface", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CopyImage", - "ec2:CreateDhcpOptions", - "ec2:CreateInternetGateway", - "ec2:CreateNatGateway", - "ec2:CreateNetworkInterface", - "ec2:CreateRoute", - "ec2:CreateRouteTable", - "ec2:CreateSecurityGroup", - "ec2:CreateSubnet", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:CreateVpc", - "ec2:CreateVpcEndpoint", - "ec2:DeleteDhcpOptions", - "ec2:DeleteInternetGateway", - "ec2:DeleteNatGateway", - "ec2:DeleteNetworkInterface", - "ec2:DeleteRoute", - "ec2:DeleteRouteTable", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSnapshot", - "ec2:DeleteSubnet", - "ec2:DeleteTags", - "ec2:DeleteVolume", - "ec2:DeleteVpc", - "ec2:DeleteVpcEndpoints", - "ec2:DeregisterImage", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeDhcpOptions", - "ec2:DescribeImages", - "ec2:DescribeInstanceAttribute", - "ec2:DescribeInstanceCreditSpecifications", - "ec2:DescribeInstances", - "ec2:DescribeInstanceStatus", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInternetGateways", - "ec2:DescribeKeyPairs", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - "ec2:DescribeRegions", - "ec2:DescribeReservedInstancesOfferings", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVpcAttribute", - 
"ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:DetachInternetGateway", - "ec2:DisassociateRouteTable", - "ec2:GetConsoleOutput", - "ec2:GetEbsDefaultKmsKeyId", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:ModifyVpcAttribute", - "ec2:ReleaseAddress", - "ec2:ReplaceRouteTableAssociation", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RunInstances", - "ec2:StartInstances", - "ec2:StopInstances", - "ec2:TerminateInstances", - "elasticloadbalancing:AddTags", - "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeAccountLimits", - "elasticloadbalancing:DescribeInstanceHealth", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:AddRoleToInstanceProfile", - "iam:CreateInstanceProfile", - 
"iam:DeleteInstanceProfile", - "iam:GetInstanceProfile", - "iam:TagInstanceProfile", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:GetUser", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfiles", - "iam:ListInstanceProfilesForRole", - "iam:ListRolePolicies", - "iam:ListRoles", - "iam:ListUserPolicies", - "iam:ListUsers", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "iam:SimulatePrincipalPolicy", - "iam:TagRole", - "iam:UntagRole", - "route53:ChangeResourceRecordSets", - "route53:ChangeTagsForResource", - "route53:CreateHostedZone", - "route53:DeleteHostedZone", - "route53:GetAccountLimit", - "route53:GetChange", - "route53:GetHostedZone", - "route53:ListHostedZones", - "route53:ListHostedZonesByName", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "route53:UpdateHostedZoneComment", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteObject", - "s3:DeleteObjectVersion", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLocation", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetObjectAcl", - "s3:GetObjectTagging", - "s3:GetObjectVersion", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutBucketAcl", - "s3:PutBucketTagging", - "s3:PutBucketVersioning", - "s3:PutEncryptionConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectTagging", - "servicequotas:GetServiceQuota", - "servicequotas:ListAWSDefaultServiceQuotas", - "sts:AssumeRole", - "sts:AssumeRoleWithWebIdentity", - "sts:GetCallerIdentity", - "tag:GetResources", - "tag:UntagResources", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:DeleteVpcEndpointServiceConfigurations", - 
"ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:ModifyVpcEndpointServicePermissions", - "kms:DescribeKey", - "cloudwatch:GetMetricData" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/red-hat-managed": "true" - } - } - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_permission_policy.json[] ---- ==== @@ -308,22 +84,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Principal": { - "Service": [ - "ec2.amazonaws.com" - ] - }, - "Action": [ - "sts:AssumeRole" - ] - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_instance_controlplane_trust_policy.json[] ---- ==== 
@@ -332,55 +93,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AttachVolume",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:CreateSecurityGroup",
- "ec2:CreateTags",
- "ec2:CreateVolume",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteVolume",
- "ec2:Describe*",
- "ec2:DetachVolume",
- "ec2:ModifyInstanceAttribute",
- "ec2:ModifyVolume",
- "ec2:RevokeSecurityGroupIngress",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:AttachLoadBalancerToSubnets",
- "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
- "elasticloadbalancing:CreateListener",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerPolicy",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:CreateTargetGroup",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DeleteListener",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:DeleteTargetGroup",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:DeregisterTargets",
- "elasticloadbalancing:Describe*",
- "elasticloadbalancing:DetachLoadBalancerFromSubnets",
- "elasticloadbalancing:ModifyListener",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:ModifyTargetGroup",
- "elasticloadbalancing:ModifyTargetGroupAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:RegisterTargets",
- "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
- "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
- "kms:DescribeKey"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_instance_controlplane_permission_policy.json[]
 ----
 ====
@@ -403,22 +116,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "Service": [
- "ec2.amazonaws.com"
- ]
- },
- "Action": [
- "sts:AssumeRole"
- ]
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_instance_worker_trust_policy.json[]
 ----
 ====
@@ -427,19 +125,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeInstances"
- "ec2:DescribeRegions"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_instance_worker_permission_policy.json[]
 ----
 ====
@@ -462,22 +148,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": [
- "arn:aws:iam::710019948333:role/RH-Technical-Support-Access"
- ]
- },
- "Action": [
- "sts:AssumeRole"
- ]
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_support_trust_policy.json[]
 ----
 ====
@@ -486,175 +157,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "cloudtrail:DescribeTrails", - "cloudtrail:LookupEvents", - "cloudwatch:GetMetricData", - "cloudwatch:GetMetricStatistics", - "cloudwatch:ListMetrics", - "ec2-instance-connect:SendSerialConsoleSSHPublicKey", - "ec2:CopySnapshot", - "ec2:CreateNetworkInsightsPath", - "ec2:CreateSnapshot", - "ec2:CreateSnapshots", - "ec2:CreateTags", - "ec2:DeleteNetworkInsightsAnalysis", - "ec2:DeleteNetworkInsightsPath", - "ec2:DeleteTags", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAddressesAttribute", - "ec2:DescribeAggregateIdFormat", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeByoipCidrs", - "ec2:DescribeCapacityReservations", - "ec2:DescribeCarrierGateways", - "ec2:DescribeClassicLinkInstances", - "ec2:DescribeClientVpnAuthorizationRules", - "ec2:DescribeClientVpnConnections", - "ec2:DescribeClientVpnEndpoints", - "ec2:DescribeClientVpnRoutes", - "ec2:DescribeClientVpnTargetNetworks", - "ec2:DescribeCoipPools", - "ec2:DescribeCustomerGateways", - "ec2:DescribeDhcpOptions", - "ec2:DescribeEgressOnlyInternetGateways", - "ec2:DescribeIamInstanceProfileAssociations", - "ec2:DescribeIdentityIdFormat", - "ec2:DescribeIdFormat", - "ec2:DescribeImageAttribute", - "ec2:DescribeImages", - "ec2:DescribeInstanceAttribute", - "ec2:DescribeInstances", - "ec2:DescribeInstanceStatus", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInternetGateways", - "ec2:DescribeIpv6Pools", - "ec2:DescribeKeyPairs", - "ec2:DescribeLaunchTemplates", - "ec2:DescribeLocalGatewayRouteTables", - "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations", - "ec2:DescribeLocalGatewayRouteTableVpcAssociations", - "ec2:DescribeLocalGateways", - "ec2:DescribeLocalGatewayVirtualInterfaceGroups", - 
"ec2:DescribeLocalGatewayVirtualInterfaces", - "ec2:DescribeManagedPrefixLists", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInsightsAnalyses", - "ec2:DescribeNetworkInsightsPaths", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePlacementGroups", - "ec2:DescribePrefixLists", - "ec2:DescribePrincipalIdFormat", - "ec2:DescribePublicIpv4Pools", - "ec2:DescribeRegions", - "ec2:DescribeReservedInstances", - "ec2:DescribeRouteTables", - "ec2:DescribeScheduledInstances", - "ec2:DescribeSecurityGroupReferences", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSnapshotAttribute", - "ec2:DescribeSnapshots", - "ec2:DescribeSpotFleetInstances", - "ec2:DescribeStaleSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeTransitGatewayAttachments", - "ec2:DescribeTransitGatewayConnectPeers", - "ec2:DescribeTransitGatewayConnects", - "ec2:DescribeTransitGatewayMulticastDomains", - "ec2:DescribeTransitGatewayPeeringAttachments", - "ec2:DescribeTransitGatewayRouteTables", - "ec2:DescribeTransitGateways", - "ec2:DescribeTransitGatewayVpcAttachments", - "ec2:DescribeVolumeAttribute", - "ec2:DescribeVolumeStatus", - "ec2:DescribeVolumes", - "ec2:DescribeVolumesModifications", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpointConnectionNotifications", - "ec2:DescribeVpcEndpointConnections", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeVpcs", - "ec2:DescribeVpnConnections", - "ec2:DescribeVpnGateways", - "ec2:GetAssociatedIpv6PoolCidrs", - "ec2:GetConsoleOutput", - "ec2:GetManagedPrefixListEntries", - "ec2:GetSerialConsoleAccessStatus", - "ec2:GetTransitGatewayAttachmentPropagations", - "ec2:GetTransitGatewayMulticastDomainAssociations", - 
"ec2:GetTransitGatewayPrefixListReferences", - "ec2:GetTransitGatewayRouteTableAssociations", - "ec2:GetTransitGatewayRouteTablePropagations", - "ec2:ModifyInstanceAttribute", - "ec2:RebootInstances", - "ec2:RunInstances", - "ec2:SearchLocalGatewayRoutes", - "ec2:SearchTransitGatewayMulticastGroups", - "ec2:SearchTransitGatewayRoutes", - "ec2:StartInstances", - "ec2:StartNetworkInsightsAnalysis", - "ec2:StopInstances", - "ec2:TerminateInstances", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DescribeAccountLimits", - "elasticloadbalancing:DescribeInstanceHealth", - "elasticloadbalancing:DescribeListenerCertificates", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancerPolicies", - "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeRules", - "elasticloadbalancing:DescribeSSLPolicies", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "iam:GetRole", - "iam:ListRoles", - "kms:CreateGrant", - "route53:GetHostedZone", - "route53:GetHostedZoneCount", - "route53:ListHostedZones", - "route53:ListHostedZonesByName", - "route53:ListResourceRecordSets", - "s3:GetBucketTagging", - "s3:GetObjectAcl", - "s3:GetObjectTagging", - "s3:ListAllMyBuckets" - "sts:DecodeAuthorizationMessage", - "tiros:CreateQuery", - "tiros:GetQueryAnswer", - "tiros:GetQueryExplanation" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": "s3:ListBucket", - "Resource": [ - "arn:aws:s3:::managed-velero*", - "arn:aws:s3:::*image-registry*" - ] - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_support_permission_policy.json[] ---- ==== 
@@ -674,23 +177,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
- },
- "Action": "sts:AssumeRole",
- "Condition": {
- "StringEquals": {
- "sts:ExternalId": ""
- }
- }
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_ocm_trust_policy.json[]
 ----
 ====
@@ -710,23 +197,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Principal": {
- "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
- },
- "Action": "sts:AssumeRole",
- "Condition": {
- "StringEquals": {
- "sts:ExternalId": ""
- }
- }
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_trust_policy.json[]
 ----
 ====
@@ -784,21 +255,7 @@ I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:DescribeLoadBalancers",
- "route53:ListHostedZones",
- "route53:ChangeResourceRecordSets",
- "tag:GetResources"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/openshift_ingress_operator_cloud_credentials_policy.json[]
 ----
 ====
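Review bot: The hunk at `@@ -710,23 +197,7 @@` swaps in `sts_installer_trust_policy.json`, the same file the `@@ -52` hunk already includes, so two sections of the page now render identical content; on the removed side this section's policy carried a `sts:ExternalId` condition that, judging by the `@@ -52` removed text, the installer trust policy does not have. The two removed blocks at `@@ -674` and `@@ -710` were themselves identical, so the old page had a duplicate too, but the new side now makes the two sections diverge in a way that looks like the wrong file was selected here, possibly the trust policy of a different role. The section heading is outside the hunk, so this is inferred from the include paths alone and is worth confirming against the upstream directory listing before merge.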
@@ -818,31 +275,7 @@ I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AttachVolume",
- "ec2:CreateSnapshot",
- "ec2:CreateTags",
- "ec2:CreateVolume",
- "ec2:DeleteSnapshot",
- "ec2:DeleteTags",
- "ec2:DeleteVolume",
- "ec2:DescribeInstances",
- "ec2:DescribeSnapshots",
- "ec2:DescribeTags",
- "ec2:DescribeVolumes",
- "ec2:DescribeVolumesModifications",
- "ec2:DetachVolume",
- "ec2:ModifyVolume"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json[]
 ----
 ====
@@ -862,61 +295,7 @@ I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "ec2:CreateTags", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeDhcpOptions", - "ec2:DescribeImages", - "ec2:DescribeInstances", - "ec2:DescribeInternetGateways", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSubnets", - "ec2:DescribeVpcs", - "ec2:RunInstances", - "ec2:TerminateInstances", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:DeregisterTargets", - "iam:PassRole", - "iam:CreateServiceLinkedRole" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "kms:Decrypt", - "kms:Encrypt", - "kms:GenerateDataKey", - "kms:GenerateDataKeyWithoutPlainText", - "kms:DescribeKey" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "kms:RevokeGrant", - "kms:CreateGrant", - "kms:ListGrants" - ], - "Resource": "*", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": true - } - } - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/openshift_machine_api_aws_cloud_credentials_policy.json[] ---- ==== @@ -936,20 +315,7 @@ I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "iam:GetUser", - "iam:GetUserPolicy", - "iam:ListAccessKeys" - ], - "Resource": "*" - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json[] ---- ==== 
@@ -969,34 +335,6 @@ I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:PutBucketTagging",
- "s3:GetBucketTagging",
- "s3:PutBucketPublicAccessBlock",
- "s3:GetBucketPublicAccessBlock",
- "s3:PutEncryptionConfiguration",
- "s3:GetEncryptionConfiguration",
- "s3:PutLifecycleConfiguration",
- "s3:GetLifecycleConfiguration",
- "s3:GetBucketLocation",
- "s3:ListBucket",
- "s3:GetObject",
- "s3:PutObject",
- "s3:DeleteObject",
- "s3:ListBucketMultipartUploads",
- "s3:AbortMultipartUpload",
- "s3:ListMultipartUploadParts"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/openshift_image_registry_installer_cloud_credentials_policy.json[]
 ----
 ====
diff --git a/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
index 1e1d9eca4a..a7cd960941 100644
--- a/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
+++ b/modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
@@ -42,193 +42,7 @@ This example procedure is applicable for an installer role and policy with the m ==== [source,json] ---- -{ - "Version": "2012-10-17", - "Statement": [ - { - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "ec2:AllocateAddress", - "ec2:AssociateAddress", - "ec2:AttachNetworkInterface", - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CopyImage", - "ec2:CreateNetworkInterface", - "ec2:CreateSecurityGroup", - "ec2:CreateTags", - "ec2:CreateVolume", - "ec2:DeleteNetworkInterface", - "ec2:DeleteSecurityGroup", - "ec2:DeleteSnapshot", - "ec2:DeleteTags", - "ec2:DeleteVolume", - "ec2:DeregisterImage", - "ec2:DescribeAccountAttributes", - "ec2:DescribeAddresses", - "ec2:DescribeAvailabilityZones", - "ec2:DescribeDhcpOptions", - "ec2:DescribeImages", - "ec2:DescribeInstanceAttribute", - "ec2:DescribeInstanceCreditSpecifications", - "ec2:DescribeInstances", - "ec2:DescribeInstanceStatus", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeInstanceTypes", - "ec2:DescribeInternetGateways", - "ec2:DescribeKeyPairs", - "ec2:DescribeNatGateways", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaces", - "ec2:DescribePrefixLists", - "ec2:DescribeRegions", - "ec2:DescribeReservedInstancesOfferings", - "ec2:DescribeRouteTables", - "ec2:DescribeSecurityGroups", - "ec2:DescribeSecurityGroupRules", - "ec2:DescribeSubnets", - "ec2:DescribeTags", - "ec2:DescribeVolumes", - "ec2:DescribeVpcAttribute", - "ec2:DescribeVpcClassicLink", - "ec2:DescribeVpcClassicLinkDnsSupport", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcs", - "ec2:GetConsoleOutput", - "ec2:GetEbsDefaultKmsKeyId", - "ec2:ModifyInstanceAttribute", - "ec2:ModifyNetworkInterfaceAttribute", - "ec2:ReleaseAddress", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:RunInstances", - "ec2:StartInstances", - "ec2:StopInstances", - "ec2:TerminateInstances", - "elasticloadbalancing:AddTags", - 
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", - "elasticloadbalancing:AttachLoadBalancerToSubnets", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:CreateListener", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:CreateTargetGroup", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:DeleteTargetGroup", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DeregisterTargets", - "elasticloadbalancing:DescribeInstanceHealth", - "elasticloadbalancing:DescribeListeners", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeTags", - "elasticloadbalancing:DescribeTargetGroupAttributes", - "elasticloadbalancing:DescribeTargetGroups", - "elasticloadbalancing:DescribeTargetHealth", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:ModifyTargetGroup", - "elasticloadbalancing:ModifyTargetGroupAttributes", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:RegisterTargets", - "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", - "iam:AddRoleToInstanceProfile", - "iam:CreateInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:GetInstanceProfile", - "iam:TagInstanceProfile", - "iam:GetRole", - "iam:GetRolePolicy", - "iam:GetUser", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfiles", - "iam:ListInstanceProfilesForRole", - "iam:ListRolePolicies", - "iam:ListRoles", - "iam:ListUserPolicies", - "iam:ListUsers", - "iam:PassRole", - "iam:RemoveRoleFromInstanceProfile", - "iam:SimulatePrincipalPolicy", - "iam:TagRole", - "iam:UntagRole", - "route53:ChangeResourceRecordSets", - "route53:ChangeTagsForResource", - "route53:CreateHostedZone", - "route53:DeleteHostedZone", - "route53:GetAccountLimit", - "route53:GetChange", - "route53:GetHostedZone", - 
"route53:ListHostedZones", - "route53:ListHostedZonesByName", - "route53:ListResourceRecordSets", - "route53:ListTagsForResource", - "route53:UpdateHostedZoneComment", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:DeleteObject", - "s3:GetAccelerateConfiguration", - "s3:GetBucketAcl", - "s3:GetBucketCORS", - "s3:GetBucketLocation", - "s3:GetBucketLogging", - "s3:GetBucketObjectLockConfiguration", - "s3:GetBucketPolicy", - "s3:GetBucketRequestPayment", - "s3:GetBucketTagging", - "s3:GetBucketVersioning", - "s3:GetBucketWebsite", - "s3:GetEncryptionConfiguration", - "s3:GetLifecycleConfiguration", - "s3:GetObject", - "s3:GetObjectAcl", - "s3:GetObjectTagging", - "s3:GetObjectVersion", - "s3:GetReplicationConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions", - "s3:PutBucketAcl", - "s3:PutBucketTagging", - "s3:PutEncryptionConfiguration", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:PutObjectTagging", - "servicequotas:GetServiceQuota", - "servicequotas:ListAWSDefaultServiceQuotas", - "sts:AssumeRole", - "sts:AssumeRoleWithWebIdentity", - "sts:GetCallerIdentity", - "tag:GetResources", - "tag:UntagResources", - "kms:DescribeKey", - "cloudwatch:GetMetricData", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:CreateVpcEndpoint", - "ec2:DeleteVpcEndpoints", - "ec2:CreateVpcEndpointServiceConfiguration", - "ec2:DeleteVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServiceConfigurations", - "ec2:DescribeVpcEndpointServicePermissions", - "ec2:DescribeVpcEndpointServices", - "ec2:ModifyVpcEndpointServicePermissions" - ], - "Resource": "*" - }, - { - "Effect": "Allow", - "Action": [ - "secretsmanager:GetSecretValue" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "aws:ResourceTag/red-hat-managed": "true" - } - } - } - ] -} +include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_core_permission_boundary_policy.json[] ---- ==== 
@@ -314,24 +128,7 @@ For more examples of PL and VPC permission boundary policies see:
 ====
 [source,json]
 ----
-{
-"Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:ModifyVpcEndpointServiceConfiguration",
- "route53:ListHostedZonesByVPC",
- "route53:CreateVPCAssociationAuthorization",
- "route53:AssociateVPCWithHostedZone",
- "route53:DeleteVPCAssociationAuthorization",
- "route53:DisassociateVPCFromHostedZone",
- "route53:ChangeResourceRecordSets"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_privatelink_permission_boundary_policy.json[]
 ----
 ====
+
@@ -340,36 +137,6 @@ For more examples of PL and VPC permission boundary policies see:
 ====
 [source,json]
 ----
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Effect": "Allow",
- "Action": [
- "ec2:AssociateDhcpOptions",
- "ec2:AssociateRouteTable",
- "ec2:AttachInternetGateway",
- "ec2:CreateDhcpOptions",
- "ec2:CreateInternetGateway",
- "ec2:CreateNatGateway",
- "ec2:CreateRouteTable",
- "ec2:CreateSubnet",
- "ec2:CreateVpc",
- "ec2:DeleteDhcpOptions",
- "ec2:DeleteInternetGateway",
- "ec2:DeleteNatGateway",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSubnet",
- "ec2:DeleteVpc",
- "ec2:DetachInternetGateway",
- "ec2:DisassociateRouteTable",
- "ec2:ModifySubnetAttribute",
- "ec2:ModifyVpcAttribute",
- "ec2:ReplaceRouteTableAssociation"
- ],
- "Resource": "*"
- }
- ]
-}
+include::https://raw.githubusercontent.com/openshift/managed-cluster-config/refs/heads/master/resources/sts/4.17/sts_installer_vpc_permission_boundary_policy.json[]
 ----
 ====