mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
209 lines
4.9 KiB
Plaintext
209 lines
4.9 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc
|
|
|
|
:_mod-docs-content-type: REFERENCE
|
|
[id="cco-short-term-creds-component-permissions-aws_{context}"]
|
|
= AWS component secret permissions requirements
|
|
|
|
{product-title} components require the following permissions. These values are in the `CredentialsRequest` custom resource (CR) for each component.
|
|
|
|
[NOTE]
|
|
====
|
|
These permissions apply to all resources. Unless specified, there are no request conditions on these permissions.
|
|
====
|
|
|
|
[cols="a,a,a"]
|
|
|====
|
|
|Component |Custom resource |Required permissions for services
|
|
|
|
|{cluster-capi-operator}
|
|
|`openshift-cluster-api-aws`
|
|
|**EC2**
|
|
|
|
* `ec2:CreateTags`
|
|
* `ec2:DescribeAvailabilityZones`
|
|
* `ec2:DescribeDhcpOptions`
|
|
* `ec2:DescribeImages`
|
|
* `ec2:DescribeInstances`
|
|
* `ec2:DescribeInternetGateways`
|
|
* `ec2:DescribeSecurityGroups`
|
|
* `ec2:DescribeSubnets`
|
|
* `ec2:DescribeVpcs`
|
|
* `ec2:DescribeNetworkInterfaces`
|
|
* `ec2:DescribeNetworkInterfaceAttribute`
|
|
* `ec2:ModifyNetworkInterfaceAttribute`
|
|
* `ec2:RunInstances`
|
|
* `ec2:TerminateInstances`
|
|
|
|
**Elastic load balancing**
|
|
|
|
* `elasticloadbalancing:DescribeLoadBalancers`
|
|
* `elasticloadbalancing:DescribeTargetGroups`
|
|
* `elasticloadbalancing:DescribeTargetHealth`
|
|
* `elasticloadbalancing:RegisterInstancesWithLoadBalancer`
|
|
* `elasticloadbalancing:RegisterTargets`
|
|
* `elasticloadbalancing:DeregisterTargets`
|
|
|
|
**Identity and Access Management (IAM)**
|
|
|
|
* `iam:PassRole`
|
|
* `iam:CreateServiceLinkedRole`
|
|
|
|
**Key Management Service (KMS)**
|
|
|
|
* `kms:Decrypt`
|
|
* `kms:Encrypt`
|
|
* `kms:GenerateDataKey`
|
|
* `kms:GenerateDataKeyWithoutPlainText`
|
|
* `kms:DescribeKey`
|
|
* `kms:RevokeGrant`^[1]^
|
|
* `kms:CreateGrant` ^[1]^
|
|
* `kms:ListGrants` ^[1]^
|
|
|
|
|Machine API Operator
|
|
|`openshift-machine-api-aws`
|
|
|**EC2**
|
|
|
|
* `ec2:CreateTags`
|
|
* `ec2:DescribeAvailabilityZones`
|
|
* `ec2:DescribeDhcpOptions`
|
|
* `ec2:DescribeImages`
|
|
* `ec2:DescribeInstances`
|
|
* `ec2:DescribeInstanceTypes`
|
|
* `ec2:DescribeInternetGateways`
|
|
* `ec2:DescribeSecurityGroups`
|
|
* `ec2:DescribeRegions`
|
|
* `ec2:DescribeSubnets`
|
|
* `ec2:DescribeVpcs`
|
|
* `ec2:RunInstances`
|
|
* `ec2:TerminateInstances`
|
|
|
|
**Elastic load balancing**
|
|
|
|
* `elasticloadbalancing:DescribeLoadBalancers`
|
|
* `elasticloadbalancing:DescribeTargetGroups`
|
|
* `elasticloadbalancing:DescribeTargetHealth`
|
|
* `elasticloadbalancing:RegisterInstancesWithLoadBalancer`
|
|
* `elasticloadbalancing:RegisterTargets`
|
|
* `elasticloadbalancing:DeregisterTargets`
|
|
|
|
**Identity and Access Management (IAM)**
|
|
|
|
* `iam:PassRole`
|
|
* `iam:CreateServiceLinkedRole`
|
|
|
|
**Key Management Service (KMS)**
|
|
|
|
* `kms:Decrypt`
|
|
* `kms:Encrypt`
|
|
* `kms:GenerateDataKey`
|
|
* `kms:GenerateDataKeyWithoutPlainText`
|
|
* `kms:DescribeKey`
|
|
* `kms:RevokeGrant`^[1]^
|
|
* `kms:CreateGrant` ^[1]^
|
|
* `kms:ListGrants` ^[1]^
|
|
|
|
|Cloud Credential Operator
|
|
|`cloud-credential-operator-iam-ro`
|
|
|**Identity and Access Management (IAM)**
|
|
|
|
* `iam:GetUser`
|
|
* `iam:GetUserPolicy`
|
|
* `iam:ListAccessKeys`
|
|
|
|
|Cluster Image Registry Operator
|
|
|`openshift-image-registry`
|
|
|**S3**
|
|
|
|
* `s3:CreateBucket`
|
|
* `s3:DeleteBucket`
|
|
* `s3:PutBucketTagging`
|
|
* `s3:GetBucketTagging`
|
|
* `s3:PutBucketPublicAccessBlock`
|
|
* `s3:GetBucketPublicAccessBlock`
|
|
* `s3:PutEncryptionConfiguration`
|
|
* `s3:GetEncryptionConfiguration`
|
|
* `s3:PutLifecycleConfiguration`
|
|
* `s3:GetLifecycleConfiguration`
|
|
* `s3:GetBucketLocation`
|
|
* `s3:ListBucket`
|
|
* `s3:GetObject`
|
|
* `s3:PutObject`
|
|
* `s3:DeleteObject`
|
|
* `s3:ListBucketMultipartUploads`
|
|
* `s3:AbortMultipartUpload`
|
|
* `s3:ListMultipartUploadParts`
|
|
|
|
|Ingress Operator
|
|
|`openshift-ingress`
|
|
|**Elastic load balancing**
|
|
|
|
* `elasticloadbalancing:DescribeLoadBalancers`
|
|
|
|
**Route 53**
|
|
|
|
* `route53:ListHostedZones`
|
|
* `route53:ListTagsForResources`
|
|
* `route53:ChangeResourceRecordSets`
|
|
|
|
**Tag**
|
|
|
|
* `tag:GetResources`
|
|
|
|
**Security Token Service (STS)**
|
|
|
|
* `sts:AssumeRole`
|
|
|
|
|Cluster Network Operator
|
|
|`openshift-cloud-network-config-controller-aws`
|
|
|**EC2**
|
|
|
|
* `ec2:DescribeInstances`
|
|
* `ec2:DescribeInstanceStatus`
|
|
* `ec2:DescribeInstanceTypes`
|
|
* `ec2:UnassignPrivateIpAddresses`
|
|
* `ec2:AssignPrivateIpAddresses`
|
|
* `ec2:UnassignIpv6Addresses`
|
|
* `ec2:AssignIpv6Addresses`
|
|
* `ec2:DescribeSubnets`
|
|
* `ec2:DescribeNetworkInterfaces`
|
|
|
|
|AWS Elastic Block Store CSI Driver Operator
|
|
|`aws-ebs-csi-driver-operator`
|
|
|**EC2**
|
|
|
|
* `ec2:AttachVolume`
|
|
* `ec2:CreateSnapshot`
|
|
* `ec2:CreateTags`
|
|
* `ec2:CreateVolume`
|
|
* `ec2:DeleteSnapshot`
|
|
* `ec2:DeleteTags`
|
|
* `ec2:DeleteVolume`
|
|
* `ec2:DescribeInstances`
|
|
* `ec2:DescribeSnapshots`
|
|
* `ec2:DescribeTags`
|
|
* `ec2:DescribeVolumes`
|
|
* `ec2:DescribeVolumesModifications`
|
|
* `ec2:DetachVolume`
|
|
* `ec2:ModifyVolume`
|
|
* `ec2:DescribeAvailabilityZones`
|
|
* `ec2:EnableFastSnapshotRestores`
|
|
|
|
**Key Management Service (KMS)**
|
|
|
|
* `kms:ReEncrypt*`
|
|
* `kms:Decrypt`
|
|
* `kms:Encrypt`
|
|
* `kms:GenerateDataKey`
|
|
* `kms:GenerateDataKeyWithoutPlainText`
|
|
* `kms:DescribeKey`
|
|
* `kms:RevokeGrant`^[1]^
|
|
* `kms:CreateGrant` ^[1]^
|
|
* `kms:ListGrants` ^[1]^
|
|
|
|
|====
|
|
[.small]
|
|
--
|
|
1. Request condition: `kms:GrantIsForAWSResource: true`
|
|
-- |