openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 00:48:01 +01:00
Code Issues Releases Activity
Files
b861fb8d1fe02da170cbb977e5f74d9d1d76384c
openshift-docs/modules/rosa-cli-hcp-classic-examples.adoc
mletalie 9d59161388 ROSA CLI permissions
2024-04-09 14:36:54 +00:00

254 lines
5.7 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Module included in the following assemblies:
//
// * rosa_cli/rosa-cli-permission-examples.adoc
:_mod-docs-content-type: REFERENCE
[id="rosa-cli-hcp-classic-examples_{context}"]
= Least privilege permissions for common ROSA CLI commands
The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
[id="rosa-create-OIDC-providers-hcp-classic_{context}"]
== Create a managed OpenID Connect (OIDC) provider
Run the following command with the specified permissions to create your managed OIDC provider by using `auto` mode.
.Input
[source,terminal]
----
$ rosa create oidc-config --mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOidcConfig",
"Effect": "Allow",
"Action": [
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
----
[id="rosa-create-unmanaged-OIDC-providers-hcp-classic_{context}"]
== Create an unmanaged OpenID Connect provider
Run the following command with the specified permissions to create your unmanaged OIDC provider by using `auto` mode.
.Input
[source,terminal]
----
$ rosa create oidc-config --mode auto --managed=false
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagOpenIDConnectProvider",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:CreateOpenIDConnectProvider",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketTagging",
"s3:PutBucketPolicy",
"s3:PutObjectTagging",
"s3:PutBucketPublicAccessBlock",
"secretsmanager:CreateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-account-roles-hcp-classic_{context}"]
== List your account roles
Run the following command with the specified permissions to list your account roles.
.Input
[source,terminal]
----
$ rosa list account-roles
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAccountRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-operator-roles-hcp-classic_{context}"]
== List your Operator roles
Run the following command with the specified permissions to list your Operator roles.
.Input
[source,terminal]
----
$ rosa list operator-roles
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-OIDC-providers-hcp-classic_{context}"]
== List your OIDC providers
Run the following command with the specified permissions to list your OIDC providers.
.Input
[source,terminal]
----
$ rosa list oidc-providers
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOidcProviders",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:ListOpenIDConnectProviderTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-verify-quota-hcp-classic_{context}"]
== Verify your quota
Run the following command with the specified permissions to verify your quota.
.Input
[source,terminal]
----
$ rosa verify quota
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VerifyQuota",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeAccountLimits",
"servicequotas:ListServiceQuotas"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-oidc-config-hcp-classic_{context}"]
== Delete your managed OIDC configuration
Run the following command with the specified permissions to delete your managed OIDC configuration by using `auto` mode.
.Input
[source,terminal]
----
$ rosa delete oidc-config -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOidcConfig",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-unmanaged-oidc-config-hcp-classic_{context}"]
== Delete your unmanaged OIDC configuration
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using `auto` mode.
.Input
[source,terminal]
----
$ rosa delete oidc-config -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider",
"secretsmanager:DeleteSecret",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucket"
],
"Resource": "*"
}
]
}
----
View Git Blame Copy Permalink