openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-07 09:46:53 +01:00
Code Issues Releases Activity
Files
b861fb8d1fe02da170cbb977e5f74d9d1d76384c
openshift-docs/modules/rosa-cli-hcp-examples.adoc
mletalie 9d59161388 ROSA CLI permissions
2024-04-09 14:36:54 +00:00

149 lines
3.4 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Module included in the following assemblies:
//
// * rosa_cli/rosa-cli-permission-examples.adoc
:_mod-docs-content-type: REFERENCE
[id="rosa-cli-hcp-examples_{context}"]
= Least privilege permissions for common ROSA with HCP CLI commands
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.
[id="rosa-create-hcp-cluster_{context}"]
== Create a cluster
Run the following command with the specified permissions to create ROSA with HCP clusters.
.Input
[source,terminal]
----
$ rosa create cluster --hosted-cp
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateCluster",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
}
]
}
----
[id="rosa-create-account-operator-roles-hcp_{context}"]
== Create your account roles and Operator roles
Run the following command with the specified permissions to create account and Operator roles by using `auto` mode.
.Input
[source,terminal]
----
$ rosa create account-roles --mode auto --hosted-cp
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAccountRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:UpdateAssumeRolePolicy",
"iam:ListRoleTags",
"iam:GetPolicy",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-account-roles-hcp_{context}"]
== Delete your account roles
Run the following command with the specified permissions to delete the account roles in `auto` mode.
.Input
[source,terminal]
----
$ rosa delete account-roles -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteAccountRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-operator-roles-hcp_{context}"]
== Delete your Operator roles
Run the following command with the specified permissions to delete your Operator roles in `auto` mode.
.Input
[source,terminal]
----
$ rosa delete operator-roles -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole"
],
"Resource": "*"
}
]
}
----
View Git Blame Copy Permalink