openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 21:46:22 +01:00
Code Issues Releases Activity
Files
bccb026e9beac58ee57722f69a0841cce4e9ce28
openshift-docs/modules/rosa-cli-classic-examples.adoc
mletalie 2906f15e35 CLI tools update
2025-09-17 00:56:10 +00:00

400 lines
9.0 KiB
Plaintext
Raw Blame History

This file contains ambiguous Unicode characters
This file contains Unicode characters that might be confused with other characters. If you think that this is intentional, you can safely ignore this warning. Use the Escape button to reveal them.
// Module included in the following assemblies:
//
// * rosa_cli/rosa-cli-permission-examples.adoc
:_mod-docs-content-type: REFERENCE
[id="rosa-cli-classic-examples_{context}"]
= Least privilege permissions for common {rosa-cli} commands
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building {product-title} clusters.
[id="rosa-create-OIDC-providers-hcp-classic_{context}"]
== Create a managed OpenID Connect (OIDC) provider
Run the following command with the specified permissions to create your managed OIDC provider by using `auto` mode.
.Input
[source,terminal]
----
$ rosa create oidc-config --mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOidcConfig",
"Effect": "Allow",
"Action": [
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
----
[id="rosa-create-unmanaged-OIDC-providers-hcp-classic_{context}"]
== Create an unmanaged OpenID Connect provider
Run the following command with the specified permissions to create your unmanaged OIDC provider by using `auto` mode.
.Input
[source,terminal]
----
$ rosa create oidc-config --mode auto --managed=false
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagOpenIDConnectProvider",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:CreateOpenIDConnectProvider",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketTagging",
"s3:PutBucketPolicy",
"s3:PutObjectTagging",
"s3:PutBucketPublicAccessBlock",
"secretsmanager:CreateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-account-roles-hcp-classic_{context}"]
== List your account roles
Run the following command with the specified permissions to list your account roles.
.Input
[source,terminal]
----
$ rosa list account-roles
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAccountRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-operator-roles-hcp-classic_{context}"]
== List your Operator roles
Run the following command with the specified permissions to list your Operator roles.
.Input
[source,terminal]
----
$ rosa list operator-roles
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-list-OIDC-providers-hcp-classic_{context}"]
== List your OIDC providers
Run the following command with the specified permissions to list your OIDC providers.
.Input
[source,terminal]
----
$ rosa list oidc-providers
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOidcProviders",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:ListOpenIDConnectProviderTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-verify-quota-hcp-classic_{context}"]
== Verify your quota
Run the following command with the specified permissions to verify your quota.
.Input
[source,terminal]
----
$ rosa verify quota
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VerifyQuota",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeAccountLimits",
"servicequotas:ListServiceQuotas"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-oidc-config-hcp-classic_{context}"]
== Delete your managed OIDC configuration
Run the following command with the specified permissions to delete your managed OIDC configuration by using `auto` mode.
.Input
[source,terminal]
----
$ rosa delete oidc-config -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOidcConfig",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-unmanaged-oidc-config-hcp-classic_{context}"]
== Delete your unmanaged OIDC configuration
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using `auto` mode.
.Input
[source,terminal]
----
$ rosa delete oidc-config -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider",
"secretsmanager:DeleteSecret",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucket"
],
"Resource": "*"
}
]
}
----
[id="rosa-min-permissions-required-classic_{context}"]
== Create a cluster
Run the following command with the specified permissions to create a {product-title} cluster with least privilege permissions.
.Input
[source,terminal]
----
$ rosa create cluster
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateCluster",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
----
[id="rosa-create-account-operator-roles-classic_{context}"]
== Create account roles and Operator roles
Run the following command with the specified permissions to create account and Operator roles in `auto' mode.
.Input
[source,terminal]
----
$ rosa create account-roles --mode auto --classic
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAccountOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:UpdateAssumeRolePolicy",
"iam:ListRoleTags",
"iam:GetPolicy",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:TagPolicy",
"iam:CreatePolicy",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-account-roles-classic_{context}"]
== Delete your account roles
Run the following command with the specified permissions to delete the account roles in `auto` mode.
.Input
[source,terminal]
----
$ rosa delete account-roles -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy"
],
"Resource": "*"
}
]
}
----
[id="rosa-delete-operator-roles-classic_{context}"]
== Delete your Operator roles
Run the following command with the specified permissions to delete the Operator roles in `auto` mode.
.Input
[source,terminal]
----
$ rosa delete operator-roles -mode auto
----
.Policy
[source,json]
----
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy"
],
"Resource": "*"
}
]
}
----
View Git Blame Copy Permalink