mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/rosa-cli-classic-examples.adoc
2024-04-09 14:36:54 +00:00

// Module included in the following assemblies:
//
// * rosa_cli/rosa-cli-permission-examples.adoc

:_mod-docs-content-type: REFERENCE
[id="rosa-cli-classic-examples_{context}"]
= Least privilege permissions for common ROSA Classic CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.

[id="rosa-min-permissions-required-classic_{context}"]
== Create a cluster

Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.

.Input
[source,terminal]
----
$ rosa create cluster
----

.Policy
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}
----

[id="rosa-create-account-operator-roles-classic_{context}"]
== Create account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles in `auto` mode.

.Input
[source,terminal]
----
$ rosa create account-roles --mode auto --classic
----

.Policy
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}
----

[id="rosa-delete-account-roles-classic_{context}"]
== Delete your account roles

Run the following command with the specified permissions to delete the account roles in `auto` mode.

.Input
[source,terminal]
----
$ rosa delete account-roles --mode auto
----

.Policy
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}
----

[id="rosa-delete-operator-roles-classic_{context}"]
== Delete your Operator roles

Run the following command with the specified permissions to delete the Operator roles in `auto` mode.

.Input
[source,terminal]
----
$ rosa delete operator-roles --mode auto
----

.Policy
[source,json]
----
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}
----
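
The action lists above can also be used to review an existing IAM policy before it is attached to the identity that runs a given `rosa` command. The following Python sketch is an added example, not part of the OpenShift documentation or the ROSA CLI: the names `allowed_patterns` and `audit` and the sample policy are hypothetical, and it compares `Action` patterns only.

```python
import fnmatch

# Action lists copied from the policies on this page, keyed by ROSA CLI command.
_DELETE_ROLES = {
    "iam:GetRole", "iam:ListInstanceProfilesForRole", "iam:DetachRolePolicy",
    "iam:ListAttachedRolePolicies", "iam:ListRoles", "iam:DeleteRole",
    "iam:ListRolePolicies", "iam:GetPolicy", "iam:ListPolicyVersions",
    "iam:DeletePolicy"}
REQUIRED = {
    "create cluster": {"iam:GetRole", "iam:ListRoleTags", "iam:ListRoles"},
    "create account-roles": {
        "iam:GetRole", "iam:UpdateAssumeRolePolicy", "iam:ListRoleTags",
        "iam:GetPolicy", "iam:TagRole", "iam:ListRoles", "iam:CreateRole",
        "iam:AttachRolePolicy", "iam:TagPolicy", "iam:CreatePolicy",
        "iam:ListPolicyTags"},
    "delete account-roles": _DELETE_ROLES,
    "delete operator-roles": _DELETE_ROLES,
}

def _as_list(value):
    # IAM allows a single statement or action in place of a list.
    return [value] if isinstance(value, (str, dict)) else list(value)

def allowed_patterns(policy):
    """Lower-cased Action patterns from Allow statements (action names are case-insensitive)."""
    patterns = set()
    for stmt in _as_list(policy.get("Statement", [])):
        # Deny, NotAction, Resource and Condition are not evaluated here.
        if stmt.get("Effect") == "Allow":
            patterns.update(a.lower() for a in _as_list(stmt.get("Action", [])))
    return patterns

def audit(policy, command):
    """Compare a policy with the action list this page gives for `command`."""
    required = {a.lower() for a in REQUIRED[command]}
    patterns = allowed_patterns(policy)
    wildcards = {p for p in patterns if "*" in p or "?" in p}
    missing = {r for r in required
               if not any(fnmatch.fnmatchcase(r, p) for p in patterns)}
    return {"missing": sorted(missing),    # listed on this page but not granted
            "excess": sorted(patterns - required - wildcards),  # granted but not listed
            "wildcards": sorted(wildcards)}  # broader than an explicit action list

# Constructed sample policy, not taken from the page.
SAMPLE = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Resource": "*",
     "Action": ["iam:Get*", "iam:ListRoles", "iam:PassRole"]},
    {"Effect": "Deny", "Action": "iam:DeleteRole", "Resource": "*"}]}

if __name__ == "__main__":
    print(audit(SAMPLE, "create cluster"))
```

An empty result in all three fields means the policy grants exactly the actions listed on this page for that command.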