// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-aws-account.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc

[id="installation-aws-permissions_{context}"]
= Required AWS permissions

When you attach the `AdministratorAccess` policy to the IAM user that you create in Amazon Web Services (AWS),
you grant that user all of the required permissions. Note that `AdministratorAccess` also grants many permissions
that the installation does not use; to limit the IAM user to the least privilege that it needs, grant only the
permissions listed in this section. To deploy all components of an {product-title}
cluster, the IAM user requires the following permissions:

.Required EC2 permissions for installation
[%collapsible]
====
* `tag:UntagResources`
* `ec2:AllocateAddress`
* `ec2:AssociateAddress`
* `ec2:AuthorizeSecurityGroupEgress`
* `ec2:AuthorizeSecurityGroupIngress`
* `ec2:CopyImage`
* `ec2:CreateNetworkInterface`
* `ec2:AttachNetworkInterface`
* `ec2:CreateSecurityGroup`
* `ec2:CreateTags`
* `ec2:CreateVolume`
* `ec2:DeleteSecurityGroup`
* `ec2:DeleteSnapshot`
* `ec2:DeregisterImage`
* `ec2:DescribeAccountAttributes`
* `ec2:DescribeAddresses`
* `ec2:DescribeAvailabilityZones`
* `ec2:DescribeDhcpOptions`
* `ec2:DescribeImages`
* `ec2:DescribeInstanceAttribute`
* `ec2:DescribeInstanceCreditSpecifications`
* `ec2:DescribeInstances`
* `ec2:DescribeInternetGateways`
* `ec2:DescribeKeyPairs`
* `ec2:DescribeNatGateways`
* `ec2:DescribeNetworkAcls`
* `ec2:DescribeNetworkInterfaces`
* `ec2:DescribePrefixLists`
* `ec2:DescribeRegions`
* `ec2:DescribeRouteTables`
* `ec2:DescribeSecurityGroups`
* `ec2:DescribeSubnets`
* `ec2:DescribeTags`
* `ec2:DescribeVolumes`
* `ec2:DescribeVpcAttribute`
* `ec2:DescribeVpcClassicLink`
* `ec2:DescribeVpcClassicLinkDnsSupport`
* `ec2:DescribeVpcEndpoints`
* `ec2:DescribeVpcs`
* `ec2:GetEbsDefaultKmsKeyId`
* `ec2:ModifyInstanceAttribute`
* `ec2:ModifyNetworkInterfaceAttribute`
* `ec2:ReleaseAddress`
* `ec2:RevokeSecurityGroupEgress`
* `ec2:RevokeSecurityGroupIngress`
* `ec2:RunInstances`
* `ec2:TerminateInstances`
====

.Required permissions for creating network resources during installation
[%collapsible]
====
* `ec2:AssociateDhcpOptions`
* `ec2:AssociateRouteTable`
* `ec2:AttachInternetGateway`
* `ec2:CreateDhcpOptions`
* `ec2:CreateInternetGateway`
* `ec2:CreateNatGateway`
* `ec2:CreateRoute`
* `ec2:CreateRouteTable`
* `ec2:CreateSubnet`
* `ec2:CreateVpc`
* `ec2:CreateVpcEndpoint`
* `ec2:ModifySubnetAttribute`
* `ec2:ModifyVpcAttribute`

[NOTE]
=====
If you use an existing VPC, your account does not require these permissions for creating network resources.
=====
====

.Required Elastic Load Balancing permissions for installation
[%collapsible]
====
* `elasticloadbalancing:AddTags`
* `elasticloadbalancing:ApplySecurityGroupsToLoadBalancer`
* `elasticloadbalancing:AttachLoadBalancerToSubnets`
* `elasticloadbalancing:ConfigureHealthCheck`
* `elasticloadbalancing:CreateListener`
* `elasticloadbalancing:CreateLoadBalancer`
* `elasticloadbalancing:CreateLoadBalancerListeners`
* `elasticloadbalancing:CreateTargetGroup`
* `elasticloadbalancing:DeleteLoadBalancer`
* `elasticloadbalancing:DeregisterInstancesFromLoadBalancer`
* `elasticloadbalancing:DeregisterTargets`
* `elasticloadbalancing:DescribeInstanceHealth`
* `elasticloadbalancing:DescribeListeners`
* `elasticloadbalancing:DescribeLoadBalancerAttributes`
* `elasticloadbalancing:DescribeLoadBalancers`
* `elasticloadbalancing:DescribeTags`
* `elasticloadbalancing:DescribeTargetGroupAttributes`
* `elasticloadbalancing:DescribeTargetHealth`
* `elasticloadbalancing:ModifyLoadBalancerAttributes`
* `elasticloadbalancing:ModifyTargetGroup`
* `elasticloadbalancing:ModifyTargetGroupAttributes`
* `elasticloadbalancing:RegisterInstancesWithLoadBalancer`
* `elasticloadbalancing:RegisterTargets`
* `elasticloadbalancing:SetLoadBalancerPoliciesOfListener`
====

.Required IAM permissions for installation
[%collapsible]
====
* `iam:AddRoleToInstanceProfile`
* `iam:CreateInstanceProfile`
* `iam:CreateRole`
* `iam:DeleteInstanceProfile`
* `iam:DeleteRole`
* `iam:DeleteRolePolicy`
* `iam:GetInstanceProfile`
* `iam:GetRole`
* `iam:GetRolePolicy`
* `iam:GetUser`
* `iam:ListInstanceProfilesForRole`
* `iam:ListRoles`
* `iam:ListUsers`
* `iam:PassRole`
* `iam:PutRolePolicy`
* `iam:RemoveRoleFromInstanceProfile`
* `iam:SimulatePrincipalPolicy`
* `iam:TagRole`
====

.Required Route53 permissions for installation
[%collapsible]
====
* `route53:ChangeResourceRecordSets`
* `route53:ChangeTagsForResource`
* `route53:CreateHostedZone`
* `route53:DeleteHostedZone`
* `route53:GetChange`
* `route53:GetHostedZone`
* `route53:ListHostedZones`
* `route53:ListHostedZonesByName`
* `route53:ListResourceRecordSets`
* `route53:ListTagsForResource`
* `route53:UpdateHostedZoneComment`
====

.Required S3 permissions for installation
[%collapsible]
====
* `s3:CreateBucket`
* `s3:DeleteBucket`
* `s3:GetAccelerateConfiguration`
* `s3:GetBucketAcl`
* `s3:GetBucketCors`
* `s3:GetBucketLocation`
* `s3:GetBucketLogging`
* `s3:GetBucketObjectLockConfiguration`
* `s3:GetBucketReplication`
* `s3:GetBucketRequestPayment`
* `s3:GetBucketTagging`
* `s3:GetBucketVersioning`
* `s3:GetBucketWebsite`
* `s3:GetEncryptionConfiguration`
* `s3:GetLifecycleConfiguration`
* `s3:GetReplicationConfiguration`
* `s3:ListBucket`
* `s3:PutBucketAcl`
* `s3:PutBucketTagging`
* `s3:PutEncryptionConfiguration`
====

.S3 permissions that cluster Operators require
[%collapsible]
====
* `s3:DeleteObject`
* `s3:GetObject`
* `s3:GetObjectAcl`
* `s3:GetObjectTagging`
* `s3:GetObjectVersion`
* `s3:PutObject`
* `s3:PutObjectAcl`
* `s3:PutObjectTagging`
====

.Required permissions to delete base cluster resources
[%collapsible]
====
* `autoscaling:DescribeAutoScalingGroups`
* `ec2:DeleteNetworkInterface`
* `ec2:DeleteVolume`
* `elasticloadbalancing:DeleteTargetGroup`
* `elasticloadbalancing:DescribeTargetGroups`
* `iam:DeleteAccessKey`
* `iam:DeleteUser`
* `iam:ListInstanceProfiles`
* `iam:ListRolePolicies`
* `iam:ListUserPolicies`
* `s3:DeleteObject`
* `s3:ListBucketVersions`
* `tag:GetResources`
====

.Required permissions to delete network resources
[%collapsible]
====
* `ec2:DeleteDhcpOptions`
* `ec2:DeleteInternetGateway`
* `ec2:DeleteNatGateway`
* `ec2:DeleteRoute`
* `ec2:DeleteRouteTable`
* `ec2:DeleteSubnet`
* `ec2:DeleteVpc`
* `ec2:DeleteVpcEndpoints`
* `ec2:DetachInternetGateway`
* `ec2:DisassociateRouteTable`
* `ec2:ReplaceRouteTableAssociation`

[NOTE]
=====
If you use an existing VPC, your account does not require these permissions to delete network resources.
=====
====

.Additional IAM and S3 permissions that are required to create manifests
[%collapsible]
====
* `iam:CreateAccessKey`
* `iam:CreateUser`
* `iam:DeleteAccessKey`
* `iam:DeleteUser`
* `iam:DeleteUserPolicy`
* `iam:GetUserPolicy`
* `iam:ListAccessKeys`
* `iam:PutUserPolicy`
* `iam:TagUser`
* `s3:PutBucketPublicAccessBlock`
* `s3:GetBucketPublicAccessBlock`
* `s3:PutLifecycleConfiguration`
* `s3:HeadBucket`
* `s3:ListBucketMultipartUploads`
* `s3:AbortMultipartUpload`
====