edit

Author: bmcelvee

modules/rosa-roles-and-policies.adoc

@@ -7,9 +7,9 @@
 = AWS managed policies and roles
 
 [id="aws-managed-policies"]
-== Account-wide AWS managed policies
+== AWS managed policies
 
-.AWS managed policies
+.AWS managed account policies
 [options="header",cols="2*"]
 |===
 | Policy 
@@ -26,31 +26,43 @@ ifdef::openshift-rosa-hcp[]
 | You must attach `ROSASRESupportPolicy` to a support IAM role before creating a cluster. `ROSASRESupportPolicy` grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state.
 
 | link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html[ROSAInstallerPolicy]
-| You must attach `ROSAInstallerPolicy` to an IAM role named `<prefix>-ROSA-Worker-Role` before creating a cluster. `ROSAInstallerPolicy` allows the addition of any role that follows the `<prefix>-ROSA-Worker-Role` pattern to an instance profile. `ROSAInstallerPolicy` grants required permissions to the installer to manage AWS resources that support ROSA cluster installation.
+| You must attach `ROSAInstallerPolicy` to an IAM role named `<prefix>-ROSA-Worker-Role` before creating a cluster. `ROSAInstallerPolicy` allows the addition of any role that follows the `<prefix>-ROSA-Worker-Role` pattern to an instance profile. `ROSAInstallerPolicy` grants permissions to the installer to manage AWS resources that support ROSA cluster installation.
+|===
 
-| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy]
-| describe
+[NOTE]
+====
+You must attach Operator policies to an Operator IAM role to allow a ROSA cluster to make calls to other AWS services.
+====
 
-| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy]
-| describe
+.AWS managed Operator policies
+[options="header",cols="2*"]
+|===
+| Policy 
+| Description 
 
-| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy]
-| describe
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy]
+| `ROSAAmazonEBSCSIDriverOperatorPolicy` grants permissions to the Amazon EBS CSI Driver Operator to install and maintain the Amazon EBS CSI driver on a ROSA cluster.
 
-| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy]
-| describe
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy]
+| `ROSAIngressOperatorPolicy` grants required permissions to the Ingress Operator to provision and manage load balancers and DNS configurations for ROSA clusters. The policy allows read access to tag values. The operator then filters the tag values for Route 53 resources to discover hosted zones. 
 
 | link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy.html[ROSAImageRegistryOperatorPolicy]
-| describe
+| `ROSAImageRegistryOperatorPolicy` grants permissions to the Image Registry Operator to provision and manage resources for the ROSA in-cluster image registry and dependent services, including S3, which allows the Operator to install and maintain the internal registry of a ROSA cluster.
 
-| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy]
-| describe
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy]
+| `ROSACloudNetworkConfigOperatorPolicy` grants permissions to the Cloud Network Config Controller Operator to provision and manage networking resources for the ROSA cluster networking overlay. The Operator uses these permissions to manage private IP addresses for Amazon EC2 instances as part of the ROSA cluster.
 
 | link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html[ROSAKubeControllerPolicy]
-| describe
+| `ROSAKubeControllerPolicy` grants permissions to the kube controller to manage Amazon EC2, Elastic Load Balancing, and AWS Key Management Service (KMS) resources for a ROSA cluster.
 
 | link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy.html[ROSANodePoolManagementPolicy]
-| describe
+| `ROSANodePoolManagementPolicy` grants permissions to the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes; and allows for disk encryption of the worker node root volume using AWS KMS keys.
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy]
+| `ROSAKMSProviderPolicy` grants permissions to the built-in AWS Encryption Provider to manage AWS KMS keys that support etcd data encryption. `ROSAKMSProviderPolicy` allows Amazon EC2 to use KMS keys that the AWS Encryption Provider provides to encrypt and decrypt etcd data. 
+
+| link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy]
+| `ROSAControlPlaneOperatorPolicy` grants permissions to the Control Plane Operator to manage Amazon EC2 and Route 53 resources for ROSA clusters.
 
 |===
 
@@ -60,14 +72,29 @@ endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa[]
 For the full `JSON` information for the following policies, see the link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[AWS _ROSA classic account policies_ documentation].
 
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-installer-policy[<prefix>-Installer-Role-Policy]
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-control-plane-policy[<prefix>-ControlPlane-Role-Policy]
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-worker-policy[<prefix>-Worker-Role-Policy]
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[<Prefix>-Support-Role-Policy]
-endif::openshift-rosa[]
+.AWS managed Operator policies
+[options="header",cols="2*"]
 |===
+| Policy 
+| Description
+
+| link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-installer-policy[<prefix>-Installer-Role-Policy]
+|
+
+| link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-control-plane-policy[<prefix>-ControlPlane-Role-Policy]
+|
+
+| link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-worker-policy[<prefix>-Worker-Role-Policy]
+|
+
+| link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-rosa-classic-account-policies.html#security-iam-id-based-policy-examples-rosa-classic-support-policy[<Prefix>-Support-Role-Policy]
+|
+
+|===
+endif::openshift-rosa[]
 
-.Operator roles
+[id="operator-roles"]
+== Operator roles
 
 ifdef::openshift-rosa-hcp[]
 Certain policies are used by the cluster Operator roles, listed below. The Operator roles are created in a second step because they are dependent on an existing cluster name and cannot be created at the same time as the account-wide roles.