Commit 2e40130

Merge pull request #13725 from kalexand-rh/osdocs275
draft table of AWS permissions
2 parents 0607dbe + 532a1f4 commit 2e40130

2 files changed

+293
-0
lines changed

installing-aws/installing-aws-account.adoc

Lines changed: 3 additions & 0 deletions
@@ -14,8 +14,11 @@ include::modules/installation-aws-route53.adoc[leveloffset=+1]
1414

1515
include::modules/installation-aws-limits.adoc[leveloffset=+1]
1616

17+
include::modules/installation-aws-permissions.adoc[leveloffset=+1]
18+
1719
include::modules/installation-aws-iam-user.adoc[leveloffset=+1]
1820

21+
1922
.Next steps
2023

2124
* Install a {product-title} cluster. You can
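Review bot: the include added at line 17 pulls in `modules/installation-aws-permissions.adoc` between the limits module and the IAM user module, so the new module's own "included in the following assemblies" header comment must point back at exactly this assembly path, `installing-aws/installing-aws-account.adoc` (the path shown in the file header above); verify that cross-reference before merging, since the include line here is the source of truth for where the module is used. The second blank line added at 21 before `.Next steps` is not needed, as the line added at 18 already separates the new include from the one that follows it.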
Lines changed: 290 additions & 0 deletions
@@ -0,0 +1,290 @@
1+
// Module included in the following assemblies:
2+
//
3+
// * instaling-awst/installing-aws-account.adoc
4+
5+
[id='installation-aws-permissions-{context}']
6+
= Required AWS permissions
7+
8+
When you attach the `AdministratorAccess` policy to the IAM user that you create,
9+
you grant that user all of the required permissions. To deploy a {project-title}
10+
cluster, the IAM user:
11+
12+
.EC2 roles required to launch nodes
13+
[cols="2a,2a,2a,5a",options="header"]
14+
|===
15+
|Node type |Permission |Desired |Reason
16+
17+
|`bootstrap`
18+
|`ec2:Describe*`
19+
|Yes
20+
|Allows pulling EC2 instance information for self
21+
22+
|`bootstrap`
23+
|`ec2:AttachVolume`
24+
|No
25+
|Each node launched has default volumes. Is this to support Kube EBS scheduling?
26+
27+
|`bootstrap`
28+
|`ec2:DetachVolume`
29+
|No
30+
|Each node launched has default volumes. Is this to support Kube EBS scheduling?
31+
32+
|`bootstrap`
33+
|`s3:GetObject`
34+
|Yes
35+
|Allows fetching ignition configs from installation bucket?
36+
37+
|`master`
38+
|`elasticloadbalancing:*`
39+
|Yes
40+
|Updating ELBv2 and classic ELB targets (Service Type: LoadBalancer)
41+
42+
|`master`
43+
|`s3:GetObject`
44+
|No?
45+
|No default S3 Kube behavior. Ignition config from bootstrap here.
46+
47+
|`master`
48+
|`iam:PassRole`
49+
|?
50+
|We don't know.
51+
52+
|`master`
53+
|`ec2:*`
54+
|Yes
55+
|Built-in EBS StorageClass. Potentially other actions.
56+
57+
|`worker`
58+
|`ec2:Describe*`
59+
|Yes
60+
|Built-in EBS StorageClass
61+
62+
|`worker`
63+
|`ec2:AttachVolume`
64+
|Yes
65+
|Built-in EBS StorageClass
66+
67+
|`worker`
68+
|`ec2:DetachVolume`
69+
|Yes
70+
|Built-in EBS StorageClass
71+
72+
|`worker`
73+
|`s3:GetObject`
74+
|No?
75+
|No default S3 Kube behavior. Ignition config from bootstrap here.
76+
77+
|`worker`
78+
|`elasticloadbalancing:*`
79+
|Yes?
80+
|Updating ELBv2 and classic ELB targets (Service Type: LoadBalancer)
81+
82+
|===
83+
84+
85+
.User roles required by Operators
86+
[cols="2a,2a,2a,5a",options="header"]
87+
|===
88+
|Operator |Permission |Desired |Reason
89+
90+
|`installer`
91+
|`*.*`
92+
|Needs to be limited
93+
|Allows creation of all AWS resources that are required to deploy a cluster.
94+
95+
|`cloud-credential-operator-iam-ro`
96+
|`iam:GetUser`
97+
|Yes
98+
|Fetch user details
99+
100+
|`cloud-credential-operator-iam-ro`
101+
|`iam:GetUserPolicy`
102+
|Yes
103+
|Fetch user policy details
104+
105+
|`cloud-credential-operator-iam-ro`
106+
|`iam:ListAccessKeys`
107+
|Yes
108+
|List current access keys (just the key, not the secret)
109+
110+
|`cloud-credential-operator-iam-ro`
111+
|`iam:GetUser`
112+
|No
113+
|Fetching self
114+
115+
|`openshift-cluster-api`
116+
|`iam:GetUser`
117+
|No
118+
|Fetching self
119+
120+
|`openshift-cluster-api`
121+
|`ec2:DescribeImages`
122+
|Yes
123+
|Machine API
124+
125+
|`openshift-cluster-api`
126+
|`ec2:DescribeVpcs`
127+
|Yes
128+
|Machine API
129+
130+
|`openshift-cluster-api`
131+
|`ec2:DescribeSubnets`
132+
|Yes
133+
|Machine API
134+
135+
|`openshift-cluster-api`
136+
|`ec2:DescribeAvailabilityZones`
137+
|Yes
138+
|Machine API
139+
140+
|`openshift-cluster-api`
141+
|`ec2:DescribeSecurityGroups`
142+
|Yes
143+
|Machine API
144+
145+
|`openshift-cluster-api`
146+
|`ec2:RunInstances`
147+
|Yes
148+
|Machine API
149+
150+
|`openshift-cluster-api`
151+
|`ec2:DescribeInstances`
152+
|Yes
153+
|Machine API
154+
155+
|`openshift-cluster-api`
156+
|`ec2:TerminateInstances`
157+
|Yes
158+
|Machine API
159+
160+
|`openshift-cluster-api`
161+
|`elasticloadbalancing:RegisterInstancesWithLoadBalancer`
162+
|Yes
163+
|Updating LB targets for current servers
164+
165+
|`openshift-cluster-api`
166+
|`elasticloadbalancing:DescribeLoadBalancers`
167+
|Yes
168+
|Updating LB targets for current servers
169+
170+
|`openshift-cluster-api`
171+
|`elasticloadbalancing:DescribeTargetGroups`
172+
|Yes
173+
|Updating LB targets for current servers
174+
175+
|`openshift-cluster-api`
176+
|`elasticloadbalancing:RegisterTargets`
177+
|Yes
178+
|Updating LB targets for current servers
179+
180+
|`openshift-image-registry`
181+
|`iam:GetUser`
182+
|No
183+
|Fetching self
184+
185+
|`openshift-image-registry`
186+
|`s3:CreateBucket`
187+
|Yes
188+
|Registry self-creates bucket
189+
190+
|`openshift-image-registry`
191+
|`s3:DeleteBucket`
192+
|Yes
193+
|Registry self-creates bucket
194+
195+
|`openshift-image-registry`
196+
|`s3:PutBucketTagging`
197+
|Yes
198+
|Registry self-creates bucket
199+
200+
|`openshift-image-registry`
201+
|`s3:GetBucketTagging`
202+
|Yes
203+
|Registry self-creates bucket
204+
205+
|`openshift-image-registry`
206+
|`s3:PutEncryptionConfiguration`
207+
|Yes
208+
|Registry self-creates bucket
209+
210+
|`openshift-image-registry`
211+
|`s3:GetEncryptionConfiguration`
212+
|Yes
213+
|Registry self-creates bucket
214+
215+
|`openshift-image-registry`
216+
|`s3:PutLifecycleConfiguration`
217+
|Yes
218+
|Registry self-creates bucket. Cleans up multipart uploads
219+
220+
|`openshift-image-registry`
221+
|`s3:GetLifecycleConfiguration`
222+
|Yes
223+
|Registry self-creates bucket. Cleans up multipart uploads
224+
225+
|`openshift-image-registry`
226+
|`s3:GetBucketLocation`
227+
|Yes
228+
|Working with registry host
229+
230+
|`openshift-image-registry`
231+
|`s3:ListBucket`
232+
|Yes
233+
|Working with registry bucket
234+
235+
|`openshift-image-registry`
236+
|`s3:HeadBucket`
237+
|Yes
238+
|Working with registry bucket
239+
240+
|`openshift-image-registry`
241+
|`s3:GetObject`
242+
|Yes
243+
|Working with registry bucket
244+
245+
|`openshift-image-registry`
246+
|`s3:PutObject`
247+
|Yes
248+
|Working with registry bucket
249+
250+
|`openshift-image-registry`
251+
|`s3:DeleteObject`
252+
|Yes
253+
|Working with registry bucket
254+
255+
|`openshift-image-registry`
256+
|`s3:ListBucketMultipartUploads`
257+
|Yes
258+
|Working with registry bucket
259+
260+
|`openshift-image-registry`
261+
|`s3:AbortMultipartUpload`
262+
|Yes
263+
|Working with registry bucket
264+
265+
|`openshift-image-ingress`
266+
|`iam:GetUser`
267+
|No
268+
|Fetching self
269+
270+
|`openshift-image-ingress`
271+
|`elasticloadbalancing:DescribeLoadBalancers`
272+
|Yes
273+
|Ingress creates and removes names associated with ELB
274+
275+
|`openshift-image-ingress`
276+
|`route53:ListHostedZones`
277+
|Yes
278+
|Ingress creates and removes names associated with ELB
279+
280+
|`openshift-image-ingress`
281+
|`route53:ChangeResourceRecordSets`
282+
|Yes
283+
|Ingress creates and removes names associated with ELB
284+
285+
|`openshift-image-ingress`
286+
|`tag:GetResources`
287+
|Yes
288+
|Used to find appropriate load balancer
289+
290+
|===
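Review bot: the `cloud-credential-operator-iam-ro` / `iam:GetUser` row appears twice with contradictory Desired values (`Yes`, "Fetch user details" at new-file lines 95-98, and `No`, "Fetching self" at lines 110-113); collapse them into one row with one decision, because a reader scoping a policy narrower than `AdministratorAccess` cannot act on both. The `installer` row's permission `*.*` is not IAM action syntax (actions are written `service:Action`, with `*` as the wildcard), so either write the statement the installer actually needs or mark the cell as to-be-determined rather than leaving a value that looks like a policy string. Several other Desired/Reason cells are still open questions (`?`, `No?`, `Yes?`, "We don't know.", "Is this to support Kube EBS scheduling?"); the commit message calls this a draft, but these should be resolved, or the module carry a visible draft marker, before it ships, since this table is what readers will use to build a least-privilege policy. Two smaller points: the intro sentence at lines 9-10 stops mid-thought ("To deploy a {project-title} cluster, the IAM user:") and uses `{project-title}` where the assembly uses `{product-title}`, and the assembly path in the header comment at line 3 reads `instaling-awst/` instead of `installing-aws/`.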
