openshift
diff --git a/‎modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
Lines changed: 375 additions & 0 deletions b/‎modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc
Lines changed: 375 additions & 0 deletions
diff --git a/‎rosa_architecture/rosa-sts-about-iam-resources.adoc
Lines changed: 9 additions & 2 deletions b/‎rosa_architecture/rosa-sts-about-iam-resources.adoc
Lines changed: 9 additions & 2 deletions
@@ -0,0 +1,375 @@
+// Module included in the following assemblies:
+//
+// * rosa_planning/rosa-sts-ocm-role.adoc
+// * rosa_architecture/rosa-sts-about-iam-resources.adoc
+:_mod-docs-content-type: PROCEDURE
+[id="rosa-sts-aws-requirements-attaching-boundary-policy_{context}"]
+= Permission boundaries for the installer role
+
+You can apply a policy as a _permissions boundary_ on an installer role.
+You can use an AWS-managed policy or a customer-managed policy to set the boundary for an Amazon Web Services(AWS) Identity and Access Management (IAM) entity (user or role). The combination of policy and boundary policy limits the maximum permissions for the user or role. ROSA includes a set of three prepared permission boundary policy files, with which you can restrict permissions for the installer role since changing the installer policy itself is not supported.
+
+[NOTE]
+====
+This feature is only supported on Red Hat OpenShift Service on AWS (classic architecture) clusters.
+====
+
+The permission boundary policy files are as follows:
+
+* The _Core_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to install an {product-title} cluster.
+The installer does not have permissions to create a virtual private cloud (VPC) or PrivateLink (PL). A VPC needs to be provided.
+* The _VPC_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to create/manage the VPC. It does not include permissions for PL or core installation. If you need to install a cluster with enough permissions for the installer to install the cluster and create/manage the VPC, but you do not need to set up PL, then use the core and VPC boundary files together with the installer role.
+* The _PrivateLink (PL)_ boundary policy file contains the minimum permissions needed for ROSA (classic architecture) installer to create the AWS PL with a cluster. It does not include permissions for VPC or core installation. Provide a pre-created VPC for all PL clusters during installation.
+
+When using the permission boundary policy files, the following combinations apply:
+
+* No permission boundary policies means that the full installer policy permissions apply to your cluster.
+* *Core* only sets the most restricted permissions for the installer role. The VPC and PL permissions are not included in the *Core only* boundary policy.
+** Installer cannot create or manage the VPC or PL.
+** You must have a customer-provided VPC, and PrivateLink (PL) is not available.
+* *Core + VPC* sets the core and VPC permissions for the installer role.
+** Installer cannot create or manage the PL.
+** Assumes you are not using custom/BYO-VPC.
+** Assumes the installer will create and manage the VPC.
+* *Core + PrivateLink (PL)* means the installer can provision the PL infrastructure.
+** You must have a customer-provided VPC.
+** This is for a private cluster with PL.
+
+This example procedure is applicable for an installer role and policy with the most restriction of permissions, using only the _core_ installer permission boundary policy for ROSA. You can complete this with the AWS console or the AWS CLI. This example uses the AWS CLI and the following policy:
+
+.`sts_installer_core_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+		    "autoscaling:DescribeAutoScalingGroups",
+		    "ec2:AllocateAddress",
+		    "ec2:AssociateAddress",
+		    "ec2:AttachNetworkInterface",
+		    "ec2:AuthorizeSecurityGroupEgress",
+		    "ec2:AuthorizeSecurityGroupIngress",
+		    "ec2:CopyImage",
+		    "ec2:CreateNetworkInterface",
+		    "ec2:CreateSecurityGroup",
+		    "ec2:CreateTags",
+		    "ec2:CreateVolume",
+		    "ec2:DeleteNetworkInterface",
+		    "ec2:DeleteSecurityGroup",
+		    "ec2:DeleteSnapshot",
+		    "ec2:DeleteTags",
+		    "ec2:DeleteVolume",
+		    "ec2:DeregisterImage",
+		    "ec2:DescribeAccountAttributes",
+		    "ec2:DescribeAddresses",
+		    "ec2:DescribeAvailabilityZones",
+		    "ec2:DescribeDhcpOptions",
+		    "ec2:DescribeImages",
+		    "ec2:DescribeInstanceAttribute",
+		    "ec2:DescribeInstanceCreditSpecifications",
+		    "ec2:DescribeInstances",
+		    "ec2:DescribeInstanceStatus",
+		    "ec2:DescribeInstanceTypeOfferings",
+		    "ec2:DescribeInstanceTypes",
+		    "ec2:DescribeInternetGateways",
+		    "ec2:DescribeKeyPairs",
+		    "ec2:DescribeNatGateways",
+		    "ec2:DescribeNetworkAcls",
+		    "ec2:DescribeNetworkInterfaces",
+		    "ec2:DescribePrefixLists",
+		    "ec2:DescribeRegions",
+		    "ec2:DescribeReservedInstancesOfferings",
+		    "ec2:DescribeRouteTables",
+		    "ec2:DescribeSecurityGroups",
+		    "ec2:DescribeSecurityGroupRules",
+		    "ec2:DescribeSubnets",
+		    "ec2:DescribeTags",
+		    "ec2:DescribeVolumes",
+		    "ec2:DescribeVpcAttribute",
+		    "ec2:DescribeVpcClassicLink",
+		    "ec2:DescribeVpcClassicLinkDnsSupport",
+		    "ec2:DescribeVpcEndpoints",
+		    "ec2:DescribeVpcs",
+		    "ec2:GetConsoleOutput",
+		    "ec2:GetEbsDefaultKmsKeyId",
+		    "ec2:ModifyInstanceAttribute",
+		    "ec2:ModifyNetworkInterfaceAttribute",
+		    "ec2:ReleaseAddress",
+		    "ec2:RevokeSecurityGroupEgress",
+		    "ec2:RevokeSecurityGroupIngress",
+		    "ec2:RunInstances",
+		    "ec2:StartInstances",
+		    "ec2:StopInstances",
+		    "ec2:TerminateInstances",
+		    "elasticloadbalancing:AddTags",
+		    "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+		    "elasticloadbalancing:AttachLoadBalancerToSubnets",
+		    "elasticloadbalancing:ConfigureHealthCheck",
+		    "elasticloadbalancing:CreateListener",
+		    "elasticloadbalancing:CreateLoadBalancer",
+		    "elasticloadbalancing:CreateLoadBalancerListeners",
+		    "elasticloadbalancing:CreateTargetGroup",
+		    "elasticloadbalancing:DeleteLoadBalancer",
+		    "elasticloadbalancing:DeleteTargetGroup",
+		    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+		    "elasticloadbalancing:DeregisterTargets",
+		    "elasticloadbalancing:DescribeInstanceHealth",
+		    "elasticloadbalancing:DescribeListeners",
+		    "elasticloadbalancing:DescribeLoadBalancerAttributes",
+		    "elasticloadbalancing:DescribeLoadBalancers",
+		    "elasticloadbalancing:DescribeTags",
+		    "elasticloadbalancing:DescribeTargetGroupAttributes",
+		    "elasticloadbalancing:DescribeTargetGroups",
+		    "elasticloadbalancing:DescribeTargetHealth",
+		    "elasticloadbalancing:ModifyLoadBalancerAttributes",
+		    "elasticloadbalancing:ModifyTargetGroup",
+		    "elasticloadbalancing:ModifyTargetGroupAttributes",
+		    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+		    "elasticloadbalancing:RegisterTargets",
+		    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
+		    "iam:AddRoleToInstanceProfile",
+		    "iam:CreateInstanceProfile",
+		    "iam:DeleteInstanceProfile",
+		    "iam:GetInstanceProfile",
+		    "iam:TagInstanceProfile",
+		    "iam:GetRole",
+		    "iam:GetRolePolicy",
+		    "iam:GetUser",
+		    "iam:ListAttachedRolePolicies",
+		    "iam:ListInstanceProfiles",
+		    "iam:ListInstanceProfilesForRole",
+		    "iam:ListRolePolicies",
+		    "iam:ListRoles",
+		    "iam:ListUserPolicies",
+		    "iam:ListUsers",
+		    "iam:PassRole",
+		    "iam:RemoveRoleFromInstanceProfile",
+		    "iam:SimulatePrincipalPolicy",
+		    "iam:TagRole",
+		    "iam:UntagRole",
+		    "route53:ChangeResourceRecordSets",
+		    "route53:ChangeTagsForResource",
+		    "route53:CreateHostedZone",
+		    "route53:DeleteHostedZone",
+		    "route53:GetAccountLimit",
+		    "route53:GetChange",
+		    "route53:GetHostedZone",
+		    "route53:ListHostedZones",
+		    "route53:ListHostedZonesByName",
+		    "route53:ListResourceRecordSets",
+		    "route53:ListTagsForResource",
+		    "route53:UpdateHostedZoneComment",
+		    "s3:CreateBucket",
+		    "s3:DeleteBucket",
+		    "s3:DeleteObject",
+		    "s3:GetAccelerateConfiguration",
+		    "s3:GetBucketAcl",
+		    "s3:GetBucketCORS",
+		    "s3:GetBucketLocation",
+		    "s3:GetBucketLogging",
+		    "s3:GetBucketObjectLockConfiguration",
+		    "s3:GetBucketPolicy",
+		    "s3:GetBucketRequestPayment",
+		    "s3:GetBucketTagging",
+		    "s3:GetBucketVersioning",
+		    "s3:GetBucketWebsite",
+		    "s3:GetEncryptionConfiguration",
+		    "s3:GetLifecycleConfiguration",
+		    "s3:GetObject",
+		    "s3:GetObjectAcl",
+		    "s3:GetObjectTagging",
+		    "s3:GetObjectVersion",
+		    "s3:GetReplicationConfiguration",
+		    "s3:ListBucket",
+		    "s3:ListBucketVersions",
+		    "s3:PutBucketAcl",
+		    "s3:PutBucketTagging",
+		    "s3:PutEncryptionConfiguration",
+		    "s3:PutObject",
+		    "s3:PutObjectAcl",
+		    "s3:PutObjectTagging",
+		    "servicequotas:GetServiceQuota",
+		    "servicequotas:ListAWSDefaultServiceQuotas",
+		    "sts:AssumeRole",
+		    "sts:AssumeRoleWithWebIdentity",
+		    "sts:GetCallerIdentity",
+		    "tag:GetResources",
+		    "tag:UntagResources",
+		    "kms:DescribeKey",
+		    "cloudwatch:GetMetricData",
+		    "ec2:CreateRoute",
+		    "ec2:DeleteRoute",
+		    "ec2:CreateVpcEndpoint",
+		    "ec2:DeleteVpcEndpoints",
+		    "ec2:CreateVpcEndpointServiceConfiguration",
+		    "ec2:DeleteVpcEndpointServiceConfigurations",
+		    "ec2:DescribeVpcEndpointServiceConfigurations",
+		    "ec2:DescribeVpcEndpointServicePermissions",
+		    "ec2:DescribeVpcEndpointServices",
+		    "ec2:ModifyVpcEndpointServicePermissions"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:GetSecretValue"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "StringEquals": {
+                    "aws:ResourceTag/red-hat-managed": "true"
+                }
+            }
+        }
+    ]
+}
+----
+====
+
+[IMPORTANT]
+====
+To use the permission boundaries, you will need to prepare the permission boundary policy and add it to your relevant installer role in AWS IAM.
+While the ROSA (`rosa`) CLI offers a permission boundary function, it applies to all roles and not just the installer role, which means it does not work with the provided permission boundary policies (which are only for the installer role).
+====
+
+.Prerequisites
+
+* You have an AWS account.
+* You have the permissions required to administer AWS roles and policies.
+* You have installed and configured the latest AWS (`aws`) and ROSA (`rosa`) CLIs on your workstation.
+* You have already prepared your ROSA account-wide roles, includes the installer role, and the corresponding policies. If these do not exist in your AWS account, see "Creating the account-wide STS roles and policies" in _Additional resources_.
+
+.Procedure
+
+. Prepare the policy file by entering the following command in the `rosa` CLI:
++
+[source,terminal]
+----
+$ curl -o ./rosa-installer-core.json https://raw.githubusercontent.com/openshift/managed-cluster-config/master/resources/sts/4.16/sts_installer_core_permission_boundary_policy.json
+----
+
+. Create the policy in AWS and gather its Amazon Resource Name (ARN) by entering the following command:
++
+[source,terminal]
+----
+$ aws iam create-policy \
+--policy-name rosa-core-permissions-boundary-policy \
+--policy-document file://./rosa-installer-core.json \
+--description "ROSA installer core permission boundary policy, the minimum permission set, allows BYO-VPC, disallows PrivateLink"
+----
++
+.Example output
+[source,terminal]
+----
+{
+    "Policy": {
+        "PolicyName": "rosa-core-permissions-boundary-policy",
+        "PolicyId": "<Policy ID>",
+        "Arn": "arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy",
+        "Path": "/",
+        "DefaultVersionId": "v1",
+        "AttachmentCount": 0,
+        "PermissionsBoundaryUsageCount": 0,
+        "IsAttachable": true,
+        "CreateDate": "<CreateDate>",
+        "UpdateDate": "<UpdateDate>"
+    }
+}
+----
+. Add the permission boundary policy to the installer role you want to restrict by entering the following command:
++
+[source,terminal]
+----
+$ aws iam put-role-permissions-boundary \
+--role-name ManagedOpenShift-Installer-Role \
+--permissions-boundary arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy
+----
+
+. Display the installer role to validate attached policies (including permissions boundary) by entering the following command in the `rosa` CLI:
++
+[source,terminal]
+----
+$ aws iam get-role --role-name ManagedOpenShift-Installer-Role \
+--output text | grep PERMISSIONSBOUNDARY
+----
++
+.Example output
+[source,terminal]
+----
+PERMISSIONSBOUNDARY	arn:aws:iam::<account ID>:policy/rosa-core-permissions-boundary-policy	Policy
+----
++
+
++
+For more examples of PL and VPC permission boundary policies see:
++
+.`sts_installer_privatelink_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+"Version": "2012-10-17",
+  "Statement": [
+    {
+      "Effect": "Allow",
+      "Action": [
+        "ec2:ModifyVpcEndpointServiceConfiguration",
+        "route53:ListHostedZonesByVPC",
+        "route53:CreateVPCAssociationAuthorization",
+        "route53:AssociateVPCWithHostedZone",
+        "route53:DeleteVPCAssociationAuthorization",
+        "route53:DisassociateVPCFromHostedZone",
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource": "*"
+    }
+  ]
+}
+----
+====
++
+.`sts_installer_vpc_permission_boundary_policy.json`
+[%collapsible]
+====
+[source,json]
+----
+{
+     "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+		    "ec2:AssociateDhcpOptions",
+		    "ec2:AssociateRouteTable",
+		    "ec2:AttachInternetGateway",
+		    "ec2:CreateDhcpOptions",
+		    "ec2:CreateInternetGateway",
+		    "ec2:CreateNatGateway",
+		    "ec2:CreateRouteTable",
+		    "ec2:CreateSubnet",
+		    "ec2:CreateVpc",
+		    "ec2:DeleteDhcpOptions",
+		    "ec2:DeleteInternetGateway",
+		    "ec2:DeleteNatGateway",
+		    "ec2:DeleteRouteTable",
+		    "ec2:DeleteSubnet",
+		    "ec2:DeleteVpc",
+		    "ec2:DetachInternetGateway",
+		    "ec2:DisassociateRouteTable",
+		    "ec2:ModifySubnetAttribute",
+		    "ec2:ModifyVpcAttribute",
+		    "ec2:ReplaceRouteTableAssociation"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+====
@@ -76,14 +76,21 @@ include::modules/rosa-sts-account-wide-roles-and-policies.adoc[leveloffset=+1]
 * For a definition of OpenShift major, minor, and patch versions, see xref:../rosa_architecture/rosa_policy_service_definition/rosa-life-cycle.adoc#rosa-life-cycle-definitions_rosa-life-cycle[the {product-title} update life cycle].
 
 include::modules/rosa-sts-account-wide-role-and-policy-commands.adoc[leveloffset=+2]
+include::modules/rosa-sts-aws-requirements-attaching-boundary-policy.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+.Additional resources
+
+* For more information, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities] (AWS documentation).
+* For more information about creating the required account-wide STS roles and policies see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-sts-creating-a-cluster-quickly[Creating the account-wide STS roles and policies].
+
 include::modules/rosa-sts-operator-roles.adoc[leveloffset=+1]
 include::modules/rosa-sts-operator-role-commands.adoc[leveloffset=+2]
 include::modules/rosa-sts-about-operator-role-prefixes.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
 .Additional resources
-
-* For steps to create the cluster-specific Operator IAM roles using a custom prefix, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using {cluster-manager}].
+ For steps to create the cluster-specific Operator IAM roles using a custom prefix, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-cli_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations using the CLI] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations-ocm_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations by using {cluster-manager}].
 
 [id="rosa-sts-oidc-provider-requirements-for-operators_{context}"]
 == Open ID Connect (OIDC) requirements for Operator authentication