Merge pull request #75897 from mletalie/OSDOCS-9279

[OSDOCS-9279]Arbitrary policies attached to ROSA roles

Author: EricPonvelle

cli_reference/rosa_cli/rosa-manage-objects-cli.adoc

@@ -10,7 +10,7 @@ toc::[]
 Managing objects with the {product-title} (ROSA) CLI, `rosa`, such as adding `dedicated-admin` users, managing clusters, and scheduling cluster upgrades.
 
 [NOTE]
-====	
+====
 To access a cluster that is accessible only over an HTTP proxy server, you can set the `HTTP_PROXY`, `HTTPS_PROXY`, and `NO_PROXY` variables. These environment variables are respected by the `rosa` CLI so that all communication with the cluster goes through the HTTP proxy.
 ====
 
@@ -31,3 +31,4 @@ include::modules/rosa-install-uninstall-addon.adoc[leveloffset=+1]
 include::modules/rosa-list-objects.adoc[leveloffset=+1]
 include::modules/rosa-revoke-objects.adoc[leveloffset=+1]
 include::modules/rosa-upgrade-cluster-cli.adoc[leveloffset=+1]
+

modules/rosa-aws-customer-managed-policies.adoc

@@ -0,0 +1,21 @@
+// Module included in the following assemblies:
+//
+// * rosa_architecture/rosa-sts-about-iam-resources.adoc
+
+[id="rosa-aws-customer-managed-policies_{context}"]
+= Customer-managed policies
+{product-title} (ROSA) users are able to attach customer-managed policies to the IAM roles required to run and maintain ROSA clusters. This capability is not uncommon with AWS IAM roles.
+The ability to attach these policies to ROSA-specific IAM roles extends a ROSA cluster’s permission capabilities; for example, as a way to allow cluster components to access additional AWS resources that are otherwise not part of the ROSA-specific IAM policies.
+
+To ensure that any critical customer applications that rely on customer-managed policies are not modified in any way during cluster or role upgrades, ROSA utilizes the `ListAttachedRolesPolicies` permission to retrieve the list of permission policies from roles and the `ListRolePolicies` permission to retrieve the list of policies from ROSA-specific roles. This information ensures that customer-managed policies are not impacted during cluster events, and allows Red Hat SREs to monitor both ROSA and customer-managed policies attached to ROSA-specific IAM roles, enhancing their ability to troubleshoot any cluster issues more effectively.
+
+[WARNING]
+====
+Attaching permission boundary policies to IAM roles that restrict ROSA-specific policies is not supported, as these policies could interrupt the functionality of the basic permissions necessary to successfully run and maintain your ROSA cluster. There are prepared permissions boundary policies for the ROSA (classic architecture) installer role. See the Additional resources section for more information.
+====
+
+[role="_additional-resources"]
+.Additional resources
+
+* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-aws-requirements-attaching-boundary-policy_rosa-sts-about-iam-resources[Permission boundaries for the installer role]
+* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_boundaries.html[Permissions boundaries for IAM entities]

modules/rosa-list-objects.adoc

@@ -683,8 +683,12 @@ $ rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]
 
 |--profile
 |Specifies an AWS profile (string) from your credentials file.
+
+|--get-role-policy-bindings
+|Lists the policies that are attached to the STS roles assigned to the cluster.
 |===
 
+
 .Example
 Describe a cluster named `mycluster`.
 [source,terminal]
@@ -724,7 +728,9 @@ a| Optional. Specifies the name of the `KubeletConfig` object to describe.
 // Required.
 // endif::openshift-rosa-hcp[]
 
-|-o, --output string    
+|-o, --output string
+
+|-o, --output string
 |The output format. You can specify either `json` or `yaml`.
 
 |===

modules/rosa-upgrade-cluster-cli.adoc

@@ -192,6 +192,52 @@ $ rosa delete upgrade --cluster=<cluster_name> <machinepool_name>
 |Specifies an AWS profile (string) from your credentials file.
 |===
 
+[id="rosa-upgrade-roles_{context}"]
+== upgrade roles
+Upgrades roles configured on a cluster.
+
+
+.Syntax
+[source,terminal]
+----
+$ rosa upgrade roles --cluster=<cluster_id>
+----
+
+.Arguments
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--cluster
+|Required: The name or ID (string) of the cluster.
+|===
+
+.Optional arguments inherited from parent commands
+[cols="30,70"]
+|===
+|Option |Definition
+
+|--help
+|Shows help for this command.
+
+|--debug
+|Enables debug mode.
+
+|--profile
+|Specifies an AWS profile (string) from your credentials file.
+|===
+
+.Example
+Upgrade roles on a cluster named `mycluster`.
+[source,terminal]
+----
+$ rosa upgrade roles --cluster=mycluster
+----
+
+
+
+
+
 // .Example
 // Delete  a machine pool named `mymachinepool` on a cluster named `mycluster`.
 // [source,terminal]

rosa_architecture/rosa-sts-about-iam-resources.adoc

@@ -105,4 +105,6 @@ include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+3]
 [discrete]
 include::modules/rosa-sts-byo-oidc-options.adoc[leveloffset=+3]
 
-include::modules/rosa-aws-scp.adoc[leveloffset=+1]
+include::modules/rosa-aws-scp.adoc[leveloffset=+1]
+
+include::modules/rosa-aws-customer-managed-policies.adoc[leveloffset=+1]