openshift-cs / managed-openshift

Public roadmaps for the Red Hat Managed OpenShift offerings OpenShift Dedicated (OSD) and Red Hat OpenShift Service on AWS (ROSA)
Apache License 2.0
56 stars, 6 forks

ROSA STS: More granular installer permissions #79

Closed arendej closed 5 months ago

arendej commented 2 years ago

Allow breaking up installer permissions to accommodate separation-of-duties scenarios, and provide clearer barriers between installer permissions.

This will be achieved through the use of AWS IAM permission boundary policy files that have been validated with ROSA.

The following would be the boundary policies

funasakak commented 1 year ago

Hi Team

There has been no progress for almost a year, when will it be available?

The IAM role for the installer has many IAM actions that are not used in some cases. For example, the PrivateLink cluster will be built on a BYOVPC, so permissions for "CreateVPC" and "CreateRouteTable" are not required....

We want to be able to follow the principle of least privilege as soon as possible. We hope to be able to use it soon.

Manoj2087 commented 5 months ago

Hey team, is this still relevant, since the new install permissions are much more granular? https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html

arendej commented 5 months ago

Now available via a set of prepared permissions boundaries for the ROSA Classic architecture. https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html#rosa-sts-aws-requirements-attaching-boundary-policy_rosa-sts-about-iam-resources
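The mechanism the thread settles on, an IAM permissions boundary attached to the installer role, works by intersection: an action is effective only if the role's identity policy allows it and the boundary allows it, and an explicit Deny in either wins. The script below is an added example (not from this repository, Red Hat, or AWS) that models that evaluation for Action-level checks, so a team can verify that a boundary really removes grants such as ec2:CreateVpc for a BYOVPC install. Both policy documents are constructed for illustration and are not the ROSAInstallerPolicy or the prepared ROSA boundary documents; Resource ARNs and Condition blocks are ignored.

```python
"""Simplified model of how an AWS IAM permissions boundary narrows an
installer role's effective permissions.

Constructed illustration: the policy documents below are made up for this
example and are NOT the ROSA installer policy or Red Hat's prepared boundary
documents. Resource and Condition elements are ignored; only Effect and
Action are evaluated, which is enough to show the intersection rule:
an action is allowed only if the identity policy allows it AND the boundary
allows it, and any explicit Deny in either document wins.
"""
from fnmatch import fnmatchcase
from typing import Dict, Iterable, List

# Constructed stand-in for the broad identity policy attached to the installer role.
INSTALLER_ROLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateVpc", "ec2:CreateRouteTable",
                                       "ec2:Describe*", "iam:CreateRole", "iam:PassRole"]},
    ],
}

# Constructed boundary for a bring-your-own-VPC (BYOVPC) install: network
# creation is deliberately absent, so those grants in the role policy are inert.
BYOVPC_BOUNDARY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:*", "s3:*"]},
        {"Effect": "Deny", "Action": ["iam:DeleteRole"]},
    ],
}


def _as_list(value) -> List[str]:
    # IAM allows "Action" to be either a single string or a list of strings.
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively and support * wildcards.
    return fnmatchcase(action.lower(), pattern.lower())


def evaluate_policy(policy: dict, action: str) -> str:
    """Return 'deny', 'allow' or 'implicit_deny' for one policy document.
    An explicit Deny statement takes precedence over any Allow statement."""
    decision = "implicit_deny"
    for stmt in policy.get("Statement", []):
        if any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            if stmt["Effect"] == "Deny":
                return "deny"
            decision = "allow"
    return decision


def effective_decision(identity_policy: dict, boundary: dict, action: str) -> str:
    """Combine the identity policy and the permissions boundary the way IAM does
    for a principal with a boundary: an explicit deny anywhere wins; otherwise
    the action is allowed only when BOTH documents allow it. A boundary never
    grants anything on its own."""
    ident = evaluate_policy(identity_policy, action)
    bound = evaluate_policy(boundary, action)
    if "deny" in (ident, bound):
        return "deny"
    if ident == "allow" and bound == "allow":
        return "allow"
    return "implicit_deny"


def audit(identity_policy: dict, boundary: dict, actions: Iterable[str]) -> Dict[str, str]:
    """Report the effective decision for each action, so a separation-of-duties
    design can be checked against the grants it is meant to remove."""
    return {a: effective_decision(identity_policy, boundary, a) for a in actions}


if __name__ == "__main__":
    report = audit(INSTALLER_ROLE_POLICY, BYOVPC_BOUNDARY,
                   ["ec2:CreateVpc", "ec2:CreateRouteTable", "ec2:DescribeVpcs",
                    "iam:CreateRole", "iam:DeleteRole", "s3:CreateBucket"])
    for action, decision in report.items():
        print(f"{action:24} {decision}")
```

Running the script shows ec2:CreateVpc and ec2:CreateRouteTable falling to implicit_deny even though the role policy grants them, which is the least-privilege effect funasakak asked for, while s3:CreateBucket stays denied because the boundary alone cannot add a permission the role policy never had. For production review, the real evaluation also depends on Resource and Condition elements and on service control policies, so this model should be treated as a first-pass check rather than a substitute for the IAM policy simulator.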