×

You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift Service on AWS (ROSA) command line interface (CLI).

Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.

The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see Common commands and arguments.

For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.

Least privilege permissions for common ROSA CLI commands

The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.

Create a managed OpenID Connect (OIDC) provider

Run the following command with the specified permissions to create your managed OIDC provider by using auto mode.

Input
$ rosa create oidc-config --mode auto
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:TagOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

Create an unmanaged OpenID Connect provider

Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto mode.

Input
$ rosa create oidc-config --mode auto --managed=false
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:TagOpenIDConnectProvider",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:CreateOpenIDConnectProvider",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutBucketPolicy",
                "s3:PutObjectTagging",
                "s3:PutBucketPublicAccessBlock",
                "secretsmanager:CreateSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": "*"
        }
    ]
}

List your account roles

Run the following command with the specified permissions to list your account roles.

Input
$ rosa list account-roles
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

List your Operator roles

Run the following command with the specified permissions to list your Operator roles.

Input
$ rosa list operator-roles
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

List your OIDC providers

Run the following command with the specified permissions to list your OIDC providers.

Input
$ rosa list oidc-providers
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOidcProviders",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags"
            ],
            "Resource": "*"
        }
    ]
}

Verify your quota

Run the following command with the specified permissions to verify your quota.

Input
$ rosa verify quota
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VerifyQuota",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeAccountLimits",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}

Delete your managed OIDC configuration

Run the following command with the specified permissions to delete your managed OIDC configuration by using auto mode.

Input
$ rosa delete oidc-config -–mode auto
Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

Delete your unmanaged OIDC configuration

Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto mode.

Input
$ rosa delete oidc-config -–mode auto
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider",
                "secretsmanager:DeleteSecret",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteBucket"
            ],
            "Resource": "*"
        }
    ]
}

Least privilege permissions for common ROSA with HCP CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.

Create a cluster

Run the following command with the specified permissions to create ROSA with HCP clusters.

Input
$ rosa create cluster --hosted-cp
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "ec2:DescribeSubnets",
                "ec2:DescribeRouteTables",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        }
    ]
}

Create your account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles by using auto mode.

Input
$ rosa create account-roles --mode auto --hosted-cp
Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

Delete your account roles

Run the following command with the specified permissions to delete the account roles in auto mode.

Input
$ rosa delete account-roles -–mode auto
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies"
            ],
            "Resource": "*"
        }
    ]
}

Delete your Operator roles

Run the following command with the specified permissions to delete your Operator roles in auto mode.

Input
$ rosa delete operator-roles -–mode auto
Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole"
            ],
            "Resource": "*"
        }
    ]
}

Least privilege permissions for common ROSA Classic CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.

Create a cluster

Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.

Input
$ rosa create cluster
Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

Create account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles in `auto' mode.

Input
$ rosa create account-roles --mode auto --classic
Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

Delete your account roles

Run the following command with the specified permissions to delete the account roles in auto mode.

Input
$ rosa delete account-roles -–mode auto
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}

Delete your Operator roles

Run the following command with the specified permissions to delete the Operator roles in auto mode.

Input
$ rosa delete operator-roles -–mode auto
Policy
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}

ROSA CLI commands with no required permissions

The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.

Table 1. Commands
Command Input

list cluster

$ rosa list cluster

list versions

$ rosa list versions

describe cluster

$ rosa describe cluster -c <cluster name>

create admin

$ rosa create admin -c <cluster name>

list users

$ rosa list users -c <cluster-name>

list upgrades

$ rosa list upgrades

list OIDC configuration

$ rosa list oidc-config

list identity providers

$ rosa list idps -c <cluster-name>

list ingresses

$ rosa list ingresses -c <cluster-name>

Additional resources