You can create roles with permissions that adhere to the principle of least privilege, in which the users assigned the roles have no permissions beyond the scope of the specific action they need to perform. The policies in this topic contain only the minimum permissions required to perform specific actions with the Red Hat OpenShift Service on AWS (ROSA) command line interface (CLI).
Although the policies and commands presented in this topic work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see Common commands and arguments.
For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.
The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
Run the following command with the specified permissions to create your managed OIDC provider by using auto mode.

```terminal
$ rosa create oidc-config --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateOidcConfig",
      "Effect": "Allow",
      "Action": [
        "iam:TagOpenIDConnectProvider",
        "iam:CreateOpenIDConnectProvider"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto mode.

```terminal
$ rosa create oidc-config --mode auto --managed=false
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:TagOpenIDConnectProvider",
        "iam:ListRoleTags",
        "iam:ListRoles",
        "iam:CreateOpenIDConnectProvider",
        "s3:CreateBucket",
        "s3:PutObject",
        "s3:PutBucketTagging",
        "s3:PutBucketPolicy",
        "s3:PutObjectTagging",
        "s3:PutBucketPublicAccessBlock",
        "secretsmanager:CreateSecret",
        "secretsmanager:TagResource"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to list your account roles.

```terminal
$ rosa list account-roles
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListAccountRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoleTags",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to list your Operator roles.

```terminal
$ rosa list operator-roles
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOperatorRoles",
      "Effect": "Allow",
      "Action": [
        "iam:ListRoleTags",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:ListPolicyTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to list your OIDC providers.

```terminal
$ rosa list oidc-providers
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListOidcProviders",
      "Effect": "Allow",
      "Action": [
        "iam:ListOpenIDConnectProviders",
        "iam:ListOpenIDConnectProviderTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to verify your quota.

```terminal
$ rosa verify quota
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VerifyQuota",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeAccountLimits",
        "servicequotas:ListServiceQuotas"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete your managed OIDC configuration by using auto mode.

```terminal
$ rosa delete oidc-config --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeleteOidcConfig",
      "Effect": "Allow",
      "Action": [
        "iam:ListOpenIDConnectProviders",
        "iam:DeleteOpenIDConnectProvider"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto mode.

```terminal
$ rosa delete oidc-config --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:ListOpenIDConnectProviders",
        "iam:DeleteOpenIDConnectProvider",
        "secretsmanager:DeleteSecret",
        "s3:ListBucket",
        "s3:DeleteObject",
        "s3:DeleteBucket"
      ],
      "Resource": "*"
    }
  ]
}
```
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.
Run the following command with the specified permissions to create ROSA with HCP clusters.

```terminal
$ rosa create cluster --hosted-cp
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateCluster",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoleTags",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAvailabilityZones"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to create account and Operator roles by using auto mode.

```terminal
$ rosa create account-roles --mode auto --hosted-cp
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAccountRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:ListRoleTags",
        "iam:GetPolicy",
        "iam:TagRole",
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:ListPolicyTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete the account roles in auto mode.

```terminal
$ rosa delete account-roles --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeleteAccountRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListInstanceProfilesForRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:DeleteRole",
        "iam:ListRolePolicies"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete your Operator roles in auto mode.

```terminal
$ rosa delete operator-roles --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "DeleteOperatorRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:DeleteRole"
      ],
      "Resource": "*"
    }
  ]
}
```
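The per-command policies above are easiest to apply when the commands of one workflow run under a single role. The following Python script is an added example, not part of the ROSA documentation or the rosa CLI: it merges the documented action lists for the HCP creation workflow (managed OIDC config, account roles, cluster) into one deduplicated policy document, and audits an arbitrary policy against that baseline, flagging wildcard actions and any action outside the documented minimum. The action lists are copied from the policies above; the function names (`build_workflow_policy`, `audit_policy`) and the over-broad sample policy are constructed for the example.

```python
"""Merge and audit the per-command least-privilege policies for a ROSA HCP
cluster-creation workflow.

The action lists in ROSA_HCP_POLICIES are copied from the policies documented
above; the merging and audit logic is an added example, not part of the ROSA
documentation or the rosa CLI. Function names are hypothetical.
"""
import json

# Per-command minimum actions, as documented above for the HCP workflow.
ROSA_HCP_POLICIES = {
    "rosa create oidc-config --mode auto": [
        "iam:TagOpenIDConnectProvider",
        "iam:CreateOpenIDConnectProvider",
    ],
    "rosa create account-roles --mode auto --hosted-cp": [
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:ListRoleTags",
        "iam:GetPolicy",
        "iam:TagRole",
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:ListPolicyTags",
    ],
    "rosa create cluster --hosted-cp": [
        "iam:GetRole",
        "iam:ListRoleTags",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables",
        "ec2:DescribeAvailabilityZones",
    ],
}


def build_workflow_policy(command_actions, sid="RosaHcpCreateWorkflow"):
    """Merge the per-command action lists into one policy document.

    The result has a single Allow statement whose actions are deduplicated and
    sorted, so a role used for the whole workflow carries each action once.
    Resource stays "*" to match the documented policies; scoping it further is
    environment-specific.
    """
    actions = sorted({a for acts in command_actions.values() for a in acts})
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": sid, "Effect": "Allow", "Action": actions, "Resource": "*"}
        ],
    }


def audit_policy(policy, baseline_actions):
    """Compare a policy document against a baseline set of actions.

    Returns a list of findings: non-Allow statements (not expected in these
    policies), wildcard actions such as "iam:*" or "*", and actions that are
    not in the baseline (over-privilege relative to the documented minimum).
    """
    findings = []
    for stmt in policy.get("Statement", []):
        sid = stmt.get("Sid", "<no Sid>")
        actions = stmt.get("Action", [])
        if isinstance(actions, str):  # IAM allows a bare string here
            actions = [actions]
        if stmt.get("Effect") != "Allow":
            findings.append(f"{sid}: statement effect is not Allow")
        for action in actions:
            if "*" in action:
                findings.append(f"{sid}: wildcard action {action}")
            elif action not in baseline_actions:
                findings.append(f"{sid}: action outside baseline {action}")
    return findings


if __name__ == "__main__":
    workflow = build_workflow_policy(ROSA_HCP_POLICIES)
    print(json.dumps(workflow, indent=2))

    baseline = set(workflow["Statement"][0]["Action"])
    # Constructed example of an over-broad policy a reviewer might find
    # attached to the role used for this workflow.
    overbroad = {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "TooBroad",
                "Effect": "Allow",
                "Action": ["iam:*", "s3:CreateBucket", "iam:GetRole"],
                "Resource": "*",
            }
        ],
    }
    for finding in audit_policy(overbroad, baseline):
        print("finding:", finding)
```

The merged document has 15 distinct actions for the three commands. The audit deliberately ignores `Resource`, because every documented policy uses `"*"`; if your environment tightens resources (for example, by account or role-name prefix), extend the check to compare that field as well.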
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.
Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.

```terminal
$ rosa create cluster
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateCluster",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoleTags",
        "iam:ListRoles"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to create account and Operator roles in auto mode.

```terminal
$ rosa create account-roles --mode auto --classic
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "CreateAccountOperatorRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:UpdateAssumeRolePolicy",
        "iam:ListRoleTags",
        "iam:GetPolicy",
        "iam:TagRole",
        "iam:ListRoles",
        "iam:CreateRole",
        "iam:AttachRolePolicy",
        "iam:TagPolicy",
        "iam:CreatePolicy",
        "iam:ListPolicyTags"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete the account roles in auto mode.

```terminal
$ rosa delete account-roles --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListInstanceProfilesForRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:DeleteRole",
        "iam:ListRolePolicies",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:DeletePolicy"
      ],
      "Resource": "*"
    }
  ]
}
```
Run the following command with the specified permissions to delete the Operator roles in auto mode.

```terminal
$ rosa delete operator-roles --mode auto
```

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListInstanceProfilesForRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:ListRoles",
        "iam:DeleteRole",
        "iam:ListRolePolicies",
        "iam:GetPolicy",
        "iam:ListPolicyVersions",
        "iam:DeletePolicy"
      ],
      "Resource": "*"
    }
  ]
}
```
The following ROSA CLI commands do not require AWS permissions or policies to run. Instead, they require only an access key with its configured secret key, or an attached role.

| Command |
|---|
| list cluster |
| list versions |
| describe cluster |
| create admin |
| list users |
| list upgrades |
| list OIDC configuration |
| list identity providers |
| list ingresses |
For more information about AWS roles, see IAM roles.
For more information about AWS policies and permissions, see Policies and permissions in IAM.