$ rosa create oidc-config --mode auto
You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift Service on AWS (ROSA) command line interface (CLI).
Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present. |
For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.
The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
Run the following command with the specified permissions to create your managed OIDC provider by using auto
mode.
$ rosa create oidc-config --mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOidcConfig",
"Effect": "Allow",
"Action": [
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto
mode.
$ rosa create oidc-config --mode auto --managed=false
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagOpenIDConnectProvider",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:CreateOpenIDConnectProvider",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketTagging",
"s3:PutBucketPolicy",
"s3:PutObjectTagging",
"s3:PutBucketPublicAccessBlock",
"secretsmanager:CreateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your account roles.
$ rosa list account-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAccountRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your Operator roles.
$ rosa list operator-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your OIDC providers.
$ rosa list oidc-providers
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOidcProviders",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:ListOpenIDConnectProviderTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to verify your quota.
$ rosa verify quota
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VerifyQuota",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeAccountLimits",
"servicequotas:ListServiceQuotas"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete your managed OIDC configuration by using auto
mode.
$ rosa delete oidc-config -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOidcConfig",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto
mode.
$ rosa delete oidc-config -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider",
"secretsmanager:DeleteSecret",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucket"
],
"Resource": "*"
}
]
}
The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.
Command | Input |
---|---|
list cluster |
|
list versions |
|
describe cluster |
|
create admin |
|
list users |
|
list upgrades |
|
list OIDC configuration |
|
list identity providers |
|
list ingresses |
|
For more information about AWS roles, see IAM roles.
For more information about AWS policies and permissions, see Policies and permissions in IAM.