$ rosa create ocm-role
×
About IAM resources for ROSA clusters that use STS
To deploy a Red Hat OpenShift Service on AWS (ROSA) cluster that uses the AWS Security Token Service (STS), you must create the following AWS Identity Access Management (IAM) resources:
-
Specific account-wide IAM roles and policies that provide the STS permissions required for ROSA support, installation, control plane, and compute functionality. This includes account-wide Operator policies.
-
Cluster-specific Operator IAM roles that permit the ROSA cluster Operators to carry out core OpenShift functionality.
-
An OpenID Connect (OIDC) provider that the cluster Operators use to authenticate.
-
If you deploy ROSA by using OpenShift Cluster Manager, you must create the additional resources:
-
An OpenShift Cluster Manager IAM role to complete the installation on your cluster.
-
A user role without any permissions to verify your AWS account identity.
-
This document provides reference information about the IAM resources that you must deploy when you create a ROSA cluster that uses STS. It also includes the aws CLI commands that are generated when you use manual mode with the rosa create command.
Additional resources
-
For steps to quickly create a ROSA cluster with STS, including the AWS IAM resources, see Creating a ROSA cluster with STS using the default options.
-
For steps to create a ROSA cluster with STS using customizations, including the AWS IAM resources, see Creating a ROSA cluster with STS using customizations.
OpenShift Cluster Manager roles and permissions
If you create ROSA clusters by using OpenShift Cluster Manager Hybrid Cloud Console, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. For more information about linking your IAM roles to your AWS account, see Associating your AWS account.
|
If you only use the |
These AWS IAM roles are as follows:
-
The ROSA user role is an AWS role used by Red Hat to verify the customer’s AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red Hat installer account.
-
An
ocm-roleresource grants the required permissions for installation of ROSA clusters in OpenShift Cluster Manager. You can apply basic or administrative permissions to theocm-roleresource. If you create an administrativeocm-roleresource, OpenShift Cluster Manager can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red Hat installer account as well.The
ocm-roleIAM resource refers to the combination of the IAM role and the necessary policies created with it.
You must create this user role as well as an administrative ocm-role resource, if you want to use the auto mode in OpenShift Cluster Manager to create your Operator role policies and OIDC provider.
Understanding the OpenShift Cluster Manager role
Creating ROSA clusters in OpenShift Cluster Manager Hybrid Cloud Console require an ocm-role IAM role. The basic ocm-role IAM role permissions let you to perform cluster maintenance within OpenShift Cluster Manager. To automatically create the operator roles and OpenID Connect (OIDC) provider, you must add the --admin option to the rosa create command. This command creates an ocm-role resource with additional permissions needed for administrative tasks.
|
This elevated IAM role allows OpenShift Cluster Manager to automatically create the cluster-specific Operator roles and OIDC provider during cluster creation. For more information about this automatic role and policy creation, see the "Methods of account-wide role creation" link in Additional resources. |
Understanding the user role
In addition to an ocm-role IAM role, you must create a user role so that Red Hat OpenShift Service on AWS can verify your AWS identity. This role has no permissions, and it is only used to create a trust relationship between the installer account and your ocm-role resources.
The following tables show the associated basic and administrative permissions for the ocm-role resource.
| Resource | Description |
|---|---|
|
This permission allows the basic role to retrieve information about the specified OpenID Connect (OIDC) provider. |
|
This permission allows the basic role to retrieve any information for a specified role. Some of the data returned include the role’s path, GUID, ARN, and the role’s trust policy that grants permission to assume the role. |
|
This permission allows the basic role to list the roles within a path prefix. |
|
This permission allows the basic role to list the tags on a specified role. |
|
This permission allows the basic role to return information about all of the enabled regions on your account. |
|
This permission allows the basic role to return information about all of your route tables. |
|
This permission allows the basic role to return information about all of your subnets. |
|
This permission allows the basic role to return information about all of your virtual private clouds (VPCs). |
|
This permission allows the basic role to retrieve temporary security credentials to access AWS resources that are beyond its normal permissions. |
|
This permission allows the basic role to retrieve temporary security credentials for users authenticated their account with a web identity provider. |
| Resource | Description |
|---|---|
|
This permission allows the admin role to attach a specified policy to the desired IAM role. |
|
This permission creates a resource that describes an identity provider, which supports OpenID Connect (OIDC). When you create an OIDC provider with this permission, this provider establishes a trust relationship between the provider and AWS. |
|
This permission allows the admin role to create a role for your AWS account. |
|
This permission allows the admin role to list any policies associated with your AWS account. |
|
This permission allows the admin role to list any tags on a designated policy. |
|
This permission allows the admin role to change the permissions boundary for a user based on a specified policy. |
|
This permission allows the admin role to add tags to an IAM role. |
Additional resources
Creating an OpenShift Cluster Manager IAM role
You create your OpenShift Cluster Manager IAM roles by using the command-line interface (CLI).
Prerequisites
-
You have an AWS account.
-
You have Red Hat Organization Administrator privileges in the OpenShift Cluster Manager organization.
-
You have the permissions required to install AWS account-wide roles.
-
You have installed and configured the latest AWS (
aws) and ROSA (rosa) CLIs on your installation host.
Procedure
-
To create an ocm-role IAM role with basic privileges, run the following command:
-
To create an ocm-role IAM role with admin privileges, run the following command:
$ rosa create ocm-role --adminThis command allows you create the role by specifying specific attributes. The following example output shows the "auto mode" selected, which lets the
rosaCLI to create your Operator roles and policies. See "Methods of account-wide role creation" in the Additional resources for more information.
Example output
I: Creating ocm role
? Role prefix: ManagedOpenShift (1)
? Enable admin capabilities for the OCM role (optional): No (2)
? Permissions boundary ARN (optional): (3)
? Role creation mode: auto (4)
I: Creating role using 'arn:aws:iam::<ARN>:user/<UserName>'
? Create the 'ManagedOpenShift-OCM-Role-182' role? Yes (5)
I: Created role 'ManagedOpenShift-OCM-Role-182' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182'
I: Linking OCM role
? OCM Role ARN: arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182 (6)
? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182' role with organization '<AWS ARN'? Yes (7)
I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-OCM-Role-182' with organization account '<AWS ARN>'| 1 | A prefix value for all of the created AWS resources. In this example, ManagedOpenShift prepends all of the AWS resources. |
||
| 2 | Choose if you want this role to have the additional admin permissions.
|
||
| 3 | The Amazon Resource Name (ARN) of the policy to set permission boundaries. | ||
| 4 | Choose the method of how to create your AWS roles. Using auto, the rosa CLI tool generates and links the roles and policies. In the auto mode, you receive some different prompts to create the AWS roles. |
||
| 5 | The auto method asks if you want to create a specific ocm-role using your prefix. |
||
| 6 | Confirm that you want to associate your IAM role with your OpenShift Cluster Manager. | ||
| 7 | Links the created role with your AWS organization. |
AWS IAM roles link to your AWS account to create and manage the clusters. For more information about linking your IAM roles to your AWS account, see Associating your AWS account.
Account-wide IAM role and policy reference
This section provides details about the account-wide IAM roles and policies that are required for ROSA deployments that use STS, including the Operator policies. It also includes the JSON files that define the policies.
The account-wide roles and policies are specific to an OpenShift minor release version, for example OpenShift 4.8, and are backward compatible. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.
Methods of account-wide role creation
You can create account-wide roles by using the rosa CLI tool or the OpenShift Cluster Manager Hybrid Cloud Console guided installation. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
You can create account-wide roles by using the rosa CLI tool. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
Manual ocm-role resource creation
You can use the manual creation method if you have the necessary CLI access to create these roles on your system. You can run this option in your desired CLI tool or from OpenShift Cluster Manager. After you start the manual creation process, the CLI presents a series of commands for you to run that create the roles and link them to the needed policies.
Automatic ocm-role resource creation
If you created an ocm-role resource with administrative permissions, you can use the automatic creation method from OpenShift Cluster Manager. The rosa CLI does not require that you have this admin ocm-role IAM resource to automatically create these roles and polices. Selecting this method creates the roles and policies that uses the default names.
If you use the ROSA guided installation on OpenShift Cluster Manager, you must have created an ocm-role resource with administrative permissions in the first step of the guided cluster installation. Without this role, you cannot use the automatic Operator role and policy creation option, but you can still create the cluster and its roles and policies with the manual process.
|
The account number present in the |
| Resource | Description |
|---|---|
|
An IAM role used by the ROSA installer. |
|
An IAM policy that provides the ROSA installer with the permissions required to complete cluster installation tasks. |
sts_installer_trust_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}sts_installer_permission_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CopyImage",
"ec2:CreateDhcpOptions",
"ec2:CreateInternetGateway",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:CreateVpc",
"ec2:CreateVpcEndpoint",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DeleteVpc",
"ec2:DeleteVpcEndpoints",
"ec2:DeregisterImage",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstanceCreditSpecifications",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:DescribeKeyPairs",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePrefixLists",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcs",
"ec2:DetachInternetGateway",
"ec2:DisassociateRouteTable",
"ec2:GetConsoleOutput",
"ec2:GetEbsDefaultKmsKeyId",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyNetworkInterfaceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"iam:AddRoleToInstanceProfile",
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListAttachedRolePolicies",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListRolePolicies",
"iam:ListRoles",
"iam:ListUserPolicies",
"iam:ListUsers",
"iam:PassRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:SimulatePrincipalPolicy",
"iam:TagRole",
"iam:UntagRole",
"route53:ChangeResourceRecordSets",
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone",
"route53:GetChange",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListResourceRecordSets",
"route53:ListTagsForResource",
"route53:UpdateHostedZoneComment",
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:DeleteObject",
"s3:GetAccelerateConfiguration",
"s3:GetBucketAcl",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:GetBucketLogging",
"s3:GetBucketObjectLockConfiguration",
"s3:GetBucketReplication",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetBucketWebsite",
"s3:GetEncryptionConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetObject",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:GetObjectVersion",
"s3:GetReplicationConfiguration",
"s3:ListBucket",
"s3:ListBucketVersions",
"s3:PutBucketAcl",
"s3:PutBucketTagging",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:PutObjectTagging",
"servicequotas:GetServiceQuota",
"servicequotas:ListAWSDefaultServiceQuotas",
"sts:AssumeRole",
"sts:AssumeRoleWithWebIdentity",
"sts:GetCallerIdentity",
"tag:GetResources",
"tag:UntagResources",
"ec2:CreateVpcEndpointServiceConfiguration",
"ec2:DeleteVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpointServices",
"ec2:ModifyVpcEndpointServicePermissions"
"kms:DescribeKey",
"cloudwatch:GetMetricData"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM role used by the ROSA control plane. |
|
An IAM policy that provides the ROSA control plane with the permissions required to manage its components. |
sts_instance_controlplane_trust_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}sts_instance_controlplane_permission_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:ModifyInstanceAttribute",
"ec2:ModifyVolume",
"ec2:RevokeSecurityGroupIngress",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:AttachLoadBalancerToSubnets",
"elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerPolicy",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:CreateTargetGroup",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DeregisterTargets",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DetachLoadBalancerFromSubnets",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyTargetGroup",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
"elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
"kms:DescribeKey"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM role used by the ROSA compute instances. |
|
An IAM policy that provides the ROSA compute instances with the permissions required to manage their components. |
sts_instance_worker_trust_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"Service": [
"ec2.amazonaws.com"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}sts_instance_worker_permission_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:DescribeInstances"
"ec2:DescribeRegions"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM role used by the Red Hat Site Reliability Engineering (SRE) support team. |
|
An IAM policy that provides the Red Hat SRE support team with the permissions required to support ROSA clusters. |
sts_support_trust_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": [
"arn:aws:iam::710019948333:role/RH-Technical-Support-Access"
]
},
"Action": [
"sts:AssumeRole"
]
}
]
}sts_support_permission_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:LookupEvents",
"cloudwatch:GetMetricData",
"cloudwatch:GetMetricStatistics",
"cloudwatch:ListMetrics",
"ec2-instance-connect:SendSerialConsoleSSHPublicKey",
"ec2:CopySnapshot",
"ec2:CreateNetworkInsightsPath",
"ec2:CreateSnapshot",
"ec2:CreateSnapshots",
"ec2:CreateTags",
"ec2:DeleteNetworkInsightsAnalysis",
"ec2:DeleteNetworkInsightsPath",
"ec2:DeleteTags",
"ec2:DescribeAccountAttributes",
"ec2:DescribeAddresses",
"ec2:DescribeAddressesAttribute",
"ec2:DescribeAggregateIdFormat",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeByoipCidrs",
"ec2:DescribeCapacityReservations",
"ec2:DescribeCarrierGateways",
"ec2:DescribeClassicLinkInstances",
"ec2:DescribeClientVpnAuthorizationRules",
"ec2:DescribeClientVpnConnections",
"ec2:DescribeClientVpnEndpoints",
"ec2:DescribeClientVpnRoutes",
"ec2:DescribeClientVpnTargetNetworks",
"ec2:DescribeCoipPools",
"ec2:DescribeCustomerGateways",
"ec2:DescribeDhcpOptions",
"ec2:DescribeEgressOnlyInternetGateways",
"ec2:DescribeIamInstanceProfileAssociations",
"ec2:DescribeIdentityIdFormat",
"ec2:DescribeIdFormat",
"ec2:DescribeImageAttribute",
"ec2:DescribeImages",
"ec2:DescribeInstanceAttribute",
"ec2:DescribeInstances",
"ec2:DescribeInstanceStatus",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInternetGateways",
"ec2:DescribeIpv6Pools",
"ec2:DescribeKeyPairs",
"ec2:DescribeLaunchTemplates",
"ec2:DescribeLocalGatewayRouteTables",
"ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
"ec2:DescribeLocalGatewayRouteTableVpcAssociations",
"ec2:DescribeLocalGateways",
"ec2:DescribeLocalGatewayVirtualInterfaceGroups",
"ec2:DescribeLocalGatewayVirtualInterfaces",
"ec2:DescribeManagedPrefixLists",
"ec2:DescribeNatGateways",
"ec2:DescribeNetworkAcls",
"ec2:DescribeNetworkInsightsAnalyses",
"ec2:DescribeNetworkInsightsPaths",
"ec2:DescribeNetworkInterfaces",
"ec2:DescribePlacementGroups",
"ec2:DescribePrefixLists",
"ec2:DescribePrincipalIdFormat",
"ec2:DescribePublicIpv4Pools",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstances",
"ec2:DescribeRouteTables",
"ec2:DescribeScheduledInstances",
"ec2:DescribeSecurityGroupReferences",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSpotFleetInstances",
"ec2:DescribeStaleSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeTags",
"ec2:DescribeTransitGatewayAttachments",
"ec2:DescribeTransitGatewayConnectPeers",
"ec2:DescribeTransitGatewayConnects",
"ec2:DescribeTransitGatewayMulticastDomains",
"ec2:DescribeTransitGatewayPeeringAttachments",
"ec2:DescribeTransitGatewayRouteTables",
"ec2:DescribeTransitGateways",
"ec2:DescribeTransitGatewayVpcAttachments",
"ec2:DescribeVolumeAttribute",
"ec2:DescribeVolumeStatus",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcEndpointConnectionNotifications",
"ec2:DescribeVpcEndpointConnections",
"ec2:DescribeVpcEndpointServiceConfigurations",
"ec2:DescribeVpcEndpointServicePermissions",
"ec2:DescribeVpcEndpointServices",
"ec2:DescribeVpcEndpoints",
"ec2:DescribeVpcPeeringConnections",
"ec2:DescribeVpcs",
"ec2:DescribeVpnConnections",
"ec2:DescribeVpnGateways",
"ec2:GetAssociatedIpv6PoolCidrs",
"ec2:GetConsoleOutput",
"ec2:GetManagedPrefixListEntries",
"ec2:GetSerialConsoleAccessStatus",
"ec2:GetTransitGatewayAttachmentPropagations",
"ec2:GetTransitGatewayMulticastDomainAssociations",
"ec2:GetTransitGatewayPrefixListReferences",
"ec2:GetTransitGatewayRouteTableAssociations",
"ec2:GetTransitGatewayRouteTablePropagations",
"ec2:ModifyInstanceAttribute",
"ec2:RebootInstances",
"ec2:RunInstances",
"ec2:SearchLocalGatewayRoutes",
"ec2:SearchTransitGatewayMulticastGroups",
"ec2:SearchTransitGatewayRoutes",
"ec2:StartInstances",
"ec2:StartNetworkInsightsAnalysis",
"ec2:StopInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeListenerCertificates",
"elasticloadbalancing:DescribeListeners",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeRules",
"elasticloadbalancing:DescribeSSLPolicies",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"iam:GetRole",
"iam:ListRoles",
"kms:CreateGrant",
"route53:GetHostedZone",
"route53:GetHostedZoneCount",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListResourceRecordSets",
"s3:GetBucketTagging",
"s3:GetObjectAcl",
"s3:GetObjectTagging",
"s3:ListAllMyBuckets"
"sts:DecodeAuthorizationMessage",
"tiros:CreateQuery",
"tiros:GetQueryAnswer",
"tiros:GetQueryExplanation"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": "s3:ListBucket",
"Resource": [
"arn:aws:s3:::managed-velero*",
"arn:aws:s3:::*image-registry*"
]
}
]
}| Resource | Description |
|---|---|
|
An IAM policy that provides the ROSA Ingress Operator with the permissions required to manage external access to a cluster. |
openshift_ingress_operator_cloud_credentials_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"route53:ListHostedZones",
"route53:ChangeResourceRecordSets",
"tag:GetResources"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM policy required by ROSA to manage back-end storage through the Container Storage Interface (CSI). |
openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:AttachVolume",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeleteVolume",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications",
"ec2:DetachVolume",
"ec2:ModifyVolume"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM policy that provides the ROSA Machine Config Operator with the permissions required to perform core cluster functionality. |
openshift_machine_api_aws_cloud_credentials_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:CreateTags",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeDhcpOptions",
"ec2:DescribeImages",
"ec2:DescribeInstances",
"ec2:DescribeInternetGateways",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:RunInstances",
"ec2:TerminateInstances",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeTargetGroups",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:RegisterTargets",
"elasticloadbalancing:DeregisterTargets",
"iam:PassRole",
"iam:CreateServiceLinkedRole"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:Decrypt",
"kms:Encrypt",
"kms:GenerateDataKey",
"kms:GenerateDataKeyWithoutPlainText",
"kms:DescribeKey"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"kms:RevokeGrant",
"kms:CreateGrant",
"kms:ListGrants"
],
"Resource": "*",
"Condition": {
"Bool": {
"kms:GrantIsForAWSResource": true
}
}
}
]
}| Resource | Description |
|---|---|
|
An IAM policy that provides the ROSA Cloud Credential Operator with the permissions required to manage cloud provider credentials. |
openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"iam:GetUser",
"iam:GetUserPolicy",
"iam:ListAccessKeys"
],
"Resource": "*"
}
]
}| Resource | Description |
|---|---|
|
An IAM policy that provides the ROSA Image Registry Operator with the permissions required to manage the internal registry storage in AWS S3 for a cluster. |
openshift_image_registry_installer_cloud_credentials_policy.json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:CreateBucket",
"s3:DeleteBucket",
"s3:PutBucketTagging",
"s3:GetBucketTagging",
"s3:PutBucketPublicAccessBlock",
"s3:GetBucketPublicAccessBlock",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:PutLifecycleConfiguration",
"s3:GetLifecycleConfiguration",
"s3:GetBucketLocation",
"s3:ListBucket",
"s3:GetObject",
"s3:PutObject",
"s3:DeleteObject",
"s3:ListBucketMultipartUploads",
"s3:AbortMultipartUpload",
"s3:ListMultipartUploadParts"
],
"Resource": "*"
}
]
}Additional resources
-
For a definition of OpenShift major, minor, and patch versions, see the Red Hat OpenShift Service on AWS update life cycle.
Account-wide IAM role and policy AWS CLI reference
This section lists the aws CLI commands that the rosa command generates in the terminal. You can run the command in either manual or automatic mode.
Using manual mode for account role creation
The manual role creation mode generates the aws commands for you to review and run. The following command starts that process:
$ rosa create account-roles --mode manual|
The provided command examples include the |
Command output
aws iam create-role \
--role-name ManagedOpenShift-Installer-Role \
--assume-role-policy-document file://sts_installer_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer
aws iam put-role-policy \
--role-name ManagedOpenShift-Installer-Role \
--policy-name ManagedOpenShift-Installer-Role-Policy \
--policy-document file://sts_installer_permission_policy.json
aws iam create-role \
--role-name ManagedOpenShift-ControlPlane-Role \
--assume-role-policy-document file://sts_instance_controlplane_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_controlplane
aws iam put-role-policy \
--role-name ManagedOpenShift-ControlPlane-Role \
--policy-name ManagedOpenShift-ControlPlane-Role-Policy \
--policy-document file://sts_instance_controlplane_permission_policy.json
aws iam create-role \
--role-name ManagedOpenShift-Worker-Role \
--assume-role-policy-document file://sts_instance_worker_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_worker
aws iam put-role-policy \
--role-name ManagedOpenShift-Worker-Role \
--policy-name ManagedOpenShift-Worker-Role-Policy \
--policy-document file://sts_instance_worker_permission_policy.json
aws iam create-role \
--role-name ManagedOpenShift-Support-Role \
--assume-role-policy-document file://sts_support_trust_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=support
aws iam put-role-policy \
--role-name ManagedOpenShift-Support-Role \
--policy-name ManagedOpenShift-Support-Role-Policy \
--policy-document file://sts_support_permission_policy.json
aws iam create-policy \
--policy-name ManagedOpenShift-openshift-ingress-operator-cloud-credentials \
--policy-document file://openshift_ingress_operator_cloud_credentials_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-ingress-operator Key=operator_name,Value=cloud-credentials
aws iam create-policy \
--policy-name ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent \
--policy-document file://openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-cluster-csi-drivers Key=operator_name,Value=ebs-cloud-credentials
aws iam create-policy \
--policy-name ManagedOpenShift-openshift-machine-api-aws-cloud-credentials \
--policy-document file://openshift_machine_api_aws_cloud_credentials_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-machine-api Key=operator_name,Value=aws-cloud-credentials
aws iam create-policy \
--policy-name ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede \
--policy-document file://openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-cloud-credential-operator Key=operator_name,Value=cloud-credential-operator-iam-ro-creds
aws iam create-policy \
--policy-name ManagedOpenShift-openshift-image-registry-installer-cloud-creden \
--policy-document file://openshift_image_registry_installer_cloud_credentials_policy.json \
--tags Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-image-registry Key=operator_name,Value=installer-cloud-credentialsUsing auto mode for role creation
When you add the --mode auto argument, the rosa CLI tool creates your roles and policies. The following command starts that process:
$ rosa create account-roles --mode auto|
The provided command examples include the |
Command output
I: Creating roles using 'arn:aws:iam::<ARN>:user/<UserID>'
? Create the 'ManagedOpenShift-Installer-Role' role? Yes
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Installer-Role'
? Create the 'ManagedOpenShift-ControlPlane-Role' role? Yes
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-ControlPlane-Role'
? Create the 'ManagedOpenShift-Worker-Role' role? Yes
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Worker-Role'
? Create the 'ManagedOpenShift-Support-Role' role? Yes
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Support-Role'
? Create the operator policies? Yes
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cloud-network-config-controller-cloud'
I: To create a cluster with these roles, run the following command:
rosa create cluster --stsCluster-specific Operator IAM role reference
This section provides details about the Operator IAM roles that are required for Red Hat OpenShift Service on AWS (ROSA) deployments that use STS. The cluster Operators use the Operator roles to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud provider credentials, and external access to a cluster.
When you create the Operator roles, the account-wide Operator policies for the matching cluster version are attached to the roles. The Operator policies are tagged with the Operator and version they are compatible with. The correct policy for an Operator role is determined by using the tags.
|
If more than one matching policy is available in your account for an Operator role, an interactive list of options is provided when you create the Operator. |
| Resource | Description |
|---|---|
|
An IAM role required by ROSA to manage back-end storage through the Container Storage Interface (CSI). |
|
An IAM role required by the ROSA Machine Config Operator to perform core cluster functionality. |
|
An IAM role required by the ROSA Cloud Credential Operator to manage cloud provider credentials. |
|
An IAM role required by the cloud network config controller to manage cloud network configuration for a cluster. |
|
An IAM role required by the ROSA Image Registry Operator to manage the internal registry storage in AWS S3 for a cluster. |
|
An IAM role required by the ROSA Ingress Operator to manage external access to a cluster. |
|
An IAM role required by the cloud network config controller to manage cloud network credentials for a cluster. |
Operator IAM role AWS CLI reference
This section lists the aws CLI commands that are shown in the terminal when you run the following rosa command using manual mode:
$ rosa create operator-roles --mode manual --cluster <cluster_name>|
When using |
Command output
aws iam create-role \
--role-name <cluster_name>-<hash>-openshift-cluster-csi-drivers-ebs-cloud-credent \
--assume-role-policy-document file://operator_cluster_csi_drivers_ebs_cloud_credentials_policy.json \
--tags Key=rosa_cluster_id,Value=<id> Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-cluster-csi-drivers Key=operator_name,Value=ebs-cloud-credentials
aws iam attach-role-policy \
--role-name <cluster_name>-<hash>-openshift-cluster-csi-drivers-ebs-cloud-credent \
--policy-arn arn:aws:iam::<aws_account_id>:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent
aws iam create-role \
--role-name <cluster_name>-<hash>-openshift-machine-api-aws-cloud-credentials \
--assume-role-policy-document file://operator_machine_api_aws_cloud_credentials_policy.json \
--tags Key=rosa_cluster_id,Value=<id> Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-machine-api Key=operator_name,Value=aws-cloud-credentials
aws iam attach-role-policy \
--role-name <cluster_name>-<hash>-openshift-machine-api-aws-cloud-credentials \
--policy-arn arn:aws:iam::<aws_account_id>:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials
aws iam create-role \
--role-name <cluster_name>-<hash>-openshift-cloud-credential-operator-cloud-crede \
--assume-role-policy-document file://operator_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json \
--tags Key=rosa_cluster_id,Value=<id> Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-cloud-credential-operator Key=operator_name,Value=cloud-credential-operator-iam-ro-creds
aws iam attach-role-policy \
--role-name <cluster_name>-<hash>-openshift-cloud-credential-operator-cloud-crede \
--policy-arn arn:aws:iam::<aws_account_id>:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede
aws iam create-role \
--role-name <cluster_name>-<hash>-openshift-image-registry-installer-cloud-creden \
--assume-role-policy-document file://operator_image_registry_installer_cloud_credentials_policy.json \
--tags Key=rosa_cluster_id,Value=<id> Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-image-registry Key=operator_name,Value=installer-cloud-credentials
aws iam attach-role-policy \
--role-name <cluster_name>-<hash>-openshift-image-registry-installer-cloud-creden \
--policy-arn arn:aws:iam::<aws_account_id>:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden
aws iam create-role \
--role-name <cluster_name>-<hash>-openshift-ingress-operator-cloud-credentials \
--assume-role-policy-document file://operator_ingress_operator_cloud_credentials_policy.json \
--tags Key=rosa_cluster_id,Value=<id> Key=rosa_openshift_version,Value=4.8 Key=rosa_role_prefix,Value= Key=operator_namespace,Value=openshift-ingress-operator Key=operator_name,Value=cloud-credentials
aws iam attach-role-policy \
--role-name <cluster_name>-<hash>-openshift-ingress-operator-cloud-credentials \
--policy-arn arn:aws:iam::<aws_account_id>:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials|
The command examples provided in the table include Operator roles that use the |
About custom Operator IAM role prefixes
Each Red Hat OpenShift Service on AWS (ROSA) cluster that uses the AWS Security Token Service (STS) requires cluster-specific Operator IAM roles.
By default, the Operator role names are prefixed with the cluster name and a random 4-digit hash. For example, the Cloud Credential Operator IAM role for a cluster named mycluster has the default name mycluster-<hash>-openshift-cloud-credential-operator-cloud-credentials, where <hash> is a random 4-digit string.
This default naming convention enables you to easily identify the Operator IAM roles for a cluster in your AWS account.
When you create the Operator roles for a cluster, you can optionally specify a custom prefix to use instead of <cluster_name>-<hash>. By using a custom prefix, you can prepend logical identifiers to your Operator role names to meet the requirements of your environment. For example, you might prefix the cluster name and the environment type, such as mycluster-dev. In that example, the Cloud Credential Operator role name with the custom prefix is mycluster-dev-openshift-cloud-credential-operator-cloud-credenti.
|
The role names are truncated to 64 characters. |
Additional resources
-
For steps to create the cluster-specific Operator IAM roles using a custom prefix, see Creating a cluster with customizations using the CLI or Creating a cluster with customizations by using OpenShift Cluster Manager.
OIDC provider requirements for Operator authentication
For ROSA installations that use STS, you must create a cluster-specific OIDC provider that is used by the cluster Operators to authenticate.
OIDC provider AWS CLI reference
This section lists the aws CLI command that is shown in the terminal when you run the following rosa command using manual mode:
$ rosa create oidc-provider --mode manual --cluster <cluster_name>|
When using |
Command output
aws iam create-open-id-connect-provider \
--url https://rh-oidc.s3.<aws_region>.amazonaws.com/<cluster_id> \
--client-id-list openshift sts.amazonaws.com \
--thumbprint-list <thumbprint> (1)| 1 | The thumbprint is generated automatically when you run the rosa create oidc-provider command. For more information about using thumbprints with AWS Identity and Access Management (IAM) OpenID Connect (OIDC) identity providers, see the AWS documentation. |
Minimum set of effective permissions for service control policies (SCP)
Service control policies (SCP) are a type of organization policy that manages permissions within your organization. SCPs ensure that accounts within your organization stay within your defined access control guidelines. These polices are maintained in AWS Organizations and control the services that are available within the attached AWS accounts. SCP management is the responsibility of the customer.
|
When using AWS Security Token Service (STS), you must ensure that the service control policy does not block the following resources:
|
Verify that your service control policy (SCP) does not restrict any of these required permissions.
| Service | Actions | Effect | |
|---|---|---|---|
Required |
Amazon EC2 |
All |
Allow |
Amazon EC2 Auto Scaling |
All |
Allow |
|
Amazon S3 |
All |
Allow |
|
Identity And Access Management |
All |
Allow |
|
Elastic Load Balancing |
All |
Allow |
|
Elastic Load Balancing V2 |
All |
Allow |
|
Amazon CloudWatch |
All |
Allow |
|
Amazon CloudWatch Events |
All |
Allow |
|
Amazon CloudWatch Logs |
All |
Allow |
|
AWS Support |
All |
Allow |
|
AWS Key Management Service |
All |
Allow |
|
AWS Security Token Service |
All |
Allow |
|
AWS Marketplace |
Subscribe Unsubscribe View Subscriptions |
Allow |
|
AWS Resource Tagging |
All |
Allow |
|
AWS Route53 DNS |
All |
Allow |
|
AWS Service Quotas |
ListServices GetRequestedServiceQuotaChange GetServiceQuota RequestServiceQuotaIncrease ListServiceQuotas |
Allow |
|
Optional |
AWS Billing |
ViewAccount Viewbilling ViewUsage |
Allow |
AWS Cost and Usage Report |
All |
Allow |
|
AWS Cost Explorer Services |
All |
Allow |
Additional resources