Bug 1304457
| Summary: | Detailed AWS Provider Rights | | |
|---|---|---|---|
| Product: | Red Hat CloudForms Management Engine | Reporter: | Colin Arnott <carnott> |
| Component: | Documentation | Assignee: | Red Hat CloudForms Documentation <cloudforms-docs> |
| Status: | CLOSED WONTFIX | QA Contact: | Red Hat CloudForms Documentation <cloudforms-docs> |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | | |
| Version: | 5.5.0 | CC: | adahms, benglish, cloudforms-docs, gblomqui, jfrey, jhardy, jocarter, mfeifer, myoder, obarenbo, psavage |
| Target Milestone: | GA | | |
| Target Release: | cfme-future | | |
| Hardware: | Unspecified | | |
| OS: | Unspecified | | |
| Whiteboard: | cloud:ec2 | | |
| Fixed In Version: | | Doc Type: | Bug Fix |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2018-10-10 12:26:55 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
Description
Colin Arnott
2016-02-03 16:39:36 UTC
I was able to generate the following policy, which, from my testing, appears to enable all required CloudForms functionality:
```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:*"
            ],
            "Resource": "arn:aws:apigateway:*::/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStack*",
                "cloudformation:UpdateStack",
                "cloudwatch:*",
                "ec2:*",
                "ecs:*",
                "elasticloadbalancing:*",
                "iam:ListInstanceProfiles",
                "iam:ListRoles",
                "iam:PassRole",
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
}
```
Note that the policy is a composite of the following:
AmazonEC2FullAccess
AmazonAPIGatewayAdministrator
AmazonEC2ContainerServiceFullAccess
AmazonSNSFullAccess
Josh, it sounds like we should publish this as the official policy. What are your thoughts?

Document URL: https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_amazon_ec2_providers

Section Number and Name: 3.3.1.7 Adding Amazon EC2 Providers: security credentials

Describe the issue: The AWS provider currently provides no requirements for the privilege level of the authenticating access key; my security standards prevent me from giving carte blanche access to my AWS environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my AWS environment.

Suggestions for improvement: Add a section indicating required permissions for the AWS provider.

Additional information:

Removing Les Williams from the CC list, and moving back to 'NEW' while assigned to the default assignee.

Hi Colin,

Thank you for raising this bug. My apologies for the delay it has taken for us to respond, but we have had a strong need to focus on feature-related content over the past release or so, which has made it difficult for us to schedule time for requests such as this. That said, we understand this is a topic of growing importance to customers, and I have started a conversation with engineering and product management to see how we can address this across the board. I will let you know how we proceed.

Kind regards,
Andrew

Thank you for raising this bug. We have evaluated this request, and while we recognize that it is a valid request for the documentation, we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Andrew Dahms.
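The composite policy posted in this report still grants service-wide wildcards (`ec2:*`, `autoscaling:*`, `sns:*` and others) and, more importantly, `iam:PassRole` on `Resource: "*"`: a key that can pass any role in the account to an instance or CloudFormation stack it launches can hand itself an administrative role, so that one grant undoes the least-privilege intent. The script below is an example added by the editor, not code from the bug report or from CloudForms. It parses the posted policy offline, lists the services granted `service:*`, flags the unscoped PassRole, and rewrites it into a statement limited to named roles and to the services that receive them. The account ID, the role name `cfme-instance-role`, and the choice of `ec2.amazonaws.com` and `cloudformation.amazonaws.com` as passed-to services are assumptions for illustration; `iam:PassedToService` is a real IAM condition key.

```python
"""Offline linter for the CloudForms AWS-provider IAM policy posted above.

Added example, not part of the bug report or of CloudForms. NotAction /
NotResource statements are not handled; the policy above uses neither.
"""
import json
from typing import Dict, List

# The policy from the bug report, embedded so the script runs offline.
CFME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["apigateway:*"],
         "Resource": "arn:aws:apigateway:*::/*"},
        {"Effect": "Allow",
         "Action": ["autoscaling:*", "cloudformation:CreateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStack*",
                    "cloudformation:UpdateStack", "cloudwatch:*", "ec2:*", "ecs:*",
                    "elasticloadbalancing:*", "iam:ListInstanceProfiles",
                    "iam:ListRoles", "iam:PassRole", "sns:*"],
         "Resource": "*"},
    ],
}


def _as_list(value) -> List:
    """IAM allows a string or a list for Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_services(policy: Dict) -> List[str]:
    """Sorted service prefixes granted every action ('svc:*') by an Allow statement.

    'cloudformation:DescribeStack*' is an action-prefix wildcard, not a
    service-wide one, and is deliberately not reported here."""
    services = set()
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action == "*":
                services.add("*")
                continue
            svc, _, verb = action.partition(":")
            if verb == "*":
                services.add(svc)
    return sorted(services)


def unscoped_pass_role(policy: Dict) -> bool:
    """True if iam:PassRole is allowed on Resource '*' with no Condition."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if any(a in ("iam:PassRole", "iam:*", "*") for a in actions):
            if "*" in _as_list(stmt.get("Resource", [])) and "Condition" not in stmt:
                return True
    return False


def scoped_pass_role(account_id: str, role_names: List[str]) -> Dict:
    """PassRole statement limited to named roles and to the services that may
    receive them (assumption: EC2 and CloudFormation, the launchers CFME uses)."""
    return {
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": [f"arn:aws:iam::{account_id}:role/{n}" for n in role_names],
        "Condition": {"StringEquals": {"iam:PassedToService": [
            "ec2.amazonaws.com", "cloudformation.amazonaws.com"]}},
    }


def harden_pass_role(policy: Dict, account_id: str, role_names: List[str]) -> Dict:
    """Deep copy of policy with iam:PassRole dropped from Resource-'*' statements
    and a scoped PassRole statement appended; the rest is left unchanged."""
    out = json.loads(json.dumps(policy))
    for stmt in out["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        if "iam:PassRole" in actions and "*" in _as_list(stmt.get("Resource", [])):
            stmt["Action"] = [a for a in actions if a != "iam:PassRole"]
    out["Statement"].append(scoped_pass_role(account_id, role_names))
    return out


if __name__ == "__main__":
    print("service-wide wildcards:", wildcard_services(CFME_POLICY))
    print("unscoped iam:PassRole:", unscoped_pass_role(CFME_POLICY))
    # Placeholder account ID and role name; substitute the real instance role(s).
    fixed = harden_pass_role(CFME_POLICY, "123456789012", ["cfme-instance-role"])
    print(json.dumps(fixed["Statement"][-1], indent=2))
```

The service-wide wildcards the linter reports are the next thing to trim, but that needs the actual call list of the provider (CloudTrail for the CFME access key, or IAM Access Advisor, over a full inventory-and-provision cycle), which the report does not contain; the PassRole fix needs no such data and closes the escalation path on its own.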