Bug 1403966

Summary: [RFE][Docs] Restrict AWS IAM Roles and Permissions
Product: OpenShift Container Platform Reporter: Brennan Vincello <bvincell>
Component: Documentation Assignee: Ashley Hardin <ahardin>
Status: CLOSED CANTFIX QA Contact: Chao Yang <chaoyang>
Severity: low Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 3.3.0 CC: aos-bugs, dmcphers, dwalsh, jokerman, mmccomas, screeley, tatanaka
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2017-02-02 19:55:40 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Brennan Vincello 2016-12-12 18:14:43 UTC
Document URL and section: 

Section 2.5.4, Permissions for Amazon Web Services
https://access.redhat.com/articles/2623521 

Configuring for AWS
https://docs.openshift.com/container-platform/3.3/install_config/configuring_aws.html

Describe the issue: 

As an OpenShift admin, I'm running the advanced setup of the OpenShift Platform using AWS as a cloud provider. I can complete the setup using the broadest possible IAM permission set that allows everything. I would like to assign an IAM Role to the AWS instance (both masters and nodes), but I want to have a more restrictive set of permissions.

Suggestions for improvement: 

Could you provide a recommended set of permissions that are required to install and run the OpenShift cluster on AWS? Also, if the masters' IAM permissions are different from the ones for the nodes, could you provide two sets - one for the masters and one for the nodes?

Additional information: 

In the AWS reference architecture Section 2.5.4, Permissions for Amazon Web Services, we see:

"The deployment of OpenShift requires a user that has the proper permissions by the AWS IAM administrator. The user must be able to create accounts, S3 buckets, roles, policies, Route53 entries, and deploy ELBs and EC2 instances. It is helpful to have delete permissions in order to be able to redeploy the environment while testing."

By implication it seems as if the required permissions would be the following:

- create accounts
- create S3 buckets
- create roles
- create policies
- create Route53 entries
- deploy ELBs
- deploy EC2 instances

However, this list doesn't appear to be explicit enough for implementation, nor does it differentiate between master and node permissions.


(Submitted on behalf of client.)

Comment 1 Takayoshi Tanaka 2016-12-22 01:32:42 UTC
Hi, is there any update?

Comment 2 Vikram Goyal 2016-12-22 01:50:36 UTC
(In reply to Takayoshi Tanaka from comment #1)
> Hi, is there any update?

Not yet. Expect this around OCP 3.4 release.

Comment 4 Scott Creeley 2017-01-31 15:54:21 UTC
Ashley,
I would reach out to the RH person/people that manage and set up the RH-DEV environments, they might have some information that could help.  Dan Walsh might be a good starting point.

Comment 5 Ashley Hardin 2017-01-31 16:52:51 UTC
Thanks, Scott!

Dan, Can you please help?

Comment 6 Scott Creeley 2017-02-01 13:53:13 UTC
@Ashley,
I think I put in the wrong name, I think Dan McPherson might be a better starting point for this.


thanks,
Scott

Comment 7 Ashley Hardin 2017-02-02 14:31:19 UTC
Thanks, Scott.

Dan, Are you able to help provide guidance? Thanks!

Comment 8 Dan McPherson 2017-02-02 14:42:11 UTC
Not really.  The only way to do this is to implement a set of desired permissions and go through everything seeing what breaks, adding the needed perms, and repeating.  It's a fairly tedious process and requires development work to prove it out.  If we are going to provide the guidance, it's going to take a user story.  We can't just tell them what we do for rh-dev as that environment has lots of purposes.
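The "implement a set of permissions, see what breaks, add the needed perms, repeat" loop from comment 8, written out as a script. This is an added example, not code from this bug or from OpenShift: the recorded API calls are constructed, the CloudTrail-style `eventSource`/`eventName`/`errorCode` field names are an assumption about where such records would be collected, and `simulate_trial` is a stand-in for an actual installer run.

```python
import copy

# Constructed sample of the API calls recorded during one trial installer run under a
# deliberately tight role; field names follow CloudTrail's eventSource/eventName/errorCode
# (an assumption about where such records would come from).
SAMPLE_EVENTS = [
    {"eventSource": "ec2.amazonaws.com", "eventName": "DescribeInstances", "errorCode": None},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "elasticloadbalancing.amazonaws.com", "eventName": "DescribeLoadBalancers", "errorCode": "AccessDenied"},
    {"eventSource": "ec2.amazonaws.com", "eventName": "CreateTags", "errorCode": "Client.UnauthorizedOperation"},
    {"eventSource": "s3.amazonaws.com", "eventName": "CreateBucket", "errorCode": None},
]

# The loop starts from a minimal policy and only ever adds what a run proved it needs.
START_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["ec2:DescribeInstances"], "Resource": "*"}],
}

def action_of(event):
    """CloudTrail source + name -> IAM action string, e.g. ec2.amazonaws.com/CreateTags -> ec2:CreateTags."""
    return event["eventSource"].split(".")[0] + ":" + event["eventName"]

def denied_actions(events):
    """Sorted, de-duplicated IAM actions whose calls failed an authorization check."""
    return sorted({action_of(ev) for ev in events
                   if any(tag in (ev.get("errorCode") or "") for tag in ("AccessDenied", "UnauthorizedOperation"))})

def grant(policy, actions):
    """Copy of the policy with `actions` added to its Allow statement (resources still to be narrowed by hand)."""
    new = copy.deepcopy(policy)
    stmt = new["Statement"][0]
    stmt["Action"] = sorted(set(stmt["Action"]) | set(actions))
    return new

def simulate_trial(policy, events):
    """Stand-in for a real run: each recorded call is denied unless the policy allows its action."""
    allowed = set(policy["Statement"][0]["Action"])
    return [dict(ev, errorCode=None if action_of(ev) in allowed else "AccessDenied") for ev in events]

def tighten(policy, run_trial, max_rounds=10):
    """Run, grant what was denied, repeat until a run produces no denials; `run_trial(policy)` returns its events."""
    for _ in range(max_rounds):
        missing = denied_actions(run_trial(policy))
        if not missing:
            return policy
        policy = grant(policy, missing)
    raise RuntimeError("policy did not converge; inspect the remaining denials by hand")
```

Running the loop once over records gathered from the masters and once over records from the nodes yields the two separate permission sets the reporter asked for; the `Resource: "*"` left in the draft is the next thing to narrow.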