Bug 1467508

Summary: [DOCS] AWS configuration does not describe how to use IAM Roles
Product: OpenShift Container Platform Reporter: Gaurav Nelson <gnelson>
Component: Documentation Assignee: Gaurav Nelson <gnelson>
Status: CLOSED NOTABUG QA Contact: Chao Yang <chaoyang>
Severity: unspecified Docs Contact: Vikram Goyal <vigoyal>
Priority: unspecified    
Version: 3.4.0 CC: aos-bugs, jhou, jokerman, mmccomas, rcook, stwalter, vigoyal
Target Milestone: --- Keywords: Reopened
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: 1462823 Environment:
Last Closed: 2017-08-04 13:53:17 UTC Type: Bug
Bug Depends On: 1462823    

Comment 2 Ryan Cook 2017-07-24 21:01:23 UTC
IAM roles must be assigned to instances at launch time.

Refer to http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html, specifically "To launch an instance with an IAM role using the console" or "To launch an instance with an IAM role using the AWS CLI".

Comment 3 Gaurav Nelson 2017-07-31 03:17:01 UTC
There are no changes needed in docs other than what's already done in Bug #1462823.

Comment 4 Steven Walter 2017-08-02 15:48:25 UTC
I don't understand why this is closed. The questions are not answered in the docs or here.

2. Can we be more precise in granting privileges? The ec2:* in the example you give may be a problem. If I need to set aws as the cloud provider but all I need is to dynamically assign Elastic Block Storage for persistent volumes, can I change ec2:* to a smaller list of permissions?

We still have no indication in the docs as to what permissions are required by the role used -- in instances where the user wants to lock it down.

Comment 5 Steven Walter 2017-08-02 15:50:02 UTC
To clarify, this isn't about launching instances at all, this is about EBS volumes. That's why this bug was forked.

Comment 6 Gaurav Nelson 2017-08-04 00:46:14 UTC
Hello Steven, we are working on getting those done as part of https://bugzilla.redhat.com/show_bug.cgi?id=1452816, which is documenting permissions for all cloud providers.