Bug 1304457 - Detailed AWS Provider Rights
Status: NEW
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.5.0
Hardware/OS: Unspecified / Unspecified
Priority: medium, Severity: medium
Target Milestone: GA
Target Release: cfme-future
Assigned To: Red Hat CloudForms Documentation
cloud:ec2
Reported: 2016-02-03 11:39 EST by Colin Arnott
Modified: 2017-10-26 01:36 EDT
CC list: 11 users

Doc Type: Bug Fix
Type: Bug

External Trackers:
Red Hat Knowledge Base (Solution) 2430321, last updated 2016-09-15 15:38 EDT
Description Colin Arnott 2016-02-03 11:39:36 EST
Description of problem:
When setting up AWS as a CloudProvider, instructions state that the AWS rights "[s]hould have privileged access, such as root or administrator". This is not feasible in all cases and more detailed breakdown of required rights is needed.

Actual results:
root or administrator rights are said to be required for AWS CloudProvider setup.

Expected results:
Explicit rights should be enumerated for AWS CloudProvider setup.
Comment 5 Colin Arnott 2016-02-10 10:37:36 EST
I was able to generate the following policy that, from my testing, appears to enable all required CloudForms functionality:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:*"
            ],
            "Resource": "arn:aws:apigateway:*::/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStack*",
                "cloudformation:UpdateStack",
                "cloudwatch:*",
                "ec2:*",
                "ecs:*",
                "elasticloadbalancing:*",
                "iam:ListInstanceProfiles",
                "iam:ListRoles",
                "iam:PassRole",
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
}

Note that the policy is a composite of the following:

AmazonEC2FullAccess
AmazonAPIGatewayAdministrator
AmazonEC2ContainerServiceFullAccess
AmazonSNSFullAccess
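As an added example (not part of the bug report or of CloudForms itself), the following Python check classifies every grant in the policy above by how broad it is: whole-service wildcards such as "ec2:*", prefix wildcards such as "cloudformation:DescribeStack*", explicitly named actions, and Allow statements whose Resource is the bare "*". This is the kind of review a least-privilege request like this one needs before the policy is adopted; the policy text embedded below is a constructed copy of the one in comment 5 so the script runs offline.

```python
import json
from typing import Any, Dict

# Constructed copy of the policy posted in comment 5, embedded so the review runs offline.
POLICY_JSON = """{"Version": "2012-10-17", "Statement": [
 {"Effect": "Allow", "Action": ["apigateway:*"], "Resource": "arn:aws:apigateway:*::/*"},
 {"Effect": "Allow", "Action": ["autoscaling:*", "cloudformation:CreateStack",
   "cloudformation:DeleteStack", "cloudformation:DescribeStack*", "cloudformation:UpdateStack",
   "cloudwatch:*", "ec2:*", "ecs:*", "elasticloadbalancing:*", "iam:ListInstanceProfiles",
   "iam:ListRoles", "iam:PassRole", "sns:*"], "Resource": "*"}]}"""


def _as_list(value: Any) -> list:
    """IAM allows Action/Resource/Statement to be a single item or a list; normalise to a list."""
    return [value] if isinstance(value, (str, dict)) else list(value or [])


def review_policy(policy_text: str) -> Dict[str, Any]:
    """Classify every Allow grant: services touched, service-wide wildcards ("ec2:*"),
    prefix wildcards ("cloudformation:DescribeStack*"), explicitly named actions, and
    the indexes of Allow statements whose Resource is the bare "*"."""
    doc = json.loads(policy_text)
    result: Dict[str, Any] = {
        "services": set(),
        "service_wide": [],
        "prefix_wildcards": [],
        "named_actions": [],
        "wildcard_resource_statements": [],
    }
    for index, statement in enumerate(_as_list(doc.get("Statement"))):
        if statement.get("Effect") != "Allow":
            continue  # Deny statements narrow access; only Allow grants are scored here.
        for action in _as_list(statement.get("Action")):
            service, _, verb = action.partition(":")
            result["services"].add(service)
            if verb == "*":
                result["service_wide"].append(action)
            elif "*" in verb:
                result["prefix_wildcards"].append(action)
            else:
                result["named_actions"].append(action)
        if "*" in _as_list(statement.get("Resource")):
            result["wildcard_resource_statements"].append(index)
    return result


if __name__ == "__main__":
    for key, value in review_policy(POLICY_JSON).items():
        print(f"{key}: {sorted(value) if isinstance(value, set) else value}")
```

Run against the policy above it reports seven whole-service wildcards, one prefix wildcard, six named actions, and that the second statement (index 1) applies to every resource; those are the lines to revisit when tightening the grant.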
Comment 6 Greg Blomquist 2016-02-19 15:22:19 EST
Josh, it sounds like we should publish this as the official policy. What are your thoughts?
Comment 8 Colin Arnott 2016-09-08 08:45:34 EDT
Document URL:
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_amazon_ec2_providers

Section Number and Name:
3.3.1.7 Adding Amazon EC2 Providers: security credentials

Describe the issue:
The AWS provider currently provides no requirements for privilege level on the authenticating access key; my security standards prevent me from giving carte blanche access to my AWS environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my AWS environment?

Suggestions for improvement:
Add a section indicating required permissions for the AWS provider.

Additional information:
Comment 12 Andrew Dahms 2017-03-06 00:06:13 EST
Removing Les Williams from the CC list, and moving back to 'NEW' while assigned to the default assignee.
Comment 13 Andrew Dahms 2017-05-14 21:32:02 EDT
Hi Colin,

Thank you for raising this bug.

My apologies for the delay it has taken for us to respond, but we have had a strong need to focus on feature-related content over the past release or so, which has made it difficult for us to schedule time for requests such as this.

That said, we understand this is a topic of growing importance to customers, and I have started a conversation with engineering and product management to see how we can address this across the board.

I will let you know how we proceed.

Kind regards,

Andrew
