Description of problem:
When setting up AWS as a CloudProvider, instructions state that the AWS rights "[s]hould have privileged access, such as root or administrator". This is not feasible in all cases and a more detailed breakdown of required rights is needed.

Actual results:
Root or administrator rights are said to be required for AWS CloudProvider setup.

Expected results:
Explicit rights should be enumerated for AWS CloudProvider setup.
I was able to generate the following policy, that from my testing, appears to enable all required CloudForms functionality:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": [
            "apigateway:*"
          ],
          "Resource": "arn:aws:apigateway:*::/*"
        },
        {
          "Effect": "Allow",
          "Action": [
            "autoscaling:*",
            "cloudformation:CreateStack",
            "cloudformation:DeleteStack",
            "cloudformation:DescribeStack*",
            "cloudformation:UpdateStack",
            "cloudwatch:*",
            "ec2:*",
            "ecs:*",
            "elasticloadbalancing:*",
            "iam:ListInstanceProfiles",
            "iam:ListRoles",
            "iam:PassRole",
            "sns:*"
          ],
          "Resource": "*"
        }
      ]
    }

Note that the policy is a composite of the following:
    AmazonEC2FullAccess
    AmazonAPIGatewayAdministrator
    AmazonEC2ContainerServiceFullAccess
    AmazonSNSFullAccess
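The policy posted above can be reviewed offline before it is attached to anything. The script below is an added example for this bug, not CloudForms/ManageIQ code and not an AWS tool: it embeds the posted policy as constructed input, answers "does this policy allow action X on resource Y" with IAM's case-insensitive glob matching, lists the services granted a full "service:*" wildcard, and flags sensitive actions that are allowed on Resource "*". The SENSITIVE_ACTIONS shortlist is the reviewer's assumption, not an AWS-published set, and Deny statements, Condition blocks and NotAction/NotResource are not modelled (the loader refuses policies that use Deny so the simplification fails closed). Running it against the posted policy shows the point a practitioner would want to check: iam:PassRole is allowed on every role in the account, so any role that the CloudForms principal can name may be passed to the instances it launches; scoping that statement to the instance-profile roles CloudForms actually uses is the least-privilege refinement to consider.

```python
"""Offline checks for an IAM policy document (constructed example)."""
import fnmatch
import json

# The policy posted in the comment above, embedded so this runs without AWS access.
POLICY_JSON = r'''
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["apigateway:*"],
     "Resource": "arn:aws:apigateway:*::/*"},
    {"Effect": "Allow",
     "Action": ["autoscaling:*", "cloudformation:CreateStack",
                "cloudformation:DeleteStack", "cloudformation:DescribeStack*",
                "cloudformation:UpdateStack", "cloudwatch:*", "ec2:*", "ecs:*",
                "elasticloadbalancing:*", "iam:ListInstanceProfiles",
                "iam:ListRoles", "iam:PassRole", "sns:*"],
     "Resource": "*"}
  ]
}
'''

# Actions that hand out or escalate privilege when allowed on Resource "*".
# Assumption: a reviewer's shortlist for this example, not an AWS-published list.
SENSITIVE_ACTIONS = (
    "iam:PassRole", "iam:AttachRolePolicy", "iam:PutRolePolicy",
    "iam:CreatePolicyVersion", "iam:CreateAccessKey", "sts:AssumeRole",
)


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def load_policy(text):
    """Parse a policy document and return its statements.

    Deny, Condition, NotAction and NotResource are not modelled here; refuse
    Deny outright so the simplification cannot over-report what is allowed.
    """
    statements = _as_list(json.loads(text).get("Statement"))
    if not statements:
        raise ValueError("policy has no Statement")
    if any(st.get("Effect") == "Deny" for st in statements):
        raise ValueError("Deny statements are not modelled by this checker")
    return statements


def _action_matches(action, pattern):
    # IAM action names are case-insensitive; '*' and '?' glob as in IAM.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def is_allowed(statements, action, resource=None):
    """True if an Allow statement covers `action`; if `resource` is given, its
    Resource pattern must also glob-match that ARN (ARNs are case-sensitive)."""
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        if not any(_action_matches(action, p) for p in _as_list(st.get("Action"))):
            continue
        if resource is None or any(fnmatch.fnmatchcase(resource, r)
                                   for r in _as_list(st.get("Resource"))):
            return True
    return False


def service_wildcards(statements):
    """Services granted every action ("service:*") by an Allow statement."""
    services = set()
    for st in statements:
        if st.get("Effect") != "Allow":
            continue
        for pattern in _as_list(st.get("Action")):
            service, _, verb = pattern.partition(":")
            if pattern == "*" or verb == "*":
                services.add(service.lower())
    return sorted(services)


def sensitive_on_any_resource(statements):
    """Sensitive actions the policy allows with a literal Resource "*"."""
    return [a for a in SENSITIVE_ACTIONS if is_allowed(statements, a, "*")]


if __name__ == "__main__":
    sts = load_policy(POLICY_JSON)
    print("service-wide wildcards:", service_wildcards(sts))
    print("sensitive actions on Resource '*':", sensitive_on_any_resource(sts))
    for probe in ("ec2:DescribeInstances", "iam:CreateUser", "s3:GetObject"):
        print(f"{probe} -> {is_allowed(sts, probe)}")
```

To evaluate a candidate replacement for the posted policy, swap the document into POLICY_JSON (or read it from a file) and re-run; a scoped PassRole statement such as one limited to specific role ARNs would drop out of sensitive_on_any_resource while is_allowed still confirms the actions CloudForms needs.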
Josh, it sounds like we should publish this as the official policy. What are your thoughts?
Document URL: https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_amazon_ec2_providers

Section Number and Name: 3.3.1.7 Adding Amazon EC2 Providers: security credentials

Describe the issue: The AWS provider currently provides no requirements for privilege level on the authenticating access key; my security standards prevent me from giving carte blanche access to my AWS environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my AWS environment.

Suggestions for improvement: Add a section indicating required permissions for the AWS provider.

Additional information:
Removing Les Williams from the CC list, and moving back to 'NEW' while assigned to the default assignee.
Hi Colin, Thank you for raising this bug. My apologies for the delay it has taken for us to respond, but we have had a strong need to focus on feature-related content over the past release or so, which has made it difficult for us to schedule time for requests such as this. That said, we understand this is a topic of growing importance to customers, and I have started a conversation with engineering and product management to see how we can address this across the board. I will let you know how we proceed. Kind regards, Andrew
Thank you for raising this bug. We have evaluated this request, and while we recognize that it is a valid request for the documentation, we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. If you have any concerns about this, please feel free to contact Andrew Dahms.