Bug 1304457 - Detailed AWS Provider Rights
Summary: Detailed AWS Provider Rights
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: Red Hat CloudForms Management Engine
Classification: Red Hat
Component: Documentation
Version: 5.5.0
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: GA
Target Release: cfme-future
Assignee: Red Hat CloudForms Documentation
QA Contact: Red Hat CloudForms Documentation
URL:
Whiteboard: cloud:ec2
Depends On:
Blocks:
 
Reported: 2016-02-03 16:39 UTC by Colin Arnott
Modified: 2020-03-11 15:01 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2018-10-10 12:26:55 UTC
Category: ---
Cloudforms Team: ---
Target Upstream Version:
Embargoed:




Links:
Red Hat Knowledge Base (Solution) 2430321 (Private: 0, Priority: None, Status: None, Summary: None, Last Updated: 2016-09-15 19:38:09 UTC)

Description Colin Arnott 2016-02-03 16:39:36 UTC
Description of problem:
When setting up AWS as a CloudProvider, instructions state that the AWS rights "[s]hould have privileged access, such as root or administrator". This is not feasible in all cases and more detailed breakdown of required rights is needed.

Actual results:
root or administrator rights are said to be required for AWS CloudProvider setup.

Expected results:
Explicit rights should be enumerated for AWS CloudProvider setup.

Comment 5 Colin Arnott 2016-02-10 15:37:36 UTC
I was able to generate the following policy, that from my testing, appears to enable all required CloudForms functionality:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "apigateway:*"
            ],
            "Resource": "arn:aws:apigateway:*::/*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:*",
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStack*",
                "cloudformation:UpdateStack",
                "cloudwatch:*",
                "ec2:*",
                "ecs:*",
                "elasticloadbalancing:*",
                "iam:ListInstanceProfiles",
                "iam:ListRoles",
                "iam:PassRole",
                "sns:*"
            ],
            "Resource": "*"
        }
    ]
}

Note that the policy is a composite of the following:

AmazonEC2FullAccess
AmazonAPIGatewayAdministrator
AmazonEC2ContainerServiceFullAccess
AmazonSNSFullAccess
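
The following Python is an added example for this page, not code from the bug report or from CloudForms. It takes the policy document posted in Comment 5, evaluates (action, resource) pairs against it the way a single IAM policy is evaluated (explicit Deny wins, otherwise any matching Allow; wildcard matching on actions is case-insensitive, on resources case-sensitive; Condition blocks are ignored because the posted policy has none), lists every Allow entry that is a wildcard action or applies to Resource "*", and shows one way to scope iam:PassRole down to named roles and the service that may receive them. The account ID, role name and service in the scoping call are placeholders: the page does not say which roles CloudForms actually needs to pass.

```python
"""Offline review of the IAM policy posted in Comment 5.

Added example for this bug page, not code from the bug report or from
CloudForms. The account ID, role name and service used below are
placeholders; which roles CloudForms must pass is not stated on the page.
"""
import copy
from fnmatch import fnmatchcase

# The composite policy from Comment 5, as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["apigateway:*"],
         "Resource": "arn:aws:apigateway:*::/*"},
        {"Effect": "Allow",
         "Action": ["autoscaling:*", "cloudformation:CreateStack",
                    "cloudformation:DeleteStack", "cloudformation:DescribeStack*",
                    "cloudformation:UpdateStack", "cloudwatch:*", "ec2:*", "ecs:*",
                    "elasticloadbalancing:*", "iam:ListInstanceProfiles",
                    "iam:ListRoles", "iam:PassRole", "sns:*"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    """IAM accepts either a scalar or a list for Action and Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def statements(policy):
    """Yield (index, effect, actions, resources) with scalars normalised to lists."""
    stmts = policy["Statement"]
    stmts = [stmts] if isinstance(stmts, dict) else stmts
    for i, s in enumerate(stmts):
        yield i, s.get("Effect"), _as_list(s.get("Action")), _as_list(s.get("Resource"))


def is_allowed(policy, action, resource):
    """Evaluate one policy document: an explicit Deny wins, otherwise any Allow.

    Action matching is case-insensitive like IAM; resource matching is
    case-sensitive. Condition blocks are ignored (Comment 5 has none), so a
    conditioned Allow is treated as if its condition held.
    """
    decision = False
    for _, effect, actions, resources in statements(policy):
        action_hit = any(fnmatchcase(action.lower(), a.lower()) for a in actions)
        resource_hit = any(fnmatchcase(resource, r) for r in resources)
        if not (action_hit and resource_hit):
            continue
        if effect == "Deny":
            return False
        decision = True
    return decision


def broad_grants(policy):
    """Allow entries that deserve a second look: wildcard actions or Resource "*".

    Returns (statement index, action pattern, resource_is_star) tuples.
    """
    findings = []
    for i, effect, actions, resources in statements(policy):
        if effect != "Allow":
            continue
        star = "*" in resources
        for a in actions:
            if a.endswith("*") or star:
                findings.append((i, a, star))
    return findings


def with_scoped_passrole(policy, role_arns, services):
    """Return a copy in which iam:PassRole is limited to role_arns and to the
    services allowed to receive them (iam:PassedToService condition).

    The caller supplies the role list; the page does not name the roles.
    """
    new = copy.deepcopy(policy)
    for s in new["Statement"]:
        if isinstance(s.get("Action"), list) and "iam:PassRole" in s["Action"]:
            s["Action"].remove("iam:PassRole")
    new["Statement"].append({
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": list(role_arns),
        "Condition": {"StringEquals": {"iam:PassedToService": list(services)}},
    })
    return new


if __name__ == "__main__":
    for idx, act, star in broad_grants(POLICY):
        print(f"statement {idx}: {act}" + ("  (Resource: *)" if star else ""))
    # Placeholder account ID and role name; replace with the real ones.
    scoped = with_scoped_passrole(
        POLICY, ["arn:aws:iam::123456789012:role/cfme-instance-role"],
        ["ec2.amazonaws.com"])
    print(is_allowed(scoped, "iam:PassRole",
                     "arn:aws:iam::123456789012:role/admin"))  # False
```

Running it lists all 14 Allow entries as broad (the `apigateway:*` one because of the wildcard action, the other 13 because the statement applies to every resource), which is where a least-privilege review of this policy starts. `is_allowed` only models a single identity policy; resource policies, SCPs and permission boundaries are out of scope.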

Comment 6 Greg Blomquist 2016-02-19 20:22:19 UTC
Josh, it sounds like we should publish this as the official policy.  What are your thoughts?

Comment 8 Colin Arnott 2016-09-08 12:45:34 UTC
Document URL: 
https://access.redhat.com/documentation/en/red-hat-cloudforms/4.1/managing-providers/#adding_amazon_ec2_providers

Section Number and Name: 
3.3.1.7 Adding Amazon EC2 Providers: security credentials

Describe the issue: 
The AWS provider currently provides no requirements for privilege level on the authenticating access key; my security standards prevent me from giving carte blanche access to my AWS environment. Can you please enumerate the permissions required by CFME so that I can use least privilege when creating the CFME user for my AWS environment.

Suggestions for improvement: 
Add a section indicating required permissions for the AWS provider.

Additional information:

Comment 12 Andrew Dahms 2017-03-06 05:06:13 UTC
Removing Les Williams from the CC list, and moving back to 'NEW' while assigned to the default assignee.

Comment 13 Andrew Dahms 2017-05-15 01:32:02 UTC
Hi Colin,

Thank you for raising this bug.

My apologies for the delay it has taken for us to respond, but we have had a strong need to focus on feature-related content over the past release or so, which has made it difficult for us to schedule time for requests such as this.

That said, we understand this is a topic of growing importance to customers, and I have started a conversation with engineering and product management to see how we can address this across the board.

I will let you know how we proceed.

Kind regards,

Andrew

Comment 14 Andrew Dahms 2018-10-10 12:26:55 UTC
Thank you for raising this bug.

We have evaluated this request, and while we recognize that it is a valid request for the documentation, we do not expect this to be implemented in the product in the foreseeable future. We are therefore closing this out as WONTFIX. 

If you have any concerns about this, please feel free to contact Andrew Dahms.

