Bug 1403966 - [RFE][Docs] Restrict AWS IAM Roles and Permissions
Summary: [RFE][Docs] Restrict AWS IAM Roles and Permissions
Keywords:
Status: CLOSED CANTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 3.3.0
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: low
Target Milestone: ---
Target Release: ---
Assignee: Ashley Hardin
QA Contact: Chao Yang
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2016-12-12 18:14 UTC by Brennan Vincello
Modified: 2017-02-02 19:55 UTC
CC List: 7 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2017-02-02 19:55:40 UTC
Target Upstream Version:



Description Brennan Vincello 2016-12-12 18:14:43 UTC
Document URL and section: 

Section 2.5.4, Permissions for Amazon Web Services
https://access.redhat.com/articles/2623521 

Configuring for AWS
https://docs.openshift.com/container-platform/3.3/install_config/configuring_aws.html

Describe the issue: 

As an OpenShift admin, I'm running the advanced setup of the OpenShift Platform using AWS as a cloud provider. I can complete the setup using the broadest possible IAM permission set, one that allows everything. I would like to assign an IAM Role to the AWS instances (both masters and nodes), but I want to have a more restrictive set of permissions.

Suggestions for improvement: 

Could you provide a recommended set of permissions that is required to install and run the OpenShift cluster on AWS? Also, if the masters' IAM permissions are different from the ones for the nodes, could you provide two sets, one for the masters and one for the nodes?

Additional information: 

In the AWS reference architecture, Section 2.5.4, Permissions for Amazon Web Services, we see:

"The deployment of OpenShift requires a user that has the proper permissions by the AWS IAM administrator. The user must be able to create accounts, S3 buckets, roles, policies, Route53 entries, and deploy ELBs and EC2 instances. It is helpful to have delete permissions in order to be able to redeploy the environment while testing."

By implication it seems as if the required permissions would be the following:

- create accounts
- create S3 buckets
- create roles
- create policies
- create Route53 entries
- deploy ELBs
- deploy EC2 instances

However, this list doesn't appear to be explicit enough for implementation, nor does it differentiate between master and node permissions.


(Submitted on behalf of client.)

Comment 1 Takayoshi Tanaka 2016-12-22 01:32:42 UTC
Hi, is there any update?

Comment 2 Vikram Goyal 2016-12-22 01:50:36 UTC
(In reply to Takayoshi Tanaka from comment #1)
> Hi, is there any update?

Not yet. Expect this around OCP 3.4 release.

Comment 4 Scott Creeley 2017-01-31 15:54:21 UTC
Ashley,
I would reach out to the RH person/people who manage and set up the RH-DEV environments; they might have some information that could help. Dan Walsh might be a good starting point.

Comment 5 Ashley Hardin 2017-01-31 16:52:51 UTC
Thanks, Scott!

Dan, can you please help?

Comment 6 Scott Creeley 2017-02-01 13:53:13 UTC
@Ashley,
I think I put in the wrong name; Dan McPherson might be a better starting point for this.


thanks,
Scott

Comment 7 Ashley Hardin 2017-02-02 14:31:19 UTC
Thanks, Scott.

Dan, are you able to help provide guidance? Thanks!

Comment 8 Dan McPherson 2017-02-02 14:42:11 UTC
Not really.  The only way to do this is to implement a set of desired permissions and go through everything seeing what breaks, adding the needed perms, and repeating.  It's a fairly tedious process and requires development work to prove it out.  If we are going to provide the guidance, it's going to take a user story.  We can't just tell them what we do for rh-dev as that environment has lots of purposes.
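The permission-discovery loop described in comment 8 (run the cluster under a restrictive role, see which API calls are denied, add those actions, repeat) can be partly automated from CloudTrail, which records every denied call together with the role that made it. The script below is an added illustration written for this page; it is not code from the bug, from OpenShift or from Red Hat. The CloudTrail records it parses are constructed sample data, and the role names `ocp-master-role` and `ocp-node-role`, the account id and the action names appearing in them are assumptions made for the illustration only, not a statement of what OpenShift actually requires.

```python
"""Iterate toward a least-privilege IAM policy from CloudTrail denials.

Added illustration of the trial-and-error loop from comment 8.  The
records in SAMPLE_CLOUDTRAIL are constructed sample data: the role names,
account id and API actions are assumptions for the example, not the set
of permissions OpenShift needs.
"""
import json
from collections import defaultdict

# Constructed sample CloudTrail records, one JSON object per line.  One
# record (CreateVolume) succeeded and carries no errorCode; the others were
# denied and therefore name actions the calling principal does not yet have.
SAMPLE_CLOUDTRAIL = r"""
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ocp-master-role/i-0aaaa1111"}}
{"eventSource":"elasticloadbalancing.amazonaws.com","eventName":"CreateLoadBalancer","errorCode":"AccessDenied","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ocp-master-role/i-0aaaa1111"}}
{"eventSource":"ec2.amazonaws.com","eventName":"CreateVolume","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ocp-master-role/i-0aaaa1111"}}
{"eventSource":"ec2.amazonaws.com","eventName":"DescribeInstances","errorCode":"Client.UnauthorizedOperation","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ocp-node-role/i-0bbbb2222"}}
{"eventSource":"ec2.amazonaws.com","eventName":"AttachVolume","errorCode":"Client.UnauthorizedOperation","awsRegion":"us-east-1","userIdentity":{"type":"AssumedRole","arn":"arn:aws:sts::123456789012:assumed-role/ocp-node-role/i-0bbbb2222"}}
{"eventSource":"s3.amazonaws.com","eventName":"CreateBucket","errorCode":"AccessDenied","awsRegion":"us-east-1","userIdentity":{"type":"IAMUser","arn":"arn:aws:iam::123456789012:user/installer"}}
"""

# Error codes CloudTrail uses for authorization failures (EC2 uses the
# "Client." prefixed form, most other services plain AccessDenied).
DENIED_CODES = {"AccessDenied", "Client.UnauthorizedOperation", "UnauthorizedOperation"}

# A few event sources do not match their IAM service prefix; the mapping
# below is approximate and covers the common CloudWatch mismatch.
SERVICE_PREFIX_OVERRIDES = {"monitoring": "cloudwatch"}


def parse_records(text):
    """Parse newline-delimited CloudTrail JSON records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def principal_of(record):
    """Return the role name behind an assumed-role session, else the user name."""
    arn = record.get("userIdentity", {}).get("arn", "")
    if ":assumed-role/" in arn:
        # arn:aws:sts::ACCOUNT:assumed-role/ROLE/SESSION -> ROLE
        return arn.split(":assumed-role/", 1)[1].split("/", 1)[0]
    return arn.rsplit("/", 1)[-1] or "unknown"


def iam_action(record):
    """Translate eventSource + eventName into an IAM action string."""
    prefix = record["eventSource"].split(".", 1)[0]
    prefix = SERVICE_PREFIX_OVERRIDES.get(prefix, prefix)
    return f"{prefix}:{record['eventName']}"


def denied_actions(records):
    """Group denied API calls by principal: {role_name: {'ec2:DescribeInstances', ...}}."""
    denied = defaultdict(set)
    for rec in records:
        if rec.get("errorCode") in DENIED_CODES:
            denied[principal_of(rec)].add(iam_action(rec))
    return dict(denied)


def missing_actions(records, granted):
    """One round of the loop: denied actions each role does not already hold.

    `granted` maps role name -> set of actions in the role's current policy.
    Separate entries fall out naturally for masters and nodes, which is the
    split the bug asks for.
    """
    missing = {}
    for role, actions in denied_actions(records).items():
        gap = actions - granted.get(role, set())
        if gap:
            missing[role] = sorted(gap)
    return missing


def policy_document(actions):
    """Render an IAM policy granting exactly the given actions.

    Resource is left at "*" here; scoping it to specific ARNs is the next
    narrowing step once the action list has stabilised.
    """
    return {
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": sorted(actions), "Resource": "*"}],
    }


if __name__ == "__main__":
    records = parse_records(SAMPLE_CLOUDTRAIL)
    # Pretend the node role already holds DescribeInstances from an earlier round.
    current = {"ocp-node-role": {"ec2:DescribeInstances"}}
    for role, actions in missing_actions(records, current).items():
        print(f"# add to {role}")
        print(json.dumps(policy_document(actions), indent=2))
```

Each round feeds the emitted statements back into the role's policy and the cluster is exercised again; the loop ends when a full install and run produce no new denials. Because the input is the account's own CloudTrail, the same script doubles as a detection aid afterwards: a denial from a role whose action list had stabilised means either a workload change or something on the instance trying calls it was never meant to make.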
