Created
June 5, 2021 05:58
-
-
Save ruo91/d68ddea20ebdf7901620f9a7d3ed0291 to your computer and use it in GitHub Desktop.
OpenShift v4x - Required AWS permissions for the IAM user
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| /* | |
| - RefURL | |
| https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account | |
| - Required EC2 permissions for installation | |
| file: ocp4-ec2-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "ec2:AllocateAddress", | |
| "ec2:AssociateAddress", | |
| "ec2:AuthorizeSecurityGroupEgress", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CopyImage", | |
| "ec2:CreateNetworkInterface", | |
| "ec2:AttachNetworkInterface", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateTags", | |
| "ec2:CreateVolume", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteSnapshot", | |
| "ec2:DeleteTags", | |
| "ec2:DeregisterImage", | |
| "ec2:DescribeAccountAttributes", | |
| "ec2:DescribeAddresses", | |
| "ec2:DescribeAvailabilityZones", | |
| "ec2:DescribeDhcpOptions", | |
| "ec2:DescribeImages", | |
| "ec2:DescribeInstanceAttribute", | |
| "ec2:DescribeInstanceCreditSpecifications", | |
| "ec2:DescribeInstances", | |
| "ec2:DescribeInstanceTypes", | |
| "ec2:DescribeInternetGateways", | |
| "ec2:DescribeKeyPairs", | |
| "ec2:DescribeNatGateways", | |
| "ec2:DescribeNetworkAcls", | |
| "ec2:DescribeNetworkInterfaces", | |
| "ec2:DescribePrefixLists", | |
| "ec2:DescribeRegions", | |
| "ec2:DescribeRouteTables", | |
| "ec2:DescribeSecurityGroups", | |
| "ec2:DescribeSubnets", | |
| "ec2:DescribeTags", | |
| "ec2:DescribeVolumes", | |
| "ec2:DescribeVpcAttribute", | |
| "ec2:DescribeVpcClassicLink", | |
| "ec2:DescribeVpcClassicLinkDnsSupport", | |
| "ec2:DescribeVpcEndpoints", | |
| "ec2:DescribeVpcs", | |
| "ec2:GetEbsDefaultKmsKeyId", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:ModifyNetworkInterfaceAttribute", | |
| "ec2:ReleaseAddress", | |
| "ec2:RevokeSecurityGroupEgress", | |
| "ec2:RevokeSecurityGroupIngress", | |
| "ec2:RunInstances", | |
| "ec2:TerminateInstances" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required permissions for creating network resources during installation | |
| If you use an existing VPC, your account does not require these permissions for creating network resources. | |
| file: ocp4-ec2-network-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "ec2:AssociateDhcpOptions", | |
| "ec2:AssociateRouteTable", | |
| "ec2:AttachInternetGateway", | |
| "ec2:CreateDhcpOptions", | |
| "ec2:CreateInternetGateway", | |
| "ec2:CreateNatGateway", | |
| "ec2:CreateRoute", | |
| "ec2:CreateRouteTable", | |
| "ec2:CreateSubnet", | |
| "ec2:CreateVpc", | |
| "ec2:CreateVpcEndpoint", | |
| "ec2:ModifySubnetAttribute", | |
| "ec2:ModifyVpcAttribute" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required Elastic Load Balancing permissions for installation | |
| file: ocp4-elb-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | |
| "elasticloadbalancing:AttachLoadBalancerToSubnets", | |
| "elasticloadbalancing:ConfigureHealthCheck", | |
| "elasticloadbalancing:CreateListener", | |
| "elasticloadbalancing:CreateLoadBalancer", | |
| "elasticloadbalancing:CreateLoadBalancerListeners", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:DeleteLoadBalancer", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:DescribeInstanceHealth", | |
| "elasticloadbalancing:DescribeListeners", | |
| "elasticloadbalancing:DescribeLoadBalancerAttributes", | |
| "elasticloadbalancing:DescribeLoadBalancers", | |
| "elasticloadbalancing:DescribeTags", | |
| "elasticloadbalancing:DescribeTargetGroupAttributes", | |
| "elasticloadbalancing:DescribeTargetHealth", | |
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesOfListener" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required IAM permissions for installation | |
| If you have not created an elastic load balancer (ELB) in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRole permission. | |
| file: ocp4-iam-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "iam:AddRoleToInstanceProfile", | |
| "iam:CreateInstanceProfile", | |
| "iam:CreateRole", | |
| "iam:DeleteInstanceProfile", | |
| "iam:DeleteRole", | |
| "iam:DeleteRolePolicy", | |
| "iam:GetInstanceProfile", | |
| "iam:GetRole", | |
| "iam:GetRolePolicy", | |
| "iam:GetUser", | |
| "iam:ListInstanceProfilesForRole", | |
| "iam:ListRoles", | |
| "iam:ListUsers", | |
| "iam:PassRole", | |
| "iam:PutRolePolicy", | |
| "iam:RemoveRoleFromInstanceProfile", | |
| "iam:SimulatePrincipalPolicy", | |
| "iam:TagRole" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required Route 53 permissions for installation | |
| file: ocp4-route53-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "route53:ChangeResourceRecordSets", | |
| "route53:ChangeTagsForResource", | |
| "route53:CreateHostedZone", | |
| "route53:DeleteHostedZone", | |
| "route53:GetChange", | |
| "route53:GetHostedZone", | |
| "route53:ListHostedZones", | |
| "route53:ListHostedZonesByName", | |
| "route53:ListResourceRecordSets", | |
| "route53:ListTagsForResource", | |
| "route53:UpdateHostedZoneComment" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required S3 permissions for installation | |
| file: ocp4-s3-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "s3:CreateBucket", | |
| "s3:DeleteBucket", | |
| "s3:GetAccelerateConfiguration", | |
| "s3:GetBucketAcl", | |
| "s3:GetBucketCors", | |
| "s3:GetBucketLocation", | |
| "s3:GetBucketLogging", | |
| "s3:GetBucketObjectLockConfiguration", | |
| "s3:GetBucketReplication", | |
| "s3:GetBucketRequestPayment", | |
| "s3:GetBucketTagging", | |
| "s3:GetBucketVersioning", | |
| "s3:GetBucketWebsite", | |
| "s3:GetEncryptionConfiguration", | |
| "s3:GetLifecycleConfiguration", | |
| "s3:GetReplicationConfiguration", | |
| "s3:ListBucket", | |
| "s3:PutBucketAcl", | |
| "s3:PutBucketTagging", | |
| "s3:PutEncryptionConfiguration" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - S3 permissions that cluster Operators require | |
| file: ocp4-s3-cluster-operator-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "s3:DeleteObject", | |
| "s3:GetObject", | |
| "s3:GetObjectAcl", | |
| "s3:GetObjectTagging", | |
| "s3:GetObjectVersion", | |
| "s3:PutObject", | |
| "s3:PutObjectAcl", | |
| "s3:PutObjectTagging" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required permissions to delete base cluster resources | |
| file: ocp4-cluster-delete-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "autoscaling:DescribeAutoScalingGroups", | |
| "ec2:DeleteNetworkInterface", | |
| "ec2:DeleteVolume", | |
| "elasticloadbalancing:DeleteTargetGroup", | |
| "elasticloadbalancing:DescribeTargetGroups", | |
| "iam:DeleteAccessKey", | |
| "iam:DeleteUser", | |
| "iam:ListAttachedRolePolicies", | |
| "iam:ListInstanceProfiles", | |
| "iam:ListRolePolicies", | |
| "iam:ListUserPolicies", | |
| "s3:DeleteObject", | |
| "s3:ListBucketVersions", | |
| "tag:GetResources" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required permissions to delete network resources | |
| If you use an existing VPC, your account does not require these permissions to delete network resources. Instead, your account only requires the tag:UntagResources permission to delete network resources. | |
| file: ocp4-ec2-delete-network-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "ec2:DeleteDhcpOptions", | |
| "ec2:DeleteInternetGateway", | |
| "ec2:DeleteNatGateway", | |
| "ec2:DeleteRoute", | |
| "ec2:DeleteRouteTable", | |
| "ec2:DeleteSubnet", | |
| "ec2:DeleteVpc", | |
| "ec2:DeleteVpcEndpoints", | |
| "ec2:DetachInternetGateway", | |
| "ec2:DisassociateRouteTable", | |
| "ec2:ReplaceRouteTableAssociation" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Additional IAM and S3 permissions that are required to create manifests | |
| file: ocp4-iam-s3-create-manifest-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "iam:CreateAccessKey", | |
| "iam:CreateUser", | |
| "iam:DeleteAccessKey", | |
| "iam:DeleteUser", | |
| "iam:DeleteUserPolicy", | |
| "iam:GetUserPolicy", | |
| "iam:ListAccessKeys", | |
| "iam:PutUserPolicy", | |
| "iam:TagUser", | |
| "iam:GetUserPolicy", | |
| "iam:ListAccessKeys", | |
| "s3:PutBucketPublicAccessBlock", | |
| "s3:GetBucketPublicAccessBlock", | |
| "s3:PutLifecycleConfiguration", | |
| "s3:HeadBucket", | |
| "s3:ListBucketMultipartUploads", | |
| "s3:AbortMultipartUpload" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Optional permissions for instance and quota checks for installation | |
| file: ocp4-ec2-instance-quota-check-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "ec2:DescribeInstanceTypeOfferings", | |
| "servicequotas:ListAWSDefaultServiceQuotas" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } | |
| /* | |
| - Required IAM role permissions for control plane instance profiles. | |
| file: ocp4-iam-role-control-plane-instance-permissions.json | |
| */ | |
| { | |
| "Version": "2012-10-17", | |
| "Statement": [ | |
| { | |
| "Action": [ | |
| "sts:AssumeRole", | |
| "ec2:AttachVolume", | |
| "ec2:AuthorizeSecurityGroupIngress", | |
| "ec2:CreateSecurityGroup", | |
| "ec2:CreateTags", | |
| "ec2:CreateVolume", | |
| "ec2:DeleteSecurityGroup", | |
| "ec2:DeleteVolume", | |
| "ec2:Describe*", | |
| "ec2:DetachVolume", | |
| "ec2:ModifyInstanceAttribute", | |
| "ec2:ModifyVolume", | |
| "ec2:RevokeSecurityGroupIngress", | |
| "elasticloadbalancing:AddTags", | |
| "elasticloadbalancing:AttachLoadBalancerToSubnets", | |
| "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer", | |
| "elasticloadbalancing:CreateListener", | |
| "elasticloadbalancing:CreateLoadBalancer", | |
| "elasticloadbalancing:CreateLoadBalancerPolicy", | |
| "elasticloadbalancing:CreateLoadBalancerListeners", | |
| "elasticloadbalancing:CreateTargetGroup", | |
| "elasticloadbalancing:ConfigureHealthCheck", | |
| "elasticloadbalancing:DeleteListener", | |
| "elasticloadbalancing:DeleteLoadBalancer", | |
| "elasticloadbalancing:DeleteLoadBalancerListeners", | |
| "elasticloadbalancing:DeleteTargetGroup", | |
| "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", | |
| "elasticloadbalancing:DeregisterTargets", | |
| "elasticloadbalancing:Describe*", | |
| "elasticloadbalancing:DetachLoadBalancerFromSubnets", | |
| "elasticloadbalancing:ModifyListener", | |
| "elasticloadbalancing:ModifyLoadBalancerAttributes", | |
| "elasticloadbalancing:ModifyTargetGroup", | |
| "elasticloadbalancing:ModifyTargetGroupAttributes", | |
| "elasticloadbalancing:RegisterInstancesWithLoadBalancer", | |
| "elasticloadbalancing:RegisterTargets", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer", | |
| "elasticloadbalancing:SetLoadBalancerPoliciesOfListener", | |
| "kms:DescribeKey" | |
| ], | |
| "Resource": "*", | |
| "Effect": "Allow", | |
| "Sid": "1" | |
| } | |
| ] | |
| } |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment