ROSA CLI permissions

Author: mletalie

_topic_maps/_topic_map_rosa.yml

@@ -516,6 +516,9 @@ Topics:
     File: rosa-checking-acct-version-cli
   - Name: Checking logs with the ROSA CLI
     File: rosa-checking-logs-cli
+  - Name: Least privilege permissions for ROSA CLI commands
+    File: rosa-cli-permission-examples
+
 ---
 Name: Red Hat OpenShift Cluster Manager
 Dir: ocm

cli_reference/rosa_cli/rosa-cli-permission-examples.adoc

@@ -0,0 +1,27 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/attributes-openshift-dedicated.adoc[]
+[id="rosa-cli-permission-examples"]
+= Least privilege permissions for ROSA CLI commands
+:context: rosa-cli-permission-examples
+toc::[]
+
+You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the {product-title} (ROSA) command line interface (CLI).
+
+[NOTE]
+====
+The examples listed cover several of the most common ROSA CLI commands.
+For more information regarding ROSA CLI commands, see xref:../../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-common-commands_rosa-managing-objects-cli[Common commands and arguments].
+====
+
+For more information about configuring permissions, policies, and roles in the AWS console, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html[AWS Identity and Access Management] in the AWS documentation.
+
+include::modules/rosa-cli-hcp-classic-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-hcp-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-classic-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-no-permissions-required.adoc[leveloffset=+1]
+[role="_additional-resources"]
+[id="additional-resources_min-permissions-required"]
+== Additional resources
+
+* For more information about AWS roles, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html[IAM roles].
+* For more information about AWS policies and permissions, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM].

modules/rosa-cli-classic-examples.adoc

@@ -0,0 +1,81 @@
+// Module included in the following assemblies:
+//
+// * rosa_cli/rosa-cli-permission-examples.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="rosa-cli-classic-examples_{context}"]
+= Least privilege permissions for common ROSA Classic CLI commands
+
+The following examples show the least privilege permissions needed for the most common ROSA CLI commands  when building ROSA Classic clusters.
+
+[id="rosa-min-permissions-required-classic_{context}"]
+== Create a cluster
+
+Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.
+
+.Input
+[source,terminal]
+----
+$ rosa create cluster
+----
+.Minimum permissions
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateCluster",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListRoleTags",
+                "iam:ListRoles"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-create-account-operator-roles-classic_{context}"]
+== Create account roles and Operator roles
+
+Run the following command with the specified permissions to create account and Operator roles in `auto' mode.
+
+.Input
+[source,terminal]
+----
+$ rosa create account-roles --mode auto
+----
+.Minimum permissions
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateAccountOperatorRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:UpdateAssumeRolePolicy",
+                "iam:ListRoleTags",
+                "iam:GetPolicy",
+                "iam:TagRole",
+                "iam:ListRoles",
+                "iam:CreateRole",
+                "iam:AttachRolePolicy",
+                "iam:TagPolicy",
+                "iam:CreatePolicy",
+                "iam:ListPolicyTags"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----

modules/rosa-cli-hcp-classic-examples.adoc

@@ -0,0 +1,256 @@
+// Module included in the following assemblies:
+//
+// * rosa_cli/rosa-cli-permission-examples.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="rosa-cli-hcp-classic-examples_{context}"]
+= Least privilege permissions for common ROSA CLI commands
+
+The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
+
+[id="rosa-create-OIDC-providers-hcp-classic_{context}"]
+== Create an OpenID Connect (OIDC) provider
+Run the following command with the specified permissions to create your OIDC provider by using `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa create oidc-config --mode auto
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateOidcConfig",
+            "Effect": "Allow",
+            "Action": [
+                "iam:TagOpenIDConnectProvider",
+                "iam:CreateOpenIDConnectProvider"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+[id="rosa-list-account-roles-hcp-classic_{context}"]
+== List your account roles
+Run the following command with the specified permissions to list your account roles.
+
+.Input
+[source,terminal]
+----
+$ rosa list account-roles
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListAccountRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ListRoleTags",
+                "iam:ListRoles"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+[id="rosa-list-operator-roles-hcp-classic_{context}"]
+== List your Operator roles
+Run the following command with the specified permissions to list your Operator roles.
+
+.Input
+[source,terminal]
+----
+$ rosa list operator-roles
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListOperatorRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ListRoleTags",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRoles",
+                "iam:ListPolicyTags"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-list-OIDC-providers-hcp-classic_{context}"]
+== List your OIDC providers
+
+Run the following command with the specified permissions to list your OIDC providers.
+
+.Input
+[source,terminal]
+----
+$ rosa list oidc-providers
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "ListOidcProviders",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ListOpenIDConnectProviders",
+                "iam:ListOpenIDConnectProviderTags"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+[id="rosa-verify-quota-hcp-classic_{context}"]
+== Verify your quota
+
+Run the following command with the specified permissions to verify your quota.
+
+.Input
+[source,terminal]
+----
+$ rosa verify quota
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VerifyQuota",
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:DescribeAccountLimits",
+                "servicequotas:ListServiceQuotas"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-delete-account-roles-hcp-classic_{context}"]
+== Delete your account roles
+
+Run the following command with the specified permissions to delete the account roles in `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa delete account-roles -–mode auto
+----
+.Minimum permissions
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DeleteAccountRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListInstanceProfilesForRole",
+                "iam:DetachRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRoles",
+                "iam:DeleteRole",
+                "iam:ListRolePolicies"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-delete-operator-roles-hcp-classic_{context}"]
+== Delete your Operator roles
+
+Run the following command with the specified permissions to delete your Operator roles in `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa delete operator-roles -–mode auto
+----
+.Minimum permissions
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DeleteOperatorRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:DetachRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRoles",
+                "iam:DeleteRole"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-delete-oidc-config-hcp-classic_{context}"]
+== Delete your OIDC configuration
+
+Run the following command with the specified permissions to delete your OIDC configuration by using `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa delete oidc-config -–mode auto
+----
+.Minimum permissions
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DeleteOidcConfig",
+            "Effect": "Allow",
+            "Action": [
+                "iam:ListOpenIDConnectProviders",
+                "iam:DeleteOpenIDConnectProvider"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+