$ rosa create oidc-config --mode auto
You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift service on AWS (ROSA) command line interface (CLI).
Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present. |
The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see Common commands and arguments. |
For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.
The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.
Run the following command with the specified permissions to create your managed OIDC provider by using auto
mode.
$ rosa create oidc-config --mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateOidcConfig",
"Effect": "Allow",
"Action": [
"iam:TagOpenIDConnectProvider",
"iam:CreateOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto
mode.
$ rosa create oidc-config --mode auto --managed=false
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:TagOpenIDConnectProvider",
"iam:ListRoleTags",
"iam:ListRoles",
"iam:CreateOpenIDConnectProvider",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutBucketTagging",
"s3:PutBucketPolicy",
"s3:PutObjectTagging",
"s3:PutBucketPublicAccessBlock",
"secretsmanager:CreateSecret",
"secretsmanager:TagResource"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your account roles.
$ rosa list account-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListAccountRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your Operator roles.
$ rosa list operator-roles
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to list your OIDC providers.
$ rosa list oidc-providers
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ListOidcProviders",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:ListOpenIDConnectProviderTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to verify your quota.
$ rosa verify quota
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VerifyQuota",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeAccountLimits",
"servicequotas:ListserviceQuotas"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete your managed OIDC configuration by using auto
mode.
$ rosa delete oidc-config -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOidcConfig",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto
mode.
$ rosa delete oidc-config -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:ListOpenIDConnectProviders",
"iam:DeleteOpenIDConnectProvider",
"secretsmanager:DeleteSecret",
"s3:ListBucket",
"s3:DeleteObject",
"s3:DeleteBucket"
],
"Resource": "*"
}
]
}
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.
Run the following command with the specified permissions to create ROSA with HCP clusters.
$ rosa create cluster --hosted-cp
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateCluster",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListRoleTags",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"ec2:DescribeSubnets",
"ec2:DescribeRouteTables",
"ec2:DescribeAvailabilityZones"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to create account and Operator roles by using auto
mode.
$ rosa create account-roles --mode auto --hosted-cp
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAccountRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:UpdateAssumeRolePolicy",
"iam:ListRoleTags",
"iam:GetPolicy",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete the account roles in auto
mode.
$ rosa delete account-roles -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteAccountRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete your Operator roles in auto
mode.
$ rosa delete operator-roles -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DeleteOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole"
],
"Resource": "*"
}
]
}
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.
Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.
$ rosa create cluster
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateCluster",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListRoleTags",
"iam:ListRoles"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to create account and Operator roles in `auto' mode.
$ rosa create account-roles --mode auto --classic
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CreateAccountOperatorRoles",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:UpdateAssumeRolePolicy",
"iam:ListRoleTags",
"iam:GetPolicy",
"iam:TagRole",
"iam:ListRoles",
"iam:CreateRole",
"iam:AttachRolePolicy",
"iam:TagPolicy",
"iam:CreatePolicy",
"iam:ListPolicyTags"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete the account roles in auto
mode.
$ rosa delete account-roles -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy"
],
"Resource": "*"
}
]
}
Run the following command with the specified permissions to delete the Operator roles in auto
mode.
$ rosa delete operator-roles -–mode auto
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:GetRole",
"iam:ListInstanceProfilesForRole",
"iam:DetachRolePolicy",
"iam:ListAttachedRolePolicies",
"iam:ListRoles",
"iam:DeleteRole",
"iam:ListRolePolicies",
"iam:GetPolicy",
"iam:ListPolicyVersions",
"iam:DeletePolicy"
],
"Resource": "*"
}
]
}
The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.
Command | Input |
---|---|
list cluster |
|
list versions |
|
describe cluster |
|
create admin |
|
list users |
|
list upgrades |
|
list OIDC configuration |
|
list identity providers |
|
list ingresses |
|
For more information about AWS roles, see IAM roles.
For more information about AWS policies and permissions, see Policies and permissions in IAM.