Chapter 1. Adding additional constraints for IP-based AWS role assumption

Procedure

1. Sign in to the AWS Management Console using your AWS account credentials.
2. Navigate to the IAM service.
3. In the IAM console, select Policies from the left navigation menu.
4. Click Create policy.
5. Select the JSON tab to define the policy using JSON format.

6. To get the IP addresses required for the JSON policy document, run the following command:

   $ ocm get /api/clusters_mgmt/v1/trusted_ip_addresses

   Note

   These IP addresses are not permanent and can change. Regularly review the API output and update the JSON policy document.

7. Copy and paste the following policy_document.json file into the editor:

   {
       "Version": "2012-10-17",
       "Statement": [
           {
               "Effect": "Deny",
               "Action": "*",
               "Resource": "*",
               "Condition": {
                   "NotIpAddress": {
                       "aws:SourceIp": []
                   },
                   "Bool": {
                       "aws:ViaAWSService": "false"
                   }
               }
           }
       ]
   }

8. Copy and paste all of the IP addresses, which you got in Step 6, into the "aws:SourceIp": [] array in your policy_document.json file.
9. Click Review and create.
10. Provide a name and description for the policy, and review the details for accuracy.

11. Click Create policy to save the policy.

    Note

    Set the aws:ViaAWSService condition key to false to ensure that subsequent calls succeed after your initial call. For example, if you do not set aws:ViaAWSService to false and run aws ec2 describe-instances, some follow-up calls can fail. It applies to subsequent calls that you make within the AWS API server to retrieve information about the Elastic Block Store (EBS) volumes attached to the EC2 instance. The subsequent calls fail because they originate from AWS IP addresses that are not included in the AllowList.

Procedure

1. Navigate to the IAM console in the AWS Management Console.

2. Select the default IAM ManagedOpenShift-Support-Role role to attach the policy.

   Note

   You can change the default IAM ManagedOpenShift-Support-Role role. For more information about roles, see Red Hat support access.

3. In the Permissions tab, select Add Permissions or Create inline policy from the Add Permissions drop-down list.

4. Search for the policy you created earlier by:

   1. Entering the policy name.
   2. Filtering by the appropriate category.

5. Select the policy and click Attach policy.

   Important

   To prevent IP-based role assumption, keep the allowlisted IPs up-to-date. Outdated IPs can block Red Hat site reliability engineering (SRE) from accessing your account and affect your Service Level Agreement (SLA).