6.2. Account-wide IAM role and policy reference


This section provides details about the account-wide IAM roles and policies that are required for ROSA deployments that use STS, including the Operator policies. It also includes the JSON files that define the policies.

Account-wide roles and policies are specific to a Red Hat OpenShift Service on AWS minor release version (for example, Red Hat OpenShift Service on AWS 4) and are backward compatible with previous versions. You can minimize the required STS resources by reusing the account-wide roles and policies for multiple clusters of the same minor version, regardless of their patch version.

6.2.1. Methods of account-wide role creation

You can create the account-wide roles by using the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, or the OpenShift Cluster Manager guided installation. The roles can be created manually, or by using an automated process that uses predefined names for these roles and policies.

6.2.1.1. Manual ocm-role resource creation

You can use the manual creation method if you have the CLI access required to create these roles on your system. You can run this option from your preferred CLI tool or from OpenShift Cluster Manager. When you start the manual creation process, the CLI displays a series of commands for you to run that create the roles and link them to the required policies.

6.2.1.2. Automatic ocm-role resource creation

If you created an ocm-role resource with administrative permissions, you can use the automatic creation method from OpenShift Cluster Manager. The ROSA CLI requires this administrative ocm-role IAM resource in order to create these roles and policies automatically. If you select this method, the roles and policies are created with the default names.

If you use the ROSA guided installation in OpenShift Cluster Manager, you must have created an ocm-role resource with administrative permissions in the first step of the guided cluster installation. Without this role, you cannot use the automatic creation option for the Operator roles and policies, but you can still create the cluster and its roles and policies with the manual process.

Table 6.3 ROSA Manage Subscription policy and policy file

Resource: ROSAManageSubscription
Description: This policy simplifies permission configuration by packaging the required access rights. It gives the entity appropriate control over the ROSA subscription while preventing the granting of excessive permissions.

Table 6.4 ROSA installer role, policies, and policy files

Resource: HCP-ROSA-Installer-Role
Description: An IAM role used by the ROSA installer.

Resource: ROSAInstallerPolicy
Description: An IAM policy that provides the ROSA installer with the permissions required to complete cluster installation tasks.

Resource: HCP-ROSA-Installer-Role trust policy
Description: Grants the Red Hat installer temporary permission to operate within your AWS account for the sole purpose of setting up a Red Hat OpenShift Service on AWS cluster.

Example 6.1 sts_hcp_installer_permission_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPermissions",
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcs",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeCapacityReservations",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeLoadBalancers",
                "iam:GetOpenIDConnectProvider",
                "iam:GetRole",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:GetAccountLimit",
                "servicequotas:GetServiceQuota"
            ],
            "Resource": "*"
        },
        {
            "Sid": "PassRoleToEC2",
            "Action": [
                "iam:PassRole"
            ],
            "Resource": [
                "arn:*:iam::*:role/*-ROSA-Worker-Role"
            ],
            "Effect": "Allow",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": [
                        "ec2.amazonaws.com"
                    ]
                }
            }
        },
        {
            "Sid": "ManageInstanceProfiles",
            "Effect": "Allow",
            "Action": [
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/rosa-service-managed-*"
            ]
        },
        {
            "Sid": "CreateInstanceProfiles",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:TagInstanceProfile"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/rosa-service-managed-*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "GetSecretValue",
            "Effect": "Allow",
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "Route53ManageRecords",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Resource": "*",
            "Condition": {
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "*.openshiftapps.com",
                        "*.devshift.org",
                        "*.hypershift.local",
                        "*.openshiftusgov.com",
                        "*.devshiftusgov.com"
                    ]
                }
            }
        },
        {
            "Sid": "Route53Manage",
            "Effect": "Allow",
            "Action": [
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone"
            ],
            "Resource": "*"
        },
        {
            "Sid": "CreateTags",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "RunInstances"
                    ]
                }
            }
        },
        {
            "Sid": "RunInstancesNoCondition",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:network-interface/*",
                "arn:aws:ec2:*:*:security-group/*",
                "arn:aws:ec2:*:*:snapshot/*"
            ]
        },
        {
            "Sid": "RunInstancesRestrictedRequestTag",
            "Effect": "Allow",
            "Action": "ec2:RunInstances",
            "Resource": [
                "arn:aws:ec2:*:*:instance/*",
                "arn:aws:ec2:*:*:volume/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "RunInstancesRedHatOwnedAMIs",
            "Effect": "Allow",
            "Action": [
                "ec2:RunInstances"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:image/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:Owner": [
                        "531415883065",
                        "251351625822",
                        "210686502322"
                    ]
                }
            }
        },
        {
            "Sid": "ManageInstancesRestrictedResourceTag",
            "Effect": "Allow",
            "Action": [
                "ec2:TerminateInstances",
                "ec2:GetConsoleOutput"
            ],
            "Resource": "arn:aws:ec2:*:*:instance/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "CreateGrantRestrictedResourceTag",
            "Effect": "Allow",
            "Action": [
                "kms:CreateGrant"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat": "true"
                },
                "StringLike": {
                    "kms:ViaService": "ec2.*.amazonaws.com"
                },
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        },
        {
            "Sid": "ManagedKMSRestrictedResourceTag",
            "Effect": "Allow",
            "Action": [
                "kms:DescribeKey",
                "kms:GenerateDataKeyWithoutPlaintext"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat": "true"
                }
            }
        },
        {
            "Sid": "CreateSecurityGroups",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "DeleteSecurityGroup",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "SecurityGroupIngressEgress",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "CreateSecurityGroupsVPCNoCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*"
            ]
        },
        {
            "Sid": "CreateTagsRestrictedActions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateSecurityGroup"
                    ]
                }
            }
        },
        {
            "Sid": "CreateTagsK8sSubnet",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "ForAllValues:StringLike": {
                    "aws:TagKeys": [
                        "kubernetes.io/cluster/*"
                    ]
                }
            }
        },
        {
            "Sid": "DeleteTagsK8sSubnet",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*"
            ],
            "Condition": {
                "Null": {
                    "aws:TagKeys": "false"
                },
                "ForAllValues:StringLike": {
                    "aws:TagKeys": [
                        "kubernetes.io/cluster/*"
                    ]
                }
            }
        },
        {
            "Sid": "ListPoliciesAttachedToRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListAttachedRolePolicies",
                "iam:ListRolePolicies"
            ],
            "Resource": "arn:aws:iam::*:role/*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        }
    ]
}

Example 6.2 sts_hcp_installer_trust_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}
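The permission policy and the trust policy above are the two documents an account owner reviews before the installer role is created. The following Python script is an added example and is not part of this documentation or of the ROSA tooling. It loads a constructed excerpt of sts_hcp_installer_permission_policy.json together with sts_hcp_installer_trust_policy.json as shown above, then reports (1) every Allow statement that grants a non-read action on Resource "*" without a Condition block, which is exactly what the aws:RequestTag and aws:ResourceTag conditions in the other statements prevent, and (2) any principal allowed to assume the role beyond the expected Red Hat installer role. The "tampered" trust document and the account ID 111122223333 are invented placeholders for the demonstration; the read-only classification is a name-prefix heuristic assumed here, not an AWS-provided attribute.

```python
"""Least-privilege audit of ROSA STS policy documents (added example).

Two defender-side checks a reviewer of the policy files runs:
  1. which Allow statements grant a mutating action on Resource "*" with no
     Condition (the tag conditions such as aws:ResourceTag/red-hat-managed
     are what keep the other statements scoped);
  2. whether a role's trust policy admits only the expected principals.
The documents below are constructed excerpts of the installer policy files;
the "tampered" trust document and account 111122223333 are invented.
"""
import json

# Heuristic assumed here: actions whose API name starts with one of these
# prefixes only read state; anything else is treated as a write.
READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def as_list(value):
    """IAM accepts either a string or a list in Action, Resource and Principal fields."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def is_read_only(action):
    """True for e.g. ec2:DescribeVpcs or iam:GetRole; False for ec2:RunInstances."""
    api_name = action.split(":", 1)[-1]
    return api_name.startswith(READ_ONLY_PREFIXES)


def unconditioned_write_statements(policy):
    """Return (Sid, sorted write actions) for every Allow statement that grants a
    non-read action on Resource "*" without any Condition block."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Condition"):
            continue
        if "*" not in as_list(stmt.get("Resource")):
            continue
        writes = sorted(a for a in as_list(stmt.get("Action")) if not is_read_only(a))
        if writes:
            findings.append((stmt.get("Sid", "<no Sid>"), writes))
    return findings


def assume_role_principals(trust_policy):
    """List (principal type, principal value) pairs allowed to call sts:AssumeRole."""
    principals = []
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRole" not in as_list(stmt.get("Action")):
            continue
        for ptype, values in stmt.get("Principal", {}).items():
            principals.extend((ptype, v) for v in as_list(values))
    return principals


def unexpected_principals(trust_policy, expected):
    """Principals that may assume the role but are not in the expected set; empty means OK."""
    return [p for p in assume_role_principals(trust_policy) if p not in expected]


# Constructed excerpt of sts_hcp_installer_permission_policy.json (five of its statements).
INSTALLER_EXCERPT = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "ReadPermissions", "Effect": "Allow",
   "Action": ["ec2:DescribeVpcs", "iam:GetRole", "route53:ListHostedZones"], "Resource": "*"},
  {"Sid": "PassRoleToEC2", "Effect": "Allow", "Action": ["iam:PassRole"],
   "Resource": ["arn:*:iam::*:role/*-ROSA-Worker-Role"],
   "Condition": {"StringEquals": {"iam:PassedToService": ["ec2.amazonaws.com"]}}},
  {"Sid": "Route53ManageRecords", "Effect": "Allow", "Action": ["route53:ChangeResourceRecordSets"],
   "Resource": "*",
   "Condition": {"ForAllValues:StringLike": {
     "route53:ChangeResourceRecordSetsNormalizedRecordNames": ["*.openshiftapps.com"]}}},
  {"Sid": "Route53Manage", "Effect": "Allow",
   "Action": ["route53:ChangeTagsForResource", "route53:CreateHostedZone", "route53:DeleteHostedZone"],
   "Resource": "*"},
  {"Sid": "RunInstancesRedHatOwnedAMIs", "Effect": "Allow", "Action": ["ec2:RunInstances"],
   "Resource": ["arn:aws:ec2:*:*:image/*"],
   "Condition": {"StringEquals": {"ec2:Owner": ["531415883065"]}}}
]}
""")

# sts_hcp_installer_trust_policy.json as documented.
INSTALLER_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"},
   "Action": "sts:AssumeRole"}]}
""")
EXPECTED_INSTALLER_PRINCIPALS = [
    ("AWS", "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"),
]

# Constructed variant with an extra principal; 111122223333 is a placeholder account ID.
TAMPERED_TRUST = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow",
   "Principal": {"AWS": ["arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer",
                         "arn:aws:iam::111122223333:root"]},
   "Action": "sts:AssumeRole"}]}
""")

if __name__ == "__main__":
    for sid, actions in unconditioned_write_statements(INSTALLER_EXCERPT):
        print(f"review: {sid} allows {', '.join(actions)} on * without a Condition")
    print("documented trust policy, unexpected principals:",
          unexpected_principals(INSTALLER_TRUST, EXPECTED_INSTALLER_PRINCIPALS))
    print("tampered trust policy, unexpected principals:",
          unexpected_principals(TAMPERED_TRUST, EXPECTED_INSTALLER_PRINCIPALS))
```

On the excerpt, only Route53Manage is reported, because it is the one statement that grants write actions on "*" without a Condition; PassRoleToEC2 is scoped by iam:PassedToService, Route53ManageRecords by the normalized record names, and RunInstancesRedHatOwnedAMIs by ec2:Owner. Because the read-only test is a prefix heuristic, an action such as sts:DecodeAuthorizationMessage in the support policy would also be surfaced and needs a human decision; the purpose is to list every unconditioned write for review. The same functions can be run over the other policy files in this section after loading them with json.load.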

Table 6.5 ROSA worker node role, policy, and policy files

Resource: HCP-ROSA-Worker-Role
Description: An IAM role used by the compute instances.

Resource: ROSAWorkerInstancePolicy
Description: An IAM policy that provides the ROSA compute instances with the permissions required to manage their components.

Resource: HCP-ROSA-Worker-Role trust policy
Description: Allows critical software on the worker nodes to securely connect to and communicate with the cluster control plane, which is remotely managed by Red Hat.

Example 6.3 sts_hcp_worker_instance_permission_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EC2DescribeInstancesRegions",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
            "Resource": "*"
        },
        {
            "Sid": "ECRGetAuthorizationToken",
            "Effect": "Allow",
            "Action": ["ecr:GetAuthorizationToken"],
            "Resource": "*"
        },
        {
            "Sid": "ECRReadOnlyAccessRedHatManaged",
            "Effect": "Allow",
            "Action": [
                "ecr:BatchCheckLayerAvailability",
                "ecr:GetDownloadUrlForLayer",
                "ecr:GetRepositoryPolicy",
                "ecr:DescribeRepositories",
                "ecr:ListImages",
                "ecr:DescribeImages",
                "ecr:BatchGetImage",
                "ecr:ListTagsForResource"
            ],
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        }
    ]
}

Example 6.4 sts_hcp_worker_instance_trust_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "Service": "ec2.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Table 6.6 ROSA support role, policy, and policy files

Resource: HCP-ROSA-Support-Role
Description: An IAM role used by the Red Hat Site Reliability Engineering (SRE) support team.

Resource: ROSASRESupportPolicy
Description: An IAM policy that provides the Red Hat SRE support team with the permissions required to support ROSA clusters.

Resource: HCP-ROSA-Support-Role trust policy
Description: Provides a secure mechanism for authorized Red Hat Site Reliability Engineers (SREs) to perform diagnostic and support functions on the cluster.

Example 6.5 sts_hcp_support_permission_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeRegions",
        "sts:DecodeAuthorizationMessage"
      ],
      "Resource": "*"
    },
    {
      "Sid": "Route53",
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZones",
        "route53:ListHostedZonesByName",
        "route53:ListResourceRecordSets"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DecribeIAMRoles",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "iam:ListRoles"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "EC2DescribeInstance",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeIamInstanceProfileAssociations",
        "ec2:DescribeReservedInstances",
        "ec2:DescribeScheduledInstances"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "VPCNetwork",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Cloudtrail",
      "Effect": "Allow",
      "Action": [
        "cloudtrail:DescribeTrails",
        "cloudtrail:LookupEvents"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "Cloudwatch",
      "Effect": "Allow",
      "Action": [
        "cloudwatch:GetMetricData",
        "cloudwatch:GetMetricStatistics",
        "cloudwatch:ListMetrics"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DescribeVolumes",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DescribeLoadBalancers",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeAccountLimits",
        "elasticloadbalancing:DescribeInstanceHealth",
        "elasticloadbalancing:DescribeListenerCertificates",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeRules",
        "elasticloadbalancing:DescribeSSLPolicies",
        "elasticloadbalancing:DescribeTags",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DescribeVPC",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVpcEndpointConnections",
        "ec2:DescribeVpcEndpoints"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "DescribeSecurityGroups",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeSecurityGroupReferences",
        "ec2:DescribeSecurityGroupRules",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeStaleSecurityGroups"
      ],
      "Resource": "*"
    },
    {
      "Sid": "DescribeAddressesAttribute",
      "Effect": "Allow",
      "Action": "ec2:DescribeAddressesAttribute",
      "Resource": "arn:aws:ec2:*:*:elastic-ip/*"
    },
    {
      "Sid": "DescribeInstance",
      "Effect": "Allow",
      "Action": [
        "iam:GetInstanceProfile"
      ],
      "Resource": "arn:aws:iam::*:instance-profile/*",
      "Condition": {
        "StringEquals": {
            "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "DescribeSpotFleetInstances",
      "Effect": "Allow",
      "Action": "ec2:DescribeSpotFleetInstances",
      "Resource": "arn:aws:ec2:*:*:spot-fleet-request/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "DescribeVolumeAttribute",
      "Effect": "Allow",
      "Action": "ec2:DescribeVolumeAttribute",
      "Resource": "arn:aws:ec2:*:*:volume/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "ManageInstanceLifecycle",
      "Effect": "Allow",
      "Action": [
        "ec2:RebootInstances",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances"
      ],
      "Resource": "arn:aws:ec2:*:*:instance/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    }
  ]
}

Example 6.6 sts_hcp_support_trust_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {
                "AWS": "arn:aws:iam::710019948333:role/RH-Technical-Support-15234082"
            },
            "Action": "sts:AssumeRole"
        }
    ]
}

Table 6.7 ROSA Kube Controller Operator policy and policy file

Resource: openshift-hcp-kube-controller-manager-credentials
Description: An IAM policy that grants the kube controller the permissions to manage Amazon EC2, Elastic Load Balancing, and AWS KMS resources.

Example 6.7 openshift-hcp_kube-controller-manager-credentials-policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPermissions",
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeInstances",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "elasticloadbalancing:DescribeLoadBalancers",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "elasticloadbalancing:DescribeListeners",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:DescribeLoadBalancerPolicies"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "KMSDescribeKey",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat": "true"
        }
      }
    },
    {
      "Sid": "LoadBalanacerManagement",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:AddTags",
        "elasticloadbalancing:ConfigureHealthCheck",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "elasticloadbalancing:DeleteLoadBalancer",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer"
      ],
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CreateTargetGroup",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:CreateTargetGroup"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "LoadBalanacerManagementResourceTag",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:RegisterTargets",
        "elasticloadbalancing:ModifyTargetGroup",
        "elasticloadbalancing:DeleteTargetGroup",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "elasticloadbalancing:ModifyListener",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateListeners",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:CreateListener"
      ],
      "Resource": [
        "*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true",
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateSecurityGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateSecurityGroupVpc",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:vpc/*"
      ]
    },
    {
      "Sid": "CreateLoadBalancer",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:CreateLoadBalancer"
      ],
      "Resource": [
        "arn:aws:elasticloadbalancing:*:*:loadbalancer/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "ModifySecurityGroup",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateTagsSecurityGroups",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": "CreateSecurityGroup"
        }
      }
    }
  ]
}

Table 6.8 ROSA Control Plane Operator policy and policy file

Resource: openshift-hcp-control-plane-operator-credentials-policy
Description: An IAM policy that grants the Control Plane Operator the permissions required to manage Amazon EC2 and Route 53 resources.

Example 6.8 openshift_hcp_control_plane_operator_credentials_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ReadPermissions",
            "Action": [
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:DescribeSecurityGroups",
                "route53:ListHostedZones"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Sid": "CreateSecurityGroups",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "DeleteSecurityGroup",
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "SecurityGroupIngressEgress",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupEgress"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "CreateSecurityGroupsVPCNoCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateSecurityGroup"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*"
            ]
        },
        {
            "Sid": "ListResourceRecordSets",
            "Action": [
                "route53:ListResourceRecordSets"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ]
        },
        {
            "Sid": "ChangeResourceRecordSetsRestrictedRecordNames",
            "Action": [
                "route53:ChangeResourceRecordSets"
            ],
            "Effect": "Allow",
            "Resource": [
                "*"
            ],
            "Condition": {
                "ForAllValues:StringLike": {
                    "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
                        "*.hypershift.local"
                    ]
                }
            }
        },
        {
            "Sid": "VPCEndpointWithCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc-endpoint/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:RequestTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "VPCEndpointResourceTagCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:security-group*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "VPCEndpointNoCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc/*",
                "arn:aws:ec2:*:*:subnet/*",
                "arn:aws:ec2:*:*:route-table/*"
            ]
        },
        {
            "Sid": "ManageVPCEndpointWithCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyVpcEndpoint",
                "ec2:DeleteVpcEndpoints"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc-endpoint/*"
            ],
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        },
        {
            "Sid": "ModifyVPCEndpoingNoCondition",
            "Effect": "Allow",
            "Action": [
                "ec2:ModifyVpcEndpoint"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:subnet/*"
            ]
        },
        {
            "Sid": "CreateTagsRestrictedActions",
            "Effect": "Allow",
            "Action": [
                "ec2:CreateTags"
            ],
            "Resource": [
                "arn:aws:ec2:*:*:vpc-endpoint/*",
                "arn:aws:ec2:*:*:security-group/*"
            ],
            "Condition": {
                "StringEquals": {
                    "ec2:CreateAction": [
                        "CreateVpcEndpoint",
                        "CreateSecurityGroup"
                    ]
                }
            }
        }
    ]
}

Table 6.9 ROSA Node Pool Management Operator policy and policy file

Resource: openshift-hcp-capa-controller-manager-credentials-policy
Description: An IAM policy that grants the NodePool controller the permissions required to describe, run, and terminate the Amazon EC2 instances that are managed as worker nodes. This policy also grants the permissions that allow disk encryption of the worker node root volumes with AWS KMS keys, and the permission to tag the Elastic Network Interfaces attached to the worker nodes.

Example 6.9 openshift_hcp_capa_controller_manager_credentials_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ReadPermissions",
      "Action": [
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeImages",
        "ec2:DescribeInstances",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeNetworkInterfaces",
        "ec2:DescribeNetworkInterfaceAttribute",
        "ec2:DescribeRouteTables",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs"
      ],
      "Effect": "Allow",
      "Resource": [
        "*"
      ]
    },
    {
      "Sid": "CreateServiceLinkedRole",
      "Action": [
        "iam:CreateServiceLinkedRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:*:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"
      ],
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
        }
      }
    },
    {
      "Sid": "PassWorkerRole",
      "Action": [
        "iam:PassRole"
      ],
      "Effect": "Allow",
      "Resource": [
        "arn:*:iam::*:role/*-ROSA-Worker-Role"
      ],
      "Condition": {
        "StringEquals": {
          "iam:PassedToService": [
            "ec2.amazonaws.com"
          ]
        }
      }
    },
    {
      "Sid": "AuthorizeSecurityGroupIngressRestrictedResourceTag",
      "Effect": "Allow",
      "Action": [
        "ec2:AuthorizeSecurityGroupIngress"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:security-group-rule/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "NetworkInterfaces",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "NetworkInterfacesNoCondition",
      "Effect": "Allow",
      "Action": [
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:vpc/*"
      ]
    },
    {
      "Sid": "TerminateInstances",
      "Effect": "Allow",
      "Action": [
        "ec2:TerminateInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateTags",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "RunInstances"
          ]
        }
      }
    },
    {
      "Sid": "CreateTagsCAPAControllerReconcileNetworkInterface",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateTagsCAPAControllerReconcileInstance",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateTagsCAPAControllerReconcileVolume",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "RunInstancesRequest",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "RunInstancesNoCondition",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:network-interface/*",
        "arn:aws:ec2:*:*:subnet/*",
        "arn:aws:ec2:*:*:security-group/*",
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:capacity-reservation/*"
      ]
    },
    {
      "Sid": "RunInstancesRedHatAMI",
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:image/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:Owner": [
            "531415883065",
            "251351625822"
          ]
        }
      }
    },
    {
      "Sid": "ManagedKMSRestrictedResourceTag",
      "Effect": "Allow",
      "Action": [
        "kms:DescribeKey",
        "kms:GenerateDataKeyWithoutPlaintext"
      ],
      "Resource": "*",
      "Condition": {
        "StringLike": {
          "aws:ResourceTag/red-hat": "true"
        }
      }
    },
    {
      "Sid": "CreateGrantRestricted",
      "Effect": "Allow",
      "Action": [
        "kms:CreateGrant"
      ],
      "Resource": "*",
      "Condition": {
        "Bool": {
          "kms:GrantIsForAWSResource": true
        },
        "StringEquals": {
          "aws:ResourceTag/red-hat": "true"
        },
        "StringLike": {
          "kms:ViaService": "ec2.*.amazonaws.com"
        }
      }
    }
  ]
}
Table 6.10 ROSA Image Registry Operator policy and policy file

Resource: openshift-hcp-image-registry-operator-permission-policy

Description: IAM policy that grants the Image Registry Operator the permissions required to provision and manage resources for the image registry and its dependent services (including S3) in a ROSA cluster. It is required so that the Operator can install and maintain the internal registry of a ROSA cluster.

Example 6.10 openshift_hcp_image_registry_operator_permission_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "ListBuckets",
      "Effect": "Allow",
      "Action": [
        "s3:ListBucket",
        "s3:ListBucketMultipartUploads"
      ],
      "Resource": "*"
    },
    {
      "Sid": "AllowSpecificBucketActions",
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:GetBucketTagging",
        "s3:GetBucketPublicAccessBlock",
        "s3:GetEncryptionConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketLocation",
        "s3:PutBucketPublicAccessBlock",
        "s3:PutBucketTagging",
        "s3:PutEncryptionConfiguration",
        "s3:PutLifecycleConfiguration"
      ],
      "Resource": [
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}-*",
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}?",
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}"
      ]
    },
    {
      "Sid": "AllowSpecificObjectActions",
      "Effect": "Allow",
      "Action": [
        "s3:AbortMultipartUpload",
        "s3:DeleteObject",
        "s3:GetObject",
        "s3:ListMultipartUploadParts",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}-*/*",
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}?/*",
        "arn:aws:s3:::*-image-registry-${aws:RequestedRegion}/*"
      ]
    }
  ]
}
Table 6.11 ROSA Amazon EBS CSI Driver Operator policy and policy file

Resource: openshift-hcp-cluster-csi-driver-ebs-operator-cloud-credentials-policy

Description: IAM policy that grants the Amazon EBS CSI Driver Operator the permissions required to install and maintain the Amazon EBS CSI driver in a ROSA cluster.

Example 6.11 openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeSnapshots",
        "ec2:DescribeTags",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumesModifications"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:AttachVolume",
        "ec2:DetachVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:instance/*",
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteVolume",
        "ec2:ModifyVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateVolumeFromSnapshot",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateVolume"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:snapshot/*"
      ]
    },
    {
      "Sid": "CreateSnapshotResourceTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Sid": "CreateSnapshotRequestTag",
      "Effect": "Allow",
      "Action": [
        "ec2:CreateSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:snapshot/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:RequestTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteSnapshot"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:snapshot/*"
      ],
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CreateTags"
      ],
      "Resource": [
        "arn:aws:ec2:*:*:volume/*",
        "arn:aws:ec2:*:*:snapshot/*"
      ],
      "Condition": {
        "StringEquals": {
          "ec2:CreateAction": [
            "CreateVolume",
            "CreateSnapshot"
          ]
        }
      }
    }
  ]
}
Table 6.12 ROSA Cloud Network Config Operator policy and policy file

Resource: openshift-hcp-cloud-network-config-cloud-credentials-permission-policy

Description: IAM policy that grants the Amazon EBS CSI Driver Operator the permissions required to install and maintain the Amazon EBS CSI driver in a ROSA cluster.

Example 6.12 openshift_hcp_cloud_network_config_cloud_credentials_permission_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeSubnets",
        "ec2:DescribeNetworkInterfaces"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:UnassignPrivateIpAddresses",
        "ec2:AssignPrivateIpAddresses",
        "ec2:UnassignIpv6Addresses",
        "ec2:AssignIpv6Addresses"
      ],
      "Resource": "arn:aws:ec2:*:*:network-interface/*",
      "Condition": {
        "StringEquals": {
          "aws:ResourceTag/red-hat-managed": "true"
        }
      }
    }
  ]
}
Table 6.13 ROSA Ingress Operator policy and policy file

Resource: openshift-hcp-cluster-ingress-operator-cloud-credentials-policy

Description: IAM policy that provides the ROSA Ingress Operator with the permissions required to manage external access to the cluster.

Example 6.13 openshift_hcp_cluster_ingress_operator_cloud_credentials_policy.json

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:DescribeLoadBalancers",
        "route53:ListHostedZones",
        "tag:GetResources"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:ChangeResourceRecordSets"
      ],
      "Resource": "*",
      "Condition": {
        "ForAllValues:StringLike": {
          "route53:ChangeResourceRecordSetsNormalizedRecordNames": [
            "*.openshiftapps.com",
            "*.devshift.org",
            "*.openshiftusgov.com",
            "*.devshiftusgov.com"
          ]
        }
      }
    }
  ]
}
Table 6.14 ROSA KMS Provider Operator policy and policy file

Resource: openshift-hcp-kms-provider-credential-policy

Description: IAM policy that grants the built-in AWS Encryption Provider the permissions required to manage the AWS KMS key that backs etcd data encryption. This policy allows Amazon EC2 to encrypt and decrypt etcd data using the KMS key supplied by the AWS Encryption Provider.

Example 6.14 openshift_hcp_kms_provider_credential_policy.json

{
    "Version": "2012-10-17",
    "Statement": [
      {
        "Sid": "VolumeEncryption",
        "Effect": "Allow",
        "Action": [
          "kms:Encrypt",
          "kms:Decrypt",
          "kms:DescribeKey"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/red-hat": "true"
          }
        }
      }
    ]
}
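The Operator policies above all scope their write actions with the same tag conventions: aws:ResourceTag/red-hat-managed for resources that already exist, aws:RequestTag/red-hat-managed for resources being created, and ec2:CreateAction for tagging only as part of a creation call. The following Python script is an added example, not Red Hat's code or part of the ROSA CLI; it classifies each statement of a policy document by that scoping so that a statement allowing write actions on "*" with no condition stands out during review. The embedded policy is a constructed, trimmed copy of the NodePool controller policy shape plus one deliberately over-broad statement (OverBroad) that no ROSA policy contains.

```python
import json

# Constructed sample (not a Red Hat file): a trimmed copy of the NodePool
# controller policy shape plus one over-broad statement ("OverBroad").
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "ReadPermissions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeSubnets"],
         "Resource": ["*"]},
        {"Sid": "TerminateInstances", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}},
        {"Sid": "RunInstancesRequest", "Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"aws:RequestTag/red-hat-managed": "true"}}},
        {"Sid": "RunInstancesNoCondition", "Effect": "Allow",
         "Action": ["ec2:RunInstances"],
         "Resource": ["arn:aws:ec2:*:*:subnet/*", "arn:aws:ec2:*:*:volume/*"]},
        {"Sid": "CreateTags", "Effect": "Allow",
         "Action": ["ec2:CreateTags"],
         "Resource": ["arn:aws:ec2:*:*:instance/*"],
         "Condition": {"StringEquals": {"ec2:CreateAction": ["RunInstances"]}}},
        {"Sid": "OverBroad", "Effect": "Allow",
         "Action": ["ec2:TerminateInstances"],
         "Resource": "*"},
    ],
})

READ_ONLY_PREFIXES = ("Describe", "Get", "List")

def _as_list(value):
    # IAM accepts either a string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]

def condition_keys(statement):
    """Flatten a Condition block into the set of condition keys it tests."""
    keys = set()
    for operator_map in statement.get("Condition", {}).values():
        keys.update(operator_map)
    return keys

def classify(statement):
    """Label one Allow statement by how its actions are scoped."""
    actions = _as_list(statement.get("Action", []))
    if all(a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES) for a in actions):
        return "read-only"
    keys = condition_keys(statement)
    if any(k.startswith("aws:ResourceTag/") for k in keys):
        return "existing-resource-tag"   # only resources already tagged
    if any(k.startswith("aws:RequestTag/") for k in keys):
        return "request-tag"             # only resources created with the tag
    if "ec2:CreateAction" in keys:
        return "tag-on-create"           # tagging only as part of creation
    if "*" in _as_list(statement.get("Resource", [])):
        return "unconditioned-wildcard"  # write on any resource, no condition
    return "arn-scoped-only"             # limited by resource type, not by tag

def audit(policy_json):
    """Map each Allow statement's Sid (or index) to its scoping label."""
    policy = json.loads(policy_json)
    return {st.get("Sid", f"statement-{i}"): classify(st)
            for i, st in enumerate(policy["Statement"])
            if st.get("Effect") == "Allow"}

def unconditioned_wildcards(policy_json):
    """Sids that allow write actions on "*" with no condition: review these."""
    return sorted(sid for sid, label in audit(policy_json).items()
                  if label == "unconditioned-wildcard")
```

Run audit() over any of the policy files listed in this section to see which statements rely on tag conditions and which are bounded only by resource type.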

6.2.2. Account-wide IAM role and policy AWS CLI reference

This section lists the aws CLI commands that the rosa command generates in the terminal. The commands can be run in either manual mode or auto mode.

6.2.2.1. Using manual mode for account role creation

In manual role creation mode, the aws commands are generated for you to review and run. The process starts with the following command. <openshift_version> refers to the Red Hat OpenShift Service on AWS (ROSA) version, for example 4.

$ rosa create account-roles --mode manual
Note

The example commands provided include the ManagedOpenShift prefix. If you do not specify a custom prefix with the --prefix option, ManagedOpenShift is the default prefix.

Command output

aws iam create-role \
	--role-name ManagedOpenShift-Installer-Role \
	--assume-role-policy-document file://sts_installer_trust_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=installer

aws iam put-role-policy \
	--role-name ManagedOpenShift-Installer-Role \
	--policy-name ManagedOpenShift-Installer-Role-Policy \
	--policy-document file://sts_installer_permission_policy.json

aws iam create-role \
	--role-name ManagedOpenShift-ControlPlane-Role \
	--assume-role-policy-document file://sts_instance_controlplane_trust_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_controlplane

aws iam put-role-policy \
	--role-name ManagedOpenShift-ControlPlane-Role \
	--policy-name ManagedOpenShift-ControlPlane-Role-Policy \
	--policy-document file://sts_instance_controlplane_permission_policy.json

aws iam create-role \
	--role-name ManagedOpenShift-Worker-Role \
	--assume-role-policy-document file://sts_instance_worker_trust_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=instance_worker

aws iam put-role-policy \
	--role-name ManagedOpenShift-Worker-Role \
	--policy-name ManagedOpenShift-Worker-Role-Policy \
	--policy-document file://sts_instance_worker_permission_policy.json

aws iam create-role \
	--role-name ManagedOpenShift-Support-Role \
	--assume-role-policy-document file://sts_support_trust_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=rosa_role_type,Value=support

aws iam put-role-policy \
	--role-name ManagedOpenShift-Support-Role \
	--policy-name ManagedOpenShift-Support-Role-Policy \
	--policy-document file://sts_support_permission_policy.json

aws iam create-policy \
	--policy-name ManagedOpenShift-openshift-ingress-operator-cloud-credentials \
	--policy-document file://openshift_ingress_operator_cloud_credentials_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-ingress-operator Key=operator_name,Value=cloud-credentials

aws iam create-policy \
	--policy-name ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent \
	--policy-document file://openshift_cluster_csi_drivers_ebs_cloud_credentials_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-cluster-csi-drivers Key=operator_name,Value=ebs-cloud-credentials

aws iam create-policy \
	--policy-name ManagedOpenShift-openshift-machine-api-aws-cloud-credentials \
	--policy-document file://openshift_machine_api_aws_cloud_credentials_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-machine-api Key=operator_name,Value=aws-cloud-credentials

aws iam create-policy \
	--policy-name ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede \
	--policy-document file://openshift_cloud_credential_operator_cloud_credential_operator_iam_ro_creds_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-cloud-credential-operator Key=operator_name,Value=cloud-credential-operator-iam-ro-creds

aws iam create-policy \
	--policy-name ManagedOpenShift-openshift-image-registry-installer-cloud-creden \
	--policy-document file://openshift_image_registry_installer_cloud_credentials_policy.json \
	--tags Key=rosa_openshift_version,Value=<openshift_version> Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-image-registry Key=operator_name,Value=installer-cloud-credentials

6.2.2.2. Using auto mode for role creation

When you add the --mode auto argument, the Red Hat OpenShift Service on AWS (ROSA) CLI (rosa) creates the roles and policies for you. The following command starts that process.

$ rosa create account-roles --mode auto
Note

The example commands provided include the ManagedOpenShift prefix. If you do not specify a custom prefix with the --prefix option, ManagedOpenShift is the default prefix.

Command output

I: Creating roles using 'arn:aws:iam::<ARN>:user/<UserID>'
? Create the 'ManagedOpenShift-Installer-Role' role? Yes
I: Created role 'ManagedOpenShift-Installer-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Installer-Role'
? Create the 'ManagedOpenShift-ControlPlane-Role' role? Yes
I: Created role 'ManagedOpenShift-ControlPlane-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-ControlPlane-Role'
? Create the 'ManagedOpenShift-Worker-Role' role? Yes
I: Created role 'ManagedOpenShift-Worker-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Worker-Role'
? Create the 'ManagedOpenShift-Support-Role' role? Yes
I: Created role 'ManagedOpenShift-Support-Role' with ARN 'arn:aws:iam::<ARN>:role/ManagedOpenShift-Support-Role'
? Create the operator policies? Yes
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent'
I: Created policy with ARN 'arn:aws:iam::<ARN>:policy/ManagedOpenShift-openshift-cloud-network-config-controller-cloud'
I: To create a cluster with these roles, run the following command:
rosa create cluster --sts
© 2025 Red Hat