OpenShift Request For Enhancement
RFE-2237

Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator


      1. Proposed title of this feature request
      Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator.

      2. What is the nature and description of the request?
      Please review the IAM permissions currently generated by the CCO so that they cover only the minimal requirements for running OpenShift.

      For example, the IAM user for the `aws-ebs-csi-driver-operator` has the following permissions provided:

      ~~~
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Action": [
              "ec2:AttachVolume",
              "ec2:CreateSnapshot",
              "ec2:CreateTags",
              "ec2:CreateVolume",
              "ec2:DeleteSnapshot",
              "ec2:DeleteTags",
              "ec2:DeleteVolume",
              "ec2:DescribeInstances",
              "ec2:DescribeSnapshots",
              "ec2:DescribeTags",
              "ec2:DescribeVolumes",
              "ec2:DescribeVolumesModifications",
              "ec2:DetachVolume",
              "ec2:ModifyVolume"
            ],
            "Resource": "*"
          },
          {
            "Effect": "Allow",
            "Action": [
              "iam:GetUser"
            ],
            "Resource": "arn:aws:iam::326747146819:user/yuzu-x428b-aws-ebs-csi-driver-operator-cbnjk"
          }
        ]
      }
      ~~~

      The request is, where possible, to add a condition on the `aws:SourceVpc` key to the generated policies so that the credentials can only be used from inside the cluster's VPC.
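      As an added illustration (not part of the RFE or of the Cloud-Credential-Operator's code), the snippet below takes the policy quoted above and attaches an `aws:SourceVpc` condition to the EC2 statement only; the VPC id and the `restrict_to_vpc` helper are assumptions. The `iam:GetUser` statement is deliberately left alone, because `aws:SourceVpc` is only present in the request context when the call goes through a VPC endpoint, so applying it to a call that does not would turn the Allow into an effective deny.

```python
import copy
import json

# The CCO-generated policy quoted in the RFE (account id and user name as on the page).
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags",
                "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags",
                "ec2:DeleteVolume", "ec2:DescribeInstances", "ec2:DescribeSnapshots",
                "ec2:DescribeTags", "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications", "ec2:DetachVolume",
                "ec2:ModifyVolume",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": ["iam:GetUser"],
            "Resource": "arn:aws:iam::326747146819:user/yuzu-x428b-aws-ebs-csi-driver-operator-cbnjk",
        },
    ],
}


def restrict_to_vpc(policy: dict, vpc_id: str, prefixes=("ec2:",)) -> dict:
    """Return a copy of `policy` in which every Allow statement whose actions all
    belong to the services in `prefixes` gets a StringEquals condition on
    aws:SourceVpc. Other statements (here iam:GetUser) are left untouched, since
    the key is only populated for requests that traverse a VPC endpoint."""
    hardened = copy.deepcopy(policy)
    for stmt in hardened["Statement"]:
        actions = stmt["Action"] if isinstance(stmt["Action"], list) else [stmt["Action"]]
        if stmt["Effect"] == "Allow" and all(a.startswith(prefixes) for a in actions):
            cond = stmt.setdefault("Condition", {})
            cond.setdefault("StringEquals", {})["aws:SourceVpc"] = vpc_id
    return hardened


if __name__ == "__main__":
    # vpc-0123456789abcdef0 is a placeholder, not a value taken from the RFE.
    print(json.dumps(restrict_to_vpc(ORIGINAL_POLICY, "vpc-0123456789abcdef0"), indent=2))
```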

      3. Why does the customer need this? (List the business requirements here)
      Security concerns about the scope of permissions provided by the CCO

      4. List any affected packages or components.
      CloudCredentialOperator

            julim (Ju Lim)
            rhn-support-mwasher (Michael Washer)