OpenShift Installer / CORS-1515

Validate documented list of credential permissions for AWS

    • Type: Epic
    • Resolution: Done
    • Priority: Major
    • openshift-4.12
    • BU Product Work
    • Status: Done
    • Parent: OCPSTRAT-250 - Document Cloud Provider Permissions
    • Impediment
    • Progress: 0% To Do, 0% In Progress, 100% Done

      Goal:

      As an administrator, I would like to know the minimum list of credential permissions required for AWS and what each permission is needed for. This will allow me to create a custom role with only the minimal permissions needed for installing OpenShift (Day 1) and for operating the cluster (Day 2).

      Problem:

      In many organizations, permissions are tightly controlled by security teams, which makes it difficult for some users to get credentials created with the proper set of permissions. Customers need to know the mandatory set of permissions for installing OpenShift (Day 1) and only what is additionally needed for operating the cluster (Day 2).

      Why is this important:

      • Many of our customers have organizational security policies that restrict credentials to minimal permissions, and these policies conflict with the documented list of permissions needed for OpenShift. Customers need the explicit, minimal list of permissions needed for deploying and running OpenShift, and what each is used for, so they can request the right permissions. Without this information, adoption of OpenShift 4 is blocked in many cases.

      Lifecycle Information:

      • Core

      Previous Work:

      Dependencies:

      • Installer [both UPI & IPI Workflows]
      • Control Plane
        • Kube Controller Manager
      • Compute [Managed Identity]
      • Cloud API enabled components
        • Cloud Credential Operator
        • Machine API
        • Internal Registry
        • Ingress
      • ?

      Prioritized epics + deliverables (in scope / not in scope):

      • Ensure required permissions are regularly validated for AWS in CI

      Related:

      Estimate (XS, S, M, L, XL, XXL):

      Customers: All customers deploying OpenShift 4 to AWS

      Open Questions:

      People: Julio Faerman, Marcos Entenza Garcia, Yunfei Jiang