Uploaded image for project: 'OpenShift Request For Enhancement'
  1. OpenShift Request For Enhancement
  2. RFE-2237

Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator

XMLWordPrintable

    • False
    • False

      1. Proposed title of this feature request
      Limit Scope of AWS IAM Permissions Generated by Cloud-Credential-Operator.

      2. What is the nature and description of the request?
      Please review the current IAM permissions provided by the CCO to meet the minimal requirements for running OpenShift.

      For example, the IAM user for the `aws-ebs-csi-driver-operator` has the following permissions provided:

      ~~~
      {
      "Version": "2012-10-17",
      "Statement": [

      { "Effect": "Allow", "Action": [ "ec2:AttachVolume", "ec2:CreateSnapshot", "ec2:CreateTags", "ec2:CreateVolume", "ec2:DeleteSnapshot", "ec2:DeleteTags", "ec2:DeleteVolume", "ec2:DescribeInstances", "ec2:DescribeSnapshots", "ec2:DescribeTags", "ec2:DescribeVolumes", "ec2:DescribeVolumesModifications", "ec2:DetachVolume", "ec2:ModifyVolume" ], "Resource": "*" }

      ,

      { "Effect": "Allow", "Action": [ "iam:GetUser" ], "Resource": "arn:aws:iam::326747146819:user/yuzu-x428b-aws-ebs-csi-driver-operator-cbnjk" }

      ]
      }
      ~~~

      The request is, where possible, to add the "aws:SourceVpc" permission limitations that force credentials to be used just from inside the VPC.

      3. Why does the customer need this? (List the business requirements here)
      Security concerns about the scope of permissions provided by the CCO

      4. List any affected packages or components.
      CloudCredentialOperator

              julim Ju Lim
              rhn-support-mwasher Michael Washer (Inactive)
              Votes:
              0 Vote for this issue
              Watchers:
              6 Start watching this issue

                Created:
                Updated:
                Resolved: