Epic Goal

• Provide a mechanism/solution to track IAM permissions used by components during a cluster life cycle (install, run e2e, destroy) when deploying a cluster on AWS in a CI job, getting quickly feedback of permissions requested (created) versus required (used/API Calls), targeting to:
  • fine granted minimum permissions required
  • enable short feedback to dependent components (such as managed services to update managed IAM Roles/policies)

Why is this important?

• Contribute to fine grant minimum IAM policies used by installer to install a cluster on AWS
• Contribute to components track which permissions has been required during some exercise (e2e)
• Track IAM policy changes when bumping dependencies (such as CAPA for installer)
• Quick feedback to managed services to decrease total time to review managed policies by ROSA

Scenarios

1. ...

Acceptance Criteria

• CI - MUST be running successfully with tests automated
• Release Technical Enablement - Provide necessary release enablement details and documents.
• ...

Dependencies (internal and external)

1. ...

Previous Work (Optional):

1. …

Open questions::

1. …

Done Checklist

• CI - CI is running, tests are automated and merged.
• Release Enablement <link to Feature Enablement Presentation>
• DEV - Upstream code and tests merged: <link to meaningful PR or GitHub Issue>
• DEV - Upstream documentation merged: <link to meaningful PR or GitHub Issue>
• DEV - Downstream build attached to advisory: <link to errata>
• QE - Test plans in Polarion: <link or reference to Polarion>
• QE - Automated tests merged: <link or reference to automated tests>
• DOC - Downstream documentation merged: <link to meaningful PR>

Engineering references

• Spike with exploration of an option to provide signals in CI PR SPLAT-1816