coreos-assembler

mantle: Document platform permission requirements

Open arithx opened this issue 6 years ago • 2 comments

The individual permissions required to perform the different commands on different platforms should be documented. Initially providing a bulk set of permissions required for the entire mantle suite would be sufficient but ultimately we should document exactly what permissions are required for each command.

arithx avatar Mar 06 '19 17:03 arithx

FWIW, while debugging the RHCOS pipeline, we determined the following permissions necessary for ore aws upload (might cover additional ore aws operations):

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:ListAllMyBuckets"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:DeleteObject",
        "s3:GetBucketLocation",
        "s3:GetObject",
        "s3:ListBucket",
        "s3:PutObject"
      ],
      "Resource": [
        "arn:aws:s3:::mys3bucket",
        "arn:aws:s3:::mys3bucket/*"
      ]
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:PutRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CancelConversionTask",
        "ec2:CancelExportTask",
        "ec2:CreateImage",
        "ec2:CreateInstanceExportTask",
        "ec2:CreateTags",
        "ec2:DeleteTags",
        "ec2:DescribeConversionTasks",
        "ec2:DescribeExportTasks",
        "ec2:DescribeInstanceAttribute",
        "ec2:DescribeInstanceStatus",
        "ec2:DescribeInstances",
        "ec2:DescribeTags",
        "ec2:ImportInstance",
        "ec2:ImportVolume",
        "ec2:StartInstances",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ImportImage",
        "ec2:ImportSnapshot",
        "ec2:DescribeImportImageTasks",
        "ec2:DescribeImportSnapshotTasks",
        "ec2:CancelImportTask"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ec2:CopyImage",
        "ec2:CopySnapshot",
        "ec2:CreateTags",
        "ec2:Describe*",
        "ec2:ImportSnapshot",
        "ec2:ModifyImageAttribute",
        "ec2:ModifySnapshotAttribute",
        "ec2:RegisterImage"
      ],
      "Resource": "*"
    }
  ]
}

Bulk of the permissions come from - https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#iam-permissions-image

miabbott avatar Mar 08 '19 20:03 miabbott
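As an added example (not code from the mantle project or from this thread), the following Python checker takes the policy document quoted above and answers the two questions a reviewer of a least-privilege policy asks: does it grant every action/resource pair a command needs, and which mutating actions does it grant on `Resource: "*"` that could be scoped down? The list of required calls is a constructed sample, not derived from `ore`'s source; the evaluator implements only wildcard action/resource matching and explicit Deny precedence, and ignores `Condition`, `NotAction`, `NotResource` and `Principal` elements (an assumption that is fine for this policy, which uses none of them). It shows, for instance, why `ec2:DescribeImages` is allowed although it never appears literally: it is covered by the `ec2:Describe*` wildcard, and action matching in IAM is case-insensitive.

```python
import re

# The IAM policy quoted in the comment above, transcribed as a Python dict so the checker runs offline.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListAllMyBuckets"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:DeleteObject", "s3:GetBucketLocation",
                    "s3:GetObject", "s3:ListBucket", "s3:PutObject"],
         "Resource": ["arn:aws:s3:::mys3bucket", "arn:aws:s3:::mys3bucket/*"]},
        {"Effect": "Allow", "Action": ["iam:CreateRole", "iam:PutRolePolicy"], "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:CancelConversionTask", "ec2:CancelExportTask", "ec2:CreateImage",
                    "ec2:CreateInstanceExportTask", "ec2:CreateTags", "ec2:DeleteTags",
                    "ec2:DescribeConversionTasks", "ec2:DescribeExportTasks",
                    "ec2:DescribeInstanceAttribute", "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstances", "ec2:DescribeTags", "ec2:ImportInstance",
                    "ec2:ImportVolume", "ec2:StartInstances", "ec2:StopInstances",
                    "ec2:TerminateInstances", "ec2:ImportImage", "ec2:ImportSnapshot",
                    "ec2:DescribeImportImageTasks", "ec2:DescribeImportSnapshotTasks",
                    "ec2:CancelImportTask"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:CopyImage", "ec2:CopySnapshot", "ec2:CreateTags", "ec2:Describe*",
                    "ec2:ImportSnapshot", "ec2:ModifyImageAttribute",
                    "ec2:ModifySnapshotAttribute", "ec2:RegisterImage"],
         "Resource": "*"},
    ],
}


def _as_list(value):
    # IAM allows Action/Resource to be a single string or a list; normalise to a list.
    return value if isinstance(value, list) else [value]


def _iam_match(pattern, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' matches exactly one.
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def is_allowed(policy, action, resource):
    """Simplified evaluator (assumption): an explicit Deny wins, otherwise any matching Allow grants.
    Condition, NotAction, NotResource and Principal are not handled."""
    allowed = False
    for stmt in policy["Statement"]:
        # Action names are case-insensitive in IAM; ARNs are compared case-sensitively.
        action_hit = any(_iam_match(p, action, True) for p in _as_list(stmt.get("Action", [])))
        resource_hit = any(_iam_match(p, resource, False) for p in _as_list(stmt.get("Resource", [])))
        if not (action_hit and resource_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_permissions(policy, required):
    """Return the (action, resource) pairs from `required` that the policy does not grant."""
    return [(a, r) for a, r in required if not is_allowed(policy, a, r)]


READ_ONLY_PREFIXES = ("describe", "get", "list")


def unscoped_mutating_actions(policy):
    """Every non-read-only action granted on Resource "*": the candidates for tighter scoping."""
    found = set()
    for stmt in policy["Statement"]:
        if stmt["Effect"] != "Allow" or "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            verb = action.split(":", 1)[1].lower() if ":" in action else action.lower()
            if not verb.startswith(READ_ONLY_PREFIXES):
                found.add(action)
    return sorted(found)


# Constructed sample of calls an image uploader might make; not derived from ore's source.
SAMPLE_REQUIRED = [
    ("s3:PutObject", "arn:aws:s3:::mys3bucket/images/rhcos.vmdk"),
    ("ec2:ImportSnapshot", "*"),
    ("ec2:DescribeImportSnapshotTasks", "*"),
    ("ec2:RegisterImage", "*"),
    ("ec2:DescribeImages", "*"),                                # covered only by ec2:Describe*
    ("s3:PutObject", "arn:aws:s3:::otherbucket/rhcos.vmdk"),   # wrong bucket: must be refused
    ("ec2:RunInstances", "*"),                                  # never granted: must be refused
]

if __name__ == "__main__":
    for action, resource in missing_permissions(POLICY, SAMPLE_REQUIRED):
        print(f"NOT ALLOWED: {action} on {resource}")
    print("Mutating actions granted on Resource *:")
    print("  " + ", ".join(unscoped_mutating_actions(POLICY)))
```

Feeding a real policy is a matter of `json.load`-ing it into `POLICY`. The second report is the useful one for this issue: every `ec2:*` and `iam:*` grant in the quoted document is on `Resource: "*"`, so whoever documents per-command requirements can use the output as the list of actions to try to constrain to tagged resources or specific ARNs, while the `s3:` grants already show the scoped form.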

We evaluated this issue and decided to keep it open for now.

c4rt0 avatar Aug 31 '23 14:08 c4rt0