
Commit 17c0f49

Merge pull request #8410 from r4f4/aws-granular-s3-perms
OCPBUGS-33662: aws: don't always require s3:Delete* permissions
2 parents 1203d54 + 83d928c commit 17c0f49

2 files changed

+14
-2
lines changed


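--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -45,6 +45,9 @@ const (
 
 // PermissionPublicIpv4Pool is an additional set of permissions required when the installer uses public IPv4 pools.
 PermissionPublicIpv4Pool PermissionGroup = "public-ipv4-pool"
+
+// PermissionDeleteIgnitionObjects is a permission set required when `preserveBootstrapIgnition` is not set.
+PermissionDeleteIgnitionObjects PermissionGroup = "delete-ignition-objects"
 )
 
 var permissions = map[PermissionGroup][]string{
@@ -156,7 +159,6 @@ var permissions = map[PermissionGroup][]string{
 
 // S3 related perms
 "s3:CreateBucket",
-"s3:DeleteBucket",
 "s3:GetAccelerateConfiguration",
 "s3:GetBucketAcl",
 "s3:GetBucketCors",
@@ -177,7 +179,6 @@ var permissions = map[PermissionGroup][]string{
 "s3:PutEncryptionConfiguration",
 
 // More S3 (would be nice to limit 'Resource' to just the bucket we actually interact with...)
-"s3:DeleteObject",
 "s3:GetObject",
 "s3:GetObjectAcl",
 "s3:GetObjectTagging",
@@ -201,6 +202,7 @@ var permissions = map[PermissionGroup][]string{
 "iam:ListInstanceProfiles",
 "iam:ListRolePolicies",
 "iam:ListUserPolicies",
+"s3:DeleteBucket",
 "s3:DeleteObject",
 "s3:ListBucketVersions",
 "tag:GetResources",
@@ -268,6 +270,12 @@ var permissions = map[PermissionGroup][]string{
 // Needed by terraform because of bootstrap EIP created
 "ec2:DisassociateAddress",
 },
+PermissionDeleteIgnitionObjects: {
+// Needed by terraform during the bootstrap destroy stage.
+"s3:DeleteBucket",
+// Needed by capa which always deletes the ignition objects once the VMs are up.
+"s3:DeleteObject",
+},
 }
 
 // ValidateCreds will try to create an AWS session, and also verify that the current credentials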
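Review bot: The comment on `s3:DeleteObject` in the new PermissionDeleteIgnitionObjects group (last hunk) says capa "always deletes the ignition objects once the VMs are up", which conflicts with gating the whole group on preserveBootstrapIgnition being unset: if "always" is literal, an install that sets the flag and uses a credential without s3:DeleteObject passes this check but still hits the delete at runtime. Either the comment should say that capa honours the flag, or s3:DeleteObject should stay required whenever the capa path is used regardless of the flag; which one is right is not visible from this diff. The two actions are also attributed to different provisioners (terraform for `s3:DeleteBucket`, capa for `s3:DeleteObject`), so if only one provisioner runs for a given install the group over-requests the other action, and splitting it would keep the required policy closer to least privilege. The doc comment on the new constant in the first hunk would be more useful if it named the effect rather than only the flag, e.g. `// PermissionDeleteIgnitionObjects is needed to remove the bootstrap ignition objects and their bucket; it is only checked when preserveBootstrapIgnition is unset.`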

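--- a/pkg/asset/installconfig/platformpermscheck.go
+++ b/pkg/asset/installconfig/platformpermscheck.go
@@ -102,6 +102,10 @@ func (a *PlatformPermsCheck) Generate(dependencies asset.Parents) error {
 permissionGroups = append(permissionGroups, awsconfig.PermissionPublicIpv4Pool)
 }
 
+if !ic.Config.AWS.PreserveBootstrapIgnition {
+permissionGroups = append(permissionGroups, awsconfig.PermissionDeleteIgnitionObjects)
+}
+
 ssn, err := ic.AWS.Session(ctx)
 if err != nil {
 return err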
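Review bot: The new `if !ic.Config.AWS.PreserveBootstrapIgnition` branch carries no comment on why the delete permissions are now conditional, and a reader of this check alone cannot tell that skipping them is intentional rather than an omission; a one-liner such as `// s3:Delete* is only needed when the installer will remove the bootstrap ignition objects; preserving them lets users run with a narrower policy.` would make that explicit. The branch dereferences `ic.Config.AWS` without a nil guard; the preceding condition that appends PermissionPublicIpv4Pool sits outside the hunk and presumably already dereferences the same field, but that is worth confirming if AWS is a pointer. Generate begins and ends outside this hunk.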
