
Commit a5534c7

Merge pull request #67710 from xJustin/OSDOCS-8066-S3-install-permissions
2 parents 5da1297 + a3b303e commit a5534c7


1 file changed

+21
-1
lines changed


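--- a/modules/rosa-sts-account-wide-roles-and-policies.adoc
+++ b/modules/rosa-sts-account-wide-roles-and-policies.adoc
@@ -131,6 +131,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "ec2:DescribeInstanceCreditSpecifications",
 "ec2:DescribeInstances",
 "ec2:DescribeInstanceStatus",
+"ec2:DescribeInstanceTypeOfferings",
 "ec2:DescribeInstanceTypes",
 "ec2:DescribeInternetGateways",
 "ec2:DescribeKeyPairs",
@@ -142,6 +143,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "ec2:DescribeReservedInstancesOfferings",
 "ec2:DescribeRouteTables",
 "ec2:DescribeSecurityGroups",
+"ec2:DescribeSecurityGroupRules",
 "ec2:DescribeSubnets",
 "ec2:DescribeTags",
 "ec2:DescribeVolumes",
@@ -178,6 +180,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "elasticloadbalancing:DeleteTargetGroup",
 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 "elasticloadbalancing:DeregisterTargets",
+"elasticloadbalancing:DescribeAccountLimits",
 "elasticloadbalancing:DescribeInstanceHealth",
 "elasticloadbalancing:DescribeListeners",
 "elasticloadbalancing:DescribeLoadBalancerAttributes",
@@ -196,6 +199,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "iam:CreateInstanceProfile",
 "iam:DeleteInstanceProfile",
 "iam:GetInstanceProfile",
+"iam:TagInstanceProfile",
 "iam:GetRole",
 "iam:GetRolePolicy",
 "iam:GetUser",
@@ -215,6 +219,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "route53:ChangeTagsForResource",
 "route53:CreateHostedZone",
 "route53:DeleteHostedZone",
+"route53:GetAccountLimit",
 "route53:GetChange",
 "route53:GetHostedZone",
 "route53:ListHostedZones",
@@ -225,12 +230,14 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "s3:CreateBucket",
 "s3:DeleteBucket",
 "s3:DeleteObject",
+"s3:DeleteObjectVersion",
 "s3:GetAccelerateConfiguration",
 "s3:GetBucketAcl",
 "s3:GetBucketCORS",
 "s3:GetBucketLocation",
 "s3:GetBucketLogging",
 "s3:GetBucketObjectLockConfiguration",
+"s3:GetBucketPolicy",
 "s3:GetBucketReplication",
 "s3:GetBucketRequestPayment",
 "s3:GetBucketTagging",
@@ -247,6 +254,7 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "s3:ListBucketVersions",
 "s3:PutBucketAcl",
 "s3:PutBucketTagging",
+"s3:PutBucketVersioning",
 "s3:PutEncryptionConfiguration",
 "s3:PutObject",
 "s3:PutObjectAcl",
@@ -263,11 +271,23 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 "ec2:DescribeVpcEndpointServiceConfigurations",
 "ec2:DescribeVpcEndpointServicePermissions",
 "ec2:DescribeVpcEndpointServices",
-"ec2:ModifyVpcEndpointServicePermissions"
+"ec2:ModifyVpcEndpointServicePermissions",
 "kms:DescribeKey",
 "cloudwatch:GetMetricData"
 ],
 "Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": [
+"secretsmanager:GetSecretValue"
+],
+"Resource": "*",
+"Condition": {
+"StringEquals": {
+"aws:ResourceTag/red-hat-managed": "true"
+}
+}
 }
 ]
 }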
