
Commit b7185f7

[OSDOCS-6554]: Adds CloudFront perms for AWS STS with private bucket
1 parent f4bdaf8 commit b7185f7

File tree

1 file changed

+31
-3
lines changed

1 file changed

+31
-3
lines changed

modules/cco-ccoctl-configuring.adoc

Lines changed: 31 additions & 3 deletions
Original file line number | Diff line number | Diff line change
@@ -80,8 +80,9 @@ ifdef::aws-sts[]
8080
.Required AWS permissions
8181
[cols="a,a"]
8282
|====
83-
|`iam` permissions |`s3` permissions
83+
|Permission type |Required permissions
8484

85+
|`iam` permissions
8586
|* `iam:CreateOpenIDConnectProvider`
8687
* `iam:CreateRole`
8788
* `iam:DeleteOpenIDConnectProvider`
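Review bot: changing the header row from `|`iam` permissions |`s3` permissions` to `|Permission type |Required permissions` turns the side-by-side layout into one row per permission type, which is the right shape now that a third type is being added, and `[cols="a,a"]` must stay because the `a` cell style is what lets the bulleted lists render inside the cells. One optional style point: the first-column values (`|`iam` permissions`) repeat the word "permissions" under a "Permission type" header; `|`iam`` alone would read cleaner.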
@@ -96,6 +97,8 @@ ifdef::aws-sts[]
9697
* `iam:PutRolePolicy`
9798
* `iam:TagOpenIDConnectProvider`
9899
* `iam:TagRole`
100+
101+
|`s3` permissions
99102
|* `s3:CreateBucket`
100103
* `s3:DeleteBucket`
101104
* `s3:DeleteObject`
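Review bot: the new `|`s3` permissions` cell (lines 100-101) mirrors the `|`iam` permissions` cell introduced in the previous hunk, including the blank line before it, so the cell boundaries stay consistent across rows; no change needed here.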
@@ -106,12 +109,38 @@ ifdef::aws-sts[]
106109
* `s3:GetObjectTagging`
107110
* `s3:ListBucket`
108111
* `s3:PutBucketAcl`
112+
* `s3:PutBucketPolicy`
113+
* `s3:PutBucketPublicAccessBlock`
109114
* `s3:PutBucketTagging`
110115
* `s3:PutObject`
111116
* `s3:PutObjectAcl`
112117
* `s3:PutObjectTagging`
113118

119+
|`cloudfront` permissions
120+
|* `cloudfront:ListCloudFrontOriginAccessIdentities`
121+
* `cloudfront:ListDistributions`
122+
* `cloudfront:ListTagsForResource`
123+
114124
|====
125+
+
126+
If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the `ccoctl` utility requires the following additional permissions:
127+
+
128+
--
129+
* `cloudfront:CreateCloudFrontOriginAccessIdentity`
130+
* `cloudfront:CreateDistribution`
131+
* `cloudfront:DeleteCloudFrontOriginAccessIdentity`
132+
* `cloudfront:DeleteDistribution`
133+
* `cloudfront:GetCloudFrontOriginAccessIdentity`
134+
* `cloudfront:GetCloudFrontOriginAccessIdentityConfig`
135+
* `cloudfront:GetDistribution`
136+
* `cloudfront:TagResource`
137+
* `cloudfront:UpdateDistribution`
138+
--
139+
+
140+
[NOTE]
141+
====
142+
These additional permissions support the use of the `--create-private-s3-bucket` option when processing credentials requests with the `ccoctl aws create-all` command.
143+
====
115144
endif::aws-sts[]
116145

117146
.Procedure
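Review bot: `s3:PutBucketPolicy` and `s3:PutBucketPublicAccessBlock` (lines 112-113) are added to the always-required `s3` list, while the CloudFront create, update and delete permissions go under the paragraph conditioned on `--create-private-s3-bucket`; given that the commit message scopes this change to the private-bucket case, confirm whether those two bucket-policy permissions are needed in the default public-bucket flow or should move down into the conditional list, since a reader who grants the table verbatim otherwise gives `ccoctl` bucket-policy and public-access-block write rights it may not use. The same question applies to the three `cloudfront:List*` permissions at lines 119-122, which are now baseline; if the tool only calls them with `--create-private-s3-bucket`, the text should say so. Minor style point: the `+` and `--` open block after `|====` correctly keep the new paragraph attached to the enclosing list item, but the blank line at 123 inside the table before `|====` is unnecessary.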
@@ -158,8 +187,7 @@ $ chmod 775 ccoctl
158187
$ ccoctl --help
159188
----
160189
+
161-
.Output of `ccoctl --help`:
162-
+
190+
.Output of `ccoctl --help`
163191
[source,terminal]
164192
----
165193
OpenShift credentials provisioning tool
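Review bot: dropping the trailing colon from the block title `.Output of `ccoctl --help`` follows AsciiDoc block-title convention (the title renders as a caption, not as inline text), and collapsing the two `+` continuations into one keeps the `[source,terminal]` listing attached to the same step; looks good.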
