Merge pull request #44837 from jeana-redhat/OSDOCS-3346_AWS_ccoctl_permission_reqs

jeana-redhat · web-flow · commit d6f0057ec988 · 2022-05-04T09:58:11.000-04:00
[OSDOCS-3346]: Add AWS ccoctl permissions reqs
diff --git a/authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc b/authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc
@@ -1,6 +1,6 @@
 :_content-type: ASSEMBLY
 [id="cco-mode-sts"]
-= Using manual mode with STS
+= Using manual mode with Amazon Web Services Secure Token Service
 include::_attributes/common-attributes.adoc[]
 :context: cco-mode-sts
 
@@ -13,6 +13,9 @@ Manual mode with STS is supported for Amazon Web Services (AWS).
 This credentials strategy is supported for only new {product-title} clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature.
 ====
 
+[id="sts-mode-about"]
+== About manual mode with AWS Secure Token Service
+
 In manual mode with STS, the individual {product-title} cluster components use AWS Secure Token Service (STS) to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls.
 
 Requests for new and refreshed credentials are automated by using an appropriately configured AWS IAM OpenID Connect (OIDC) identity provider, combined with AWS IAM roles. {product-title} signs service account tokens that are trusted by AWS IAM, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour.
diff --git a/modules/cco-ccoctl-configuring.adoc b/modules/cco-ccoctl-configuring.adoc
@@ -37,6 +37,48 @@ endif::alibabacloud[]
 The `ccoctl` is a Linux binary that must run in a Linux environment.
 ====
 
+ifdef::aws-sts[]
+.Prerequisites
+
+* You have created an AWS account for the `ccoctl` to use with the following permissions:
++
+.Required AWS permissions
+[cols="a,a"]
+|====
+|`iam` permissions |`s3` permissions
+
+|* `iam:CreateOpenIDConnectProvider`
+* `iam:CreateRole`
+* `iam:DeleteOpenIDConnectProvider`
+* `iam:DeleteRole`
+* `iam:DeleteRolePolicy`
+* `iam:GetOpenIDConnectProvider`
+* `iam:GetRole`
+* `iam:GetUser`
+* `iam:ListOpenIDConnectProviders`
+* `iam:ListRolePolicies`
+* `iam:ListRoles`
+* `iam:PutRolePolicy`
+* `iam:TagOpenIDConnectProvider`
+* `iam:TagRole`
+|* `s3:CreateBucket`
+* `s3:DeleteBucket`
+* `s3:DeleteObject`
+* `s3:GetBucketAcl`
+* `s3:GetBucketTagging`
+* `s3:GetObject`
+* `s3:GetObjectAcl`
+* `s3:GetObjectTagging`
+* `s3:ListBucket`
+* `s3:PutBucketAcl`
+* `s3:PutBucketTagging`
+* `s3:PutObject`
+* `s3:PutObjectAcl`
+* `s3:PutObjectTagging`
+
+|====
+endif::aws-sts[]
+
 .Procedure
 
 . Obtain the {product-title} release image:
