Fixing KMS policy to not prevent mounting issues and be more granular

michaelryanmcneill · michaelryanmcneill · commit e13e2f247d43 · 2022-06-17T14:03:18.000-04:00
diff --git a/modules/rosa-sts-creating-a-cluster-with-customizations.adoc b/modules/rosa-sts-creating-a-cluster-with-customizations.adoc
@@ -63,22 +63,62 @@ $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output
 [source,json]
 ----
 {
-  "Version": "2012-10-17",
-  "Id": "key-default-1",
-  "Statement": [
-    {
-      "Sid": "Enable IAM User Permissions",
-      "Effect": "Allow",
-      "Principal": {
-        "AWS": [
-          "arn:aws:iam::<aws_account_id>:root",
-          "arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role" <1>
-        ]
-      },
-      "Action": "kms:*",
-      "Resource": "*"
-    }
-  ]
+    "Version": "2012-10-17",
+    "Id": "key-rosa-policy-1",
+    "Statement": [
+        {
+            "Sid": "Enable IAM User Permissions",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": "arn:aws:iam::<aws-account-id>:root"
+            },
+            "Action": "kms:*",
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow ROSA use of the key",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role"
+                ]
+            },
+            "Action": [
+                "kms:Encrypt",
+                "kms:Decrypt",
+                "kms:ReEncrypt*",
+                "kms:GenerateDataKey*",
+                "kms:DescribeKey"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "Allow attachment of persistent resources",
+            "Effect": "Allow",
+            "Principal": {
+                "AWS": [
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role"
+                ]
+            },
+            "Action": [
+                "kms:CreateGrant",
+                "kms:ListGrants",
+                "kms:RevokeGrant"
+            ],
+            "Resource": "*",
+            "Condition": {
+                "Bool": {
+                    "kms:GrantIsForAWSResource": "true"
+                }
+            }
+        }
+    ]
 }
 ----
 <1> You must specify the ARN for the account-wide role that will be used when you create the ROSA cluster. The ARNs listed in the section must be comma-separated.
