modules/rosa-sharing-vpc-creation-and-sharing.adoc
Lines changed: 84 additions & 20 deletions
@@ -10,35 +10,99 @@ You can share subnets within a configured VPC with another AWS user account if t
10
10
11
11
.Procedure
12
12
13
-
. From the AWS account that centrally manages your VPC, create or modify a VPC to your specifications in the link:https://us-east-1.console.aws.amazon.com/vpc/[VPC section of the AWS console]. This AWS account will be the *VPC-owning AWS account*.
14
-
. In the link:https://us-east-1.console.aws.amazon.com/iamv2/[Identity and Access Management (IAM) section of the AWS console], create a custom trust policy role for the shared VPC permissions. This role needs to have the following permissions:
15
-
* A trust policy to assume roles:
13
+
. From the AWS account that centrally manages your VPC, create or modify a VPC to your specifications in the link:https://us-east-1.console.aws.amazon.com/vpc/[VPC section of the AWS console]. This AWS account will be the *VPC-owning AWS account*.
14
+
+
15
+
. Create a custom policy file to allow for necessary Shared VPC permissions that uses the name `SharedVPCPolicy`:
You will attach this policy to a role necessary for the shared VPC permissions.
56
+
+
57
+
. Create a custom trust policy file that grants permission to assume roles:
58
+
+
59
+
[source,terminal]
60
+
----
61
+
$ cat <<EOF > /tmp/shared-vpc-role.json
62
+
{
63
+
"Version": "2012-10-17",
64
+
"Statement": [
65
+
{
66
+
"Effect": "Allow",
67
+
"Principal": {
68
+
"AWS": "arn:aws:iam::<Account-ID>:root" <1>
69
+
},
70
+
"Action": "sts:AssumeRole"
71
+
}
72
+
]
73
+
}
74
+
EOF
32
75
----
33
76
+
34
77
--
35
-
<1> The following principals are be added later in this process after the *cluster-creating AWS account* user has created these roles. On creation, you must create a root user placeholder by using the *cluster-creator's AWS Account* ID as `arn:aws:iam::{Account}:root`.
78
+
<1> The principal will be scoped down later in this process after the *cluster-creating AWS account* user has created the necessary cluster roles. On creation, you must create a root user placeholder by using the *cluster-creator's AWS Account* ID as `arn:aws:iam::{Account}:root`.
79
+
--
80
+
+
81
+
. Create the IAM role:
82
+
+
83
+
[source,terminal]
84
+
----
85
+
$ aws iam create-role --role-name <role_name> \ <1>
<1> Replace _<role_name>_ with the name of the role you created.
103
+
<2> Replace _<AWS_account_ID>_ with the *VPC-owning AWS account* ID.
36
104
--
37
-
* The `ResourceGroupandTagEditorFullAccess` permissions policy
38
-
* The `Route53minimalPermissions` permissions policy
39
105
+
40
-
After you create this IAM role, provide the created role's ARN to the cluster creator.
41
-
42
106
. In the link:https://us-east-1.console.aws.amazon.com/ram/[Resource Access Manager of the AWS console], create a Resource Share that shares the previously created public and private subnets to the *cluster-creating AWS account* ID.
43
107
44
-
After you create the Resource Share, notify the *cluster-creating AWS account* user to reserve an `openshiftapps.com` DNS domain and create Operator roles to continue configuration.
108
+
After you create the Resource Share, notify the *cluster-creating AWS account* user to reserve an `openshiftapps.com` DNS domain and create Operator roles to continue configuration.
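Review bot: The account-ID placeholder is written three different ways in this hunk, which invites a copy-and-replace mistake in a trust policy: the heredoc uses `"AWS": "arn:aws:iam::<Account-ID>:root"`, callout <1> directly under it says `arn:aws:iam::{Account}:root`, and callout <2> of the create-role step uses `_<AWS_account_ID>_`. Use one placeholder style throughout (the `_<role_name>_` form already used here) and give the two accounts distinct, self-describing names, for example `<cluster_creator_account_id>` in the trust policy and `<vpc_owner_account_id>` where callout <2> applies, because `<Account-ID>` is the cluster-creator's account while `<AWS_account_ID>` is the VPC-owning account and the names do not make that difference visible. Since the trust policy as written trusts the entire cluster-creator account root until it is narrowed, callout <1> should also state that the later scope-down to the specific cluster roles is a required step rather than an optional one. Two smaller points: callout <1> on `aws iam create-role --role-name <role_name>` says "the name of the role you created", but the role does not exist yet at that step, so "the name you want to give the role" is what is meant; and the deleted line "After you create this IAM role, provide the created role's ARN to the cluster creator." has no visible replacement in this hunk (new-file lines 86-102 are not shown), so confirm it was moved rather than dropped, as the cluster creator cannot proceed without that ARN.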