Merge pull request #73430 from mletalie/OSDOCS-3498

[OSDOCS-3498]ROSA STS docs: least-privilege user IAM for CLI user

Author: EricPonvelle

_topic_maps/_topic_map_rosa.yml

@@ -516,6 +516,9 @@ Topics:
     File: rosa-checking-acct-version-cli
   - Name: Checking logs with the ROSA CLI
     File: rosa-checking-logs-cli
+  - Name: Least privilege permissions for ROSA CLI commands
+    File: rosa-cli-permission-examples
+
 ---
 Name: Red Hat OpenShift Cluster Manager
 Dir: ocm

cli_reference/rosa_cli/rosa-cli-permission-examples.adoc

@@ -0,0 +1,32 @@
+:_mod-docs-content-type: ASSEMBLY
+include::_attributes/attributes-openshift-dedicated.adoc[]
+[id="rosa-cli-permission-examples"]
+= Least privilege permissions for ROSA CLI commands
+:context: rosa-cli-permission-examples
+toc::[]
+
+You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the {product-title} (ROSA) command line interface (CLI).
+
+[IMPORTANT]
+====
+Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
+====
+
+[NOTE]
+====
+The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see xref:../../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-common-commands_rosa-managing-objects-cli[Common commands and arguments].
+====
+
+For more information about configuring permissions, policies, and roles in the AWS console, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html[AWS Identity and Access Management] in the AWS documentation.
+
+include::modules/rosa-cli-hcp-classic-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-hcp-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-classic-examples.adoc[leveloffset=+1]
+include::modules/rosa-cli-no-permissions-required.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="additional-resources_min-permissions-required"]
+== Additional resources
+
+* For more information about AWS roles, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles.html[IAM roles].
+* For more information about AWS policies and permissions, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html[Policies and permissions in IAM].

modules/rosa-cli-classic-examples.adoc

@@ -0,0 +1,155 @@
+// Module included in the following assemblies:
+//
+// * rosa_cli/rosa-cli-permission-examples.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="rosa-cli-classic-examples_{context}"]
+= Least privilege permissions for common ROSA Classic CLI commands
+
+The following examples show the least privilege permissions needed for the most common ROSA CLI commands  when building ROSA Classic clusters.
+
+[id="rosa-min-permissions-required-classic_{context}"]
+== Create a cluster
+
+Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.
+
+.Input
+[source,terminal]
+----
+$ rosa create cluster
+----
+.Policy
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateCluster",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListRoleTags",
+                "iam:ListRoles"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+
+[id="rosa-create-account-operator-roles-classic_{context}"]
+== Create account roles and Operator roles
+
+Run the following command with the specified permissions to create account and Operator roles in `auto' mode.
+
+.Input
+[source,terminal]
+----
+$ rosa create account-roles --mode auto --classic
+----
+.Policy
+[source,json]
+----
+
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "CreateAccountOperatorRoles",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:UpdateAssumeRolePolicy",
+                "iam:ListRoleTags",
+                "iam:GetPolicy",
+                "iam:TagRole",
+                "iam:ListRoles",
+                "iam:CreateRole",
+                "iam:AttachRolePolicy",
+                "iam:TagPolicy",
+                "iam:CreatePolicy",
+                "iam:ListPolicyTags"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----
+[id="rosa-delete-account-roles-classic_{context}"]
+== Delete your account roles
+
+Run the following command with the specified permissions to delete the account roles in `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa delete account-roles -–mode auto
+----
+.Policy
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListInstanceProfilesForRole",
+                "iam:DetachRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRoles",
+                "iam:DeleteRole",
+                "iam:ListRolePolicies",
+                "iam:GetPolicy",
+                "iam:ListPolicyVersions",
+                "iam:DeletePolicy"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+----
+
+[id="rosa-delete-operator-roles-classic_{context}"]
+== Delete your Operator roles
+
+Run the following command with the specified permissions to delete the Operator roles in `auto` mode.
+
+.Input
+[source,terminal]
+----
+$ rosa delete operator-roles -–mode auto
+----
+.Policy
+[source,json]
+----
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetRole",
+                "iam:ListInstanceProfilesForRole",
+                "iam:DetachRolePolicy",
+                "iam:ListAttachedRolePolicies",
+                "iam:ListRoles",
+                "iam:DeleteRole",
+                "iam:ListRolePolicies",
+                "iam:GetPolicy",
+                "iam:ListPolicyVersions",
+                "iam:DeletePolicy"
+            ],
+            "Resource": "*"
+        }
+    ]
+}
+
+----