
Commit f9d6b67

Merge pull request #64491 from aldiazRH/OSDOCS-7642
[OSDOCS-7642] SRE STS access updates
2 parents eb08487 + bf41861 commit f9d6b67

File tree: 1 file changed (+3, -1 lines changed)


modules/rosa-policy-identity-access-management.adoc

Lines changed: 3 additions & 1 deletion
Original file line number | Diff line number | Diff line change
@@ -53,12 +53,14 @@ SREs generate a short-lived AWS access token for a reserved role using the AWS S
5353
[id="rosa-sre-sts-view-aws-account_{context}"]
5454
== SRE STS view of AWS accounts
5555

56-
When SRE is on VPN through two-factor authentication, Red Hat Support and SRE can assume the `ManagedOpenShift-Support-Role` in your AWS Account. `ManagedOpenShift-Support-Role` has all the permissions necessary for SRE to troubleshoot AWS resources. Upon assumption of the `ManagedOpenShift-Support-Role`, SRE uses a AWS Security Token Service (STS) to perform troubleshooting actions in your account. SRE can perform multiple actions which include:
56+
When SREs are on a VPN through two-factor authentication, they and Red Hat Support can assume the `ManagedOpenShift-Support-Role` in your AWS account. The `ManagedOpenShift-Support-Role` has all the permissions necessary for SREs to directly troubleshoot and manage AWS resources. Upon assumption of the `ManagedOpenShift-Support-Role`, SREs use a AWS Security Token Service (STS) to generate a unique, time-expiring URL to the customer's AWS web UI for their account. SREs can then perform multiple troubleshooting actions which include:
5757

5858
* Viewing CloudTrail logs
5959
* Shutting down a faulty EC2 Instance
6060
* Creating EC2 snapshots
6161

62+
All activities performed by SREs arrive from Red Hat IP addresses and are logged to CloudTrail to allow you to audit and review all activity. This role is only used in cases where access to AWS services is required to assist you. The majority of permissions are read-only. However, a select few permissions have more access, including the ability to reboot an instance or spin up a new instance. SRE access is limited to the policy permissions attached to the `ManagedOpenShift-Support-Role`.
63+
6264
For a full list of permissions, see sts_support_permission_policy.json in the link:https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html[About IAM resources for ROSA clusters that use STS] user guide.
6365

6466
[id="rosa-policy-rh-access_{context}"]
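Review bot: the rewritten line 56 keeps the article error "a AWS Security Token Service (STS)" that was already present in the removed line; it should read "an AWS Security Token Service (STS)". The same sentence also switches from second person ("in your AWS account") to third person ("the customer's AWS web UI for their account") within one paragraph; "a unique, time-expiring URL to the AWS console for your account" would keep the module's voice consistent. In the new line 62, the examples of elevated permissions ("reboot an instance or spin up a new instance") do not match the bullet list just above ("Shutting down a faulty EC2 Instance", "Creating EC2 snapshots"); both lists should be checked against sts_support_permission_policy.json, which line 64 cites as the authoritative list, so the module does not describe an action the `ManagedOpenShift-Support-Role` policy does not actually grant.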
