AWS managed IAM policies for ROSA
An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.
Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they’re available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.
You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services.
For more information, see AWS managed policies in the IAM User Guide.
AWS managed policy: ROSAManageSubscription
You can attach the ROSAManageSubscription policy to your IAM entities. Before you enable ROSA in the AWS ROSA console, you must first attach this policy to a console role.
This policy grants the AWS Marketplace permissions required for you to manage the ROSA subscription.
Permissions details
This policy includes the following permissions.
- `aws-marketplace:Subscribe` - Grants permission to subscribe to the AWS Marketplace product for ROSA.
- `aws-marketplace:Unsubscribe` - Allows principals to remove subscriptions to AWS Marketplace products.
- `aws-marketplace:ViewSubscriptions` - Allows principals to view subscriptions from AWS Marketplace. This is required so that the IAM principal can view the available AWS Marketplace subscriptions.
To view the full JSON policy document, see ROSAManageSubscription in the AWS Managed Policy Reference Guide.
AWS managed policies for ROSA with HCP account roles
You can attach these AWS managed policies to the account roles needed to use ROSA with hosted control planes (HCP). The permissions are required for Red Hat site reliability engineering (SRE) support on the cluster, cluster creation, and compute functionality.
The following managed policies are required:
- AWS managed policy: ROSAWorkerInstancePolicy — Allows the ROSA service to manage Amazon EC2 instance lifecycles in a ROSA cluster.
- AWS managed policy: ROSASRESupportPolicy — Grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state.
- AWS managed policy: ROSAInstallerPolicy — Grants required permissions to the installer to manage AWS resources that support cluster installation.
AWS managed policies for ROSA with HCP operator roles
You can attach these AWS managed policies to the operator roles needed to use ROSA with hosted control planes (HCP). The permissions are required to allow OpenShift operators to manage ROSA with HCP cluster nodes.
The following managed policies are required:
- AWS managed policy: ROSAAmazonEBSCSIDriverOperatorPolicy — Grants required permissions to the Amazon EBS CSI Driver Operator to install and maintain the Amazon EBS CSI driver on a ROSA cluster.
- AWS managed policy: ROSAIngressOperatorPolicy — Grants required permissions to the Ingress Operator to provision and manage load balancers and DNS configurations for ROSA clusters. The policy allows read access to tag values. The operator then filters the tag values for Route 53 resources to discover hosted zones.
- AWS managed policy: ROSAImageRegistryOperatorPolicy — Grants required permissions to the Image Registry Operator to provision and manage resources for the ROSA in-cluster image registry and dependent services, including S3.
- AWS managed policy: ROSACloudNetworkConfigOperatorPolicy — Grants required permissions to the Cloud Network Config Controller Operator to provision and manage networking resources for the ROSA cluster networking overlay.
- AWS managed policy: ROSAKubeControllerPolicy — Grants required permissions to the kube controller to manage Amazon EC2, Elastic Load Balancing, and AWS KMS resources for a ROSA with hosted control planes cluster.
- AWS managed policy: ROSANodePoolManagementPolicy — Grants required permissions to the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also enables disk encryption of the worker node root volume using AWS KMS keys.
- AWS managed policy: ROSAKMSProviderPolicy — Grants required permissions to the built-in AWS Encryption Provider to manage AWS KMS keys that support etcd data encryption. This policy allows Amazon EC2 to encrypt and decrypt etcd data using the KMS keys provided by the AWS Encryption Provider.
- AWS managed policy: ROSAControlPlaneOperatorPolicy — Grants required permissions to the Control Plane Operator to manage Amazon EC2 and Route 53 resources for ROSA with hosted control planes clusters.
To view managed policy permissions, see AWS managed policies in the AWS Managed Policy Reference Guide.
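The two lists above name the AWS managed policies that the ROSA with HCP account roles and operator roles must carry, and the change log below notes that the installer itself validates those attachments and identifies customer managed policies attached to ROSA roles. The following script, an added example that is not code from the AWS documentation or from the ROSA project, performs the same kind of check from the defender's side: it classifies each attached policy ARN as AWS managed or customer managed (AWS managed policies use the literal pseudo-account `aws` in the ARN), reports which required policies are attached to none of the audited roles, and lists customer managed policies per role so they can be reviewed against the least-privilege advice at the top of the page. The policy names come from this page; the role names, the account id `123456789012` and the attachment listing in `SAMPLE_ATTACHMENTS` are constructed sample data, and `fetch_role_attachments` assumes `boto3` is installed with credentials permitted to call `iam:ListAttachedRolePolicies`.

```python
"""Offline audit of ROSA with HCP role policy attachments.

Added example, not code from the AWS documentation or the ROSA project. The
policy names come from the page; role names, the account id and the sample
attachment listing are constructed placeholders.
"""
from __future__ import annotations

# Required AWS managed policies for the ROSA with HCP account roles (from the page).
ACCOUNT_ROLE_POLICIES = frozenset({
    "ROSAWorkerInstancePolicy",
    "ROSASRESupportPolicy",
    "ROSAInstallerPolicy",
})

# Required AWS managed policies for the ROSA with HCP operator roles (from the page).
OPERATOR_ROLE_POLICIES = frozenset({
    "ROSAAmazonEBSCSIDriverOperatorPolicy",
    "ROSAIngressOperatorPolicy",
    "ROSAImageRegistryOperatorPolicy",
    "ROSACloudNetworkConfigOperatorPolicy",
    "ROSAKubeControllerPolicy",
    "ROSANodePoolManagementPolicy",
    "ROSAKMSProviderPolicy",
    "ROSAControlPlaneOperatorPolicy",
})


def classify_policy_arn(arn: str) -> str:
    """Return "aws" for an AWS managed policy ARN and "customer" for any other
    IAM policy ARN. AWS managed policies carry the pseudo-account "aws" in the
    account field: arn:<partition>:iam::aws:policy/<path><name>."""
    parts = arn.split(":")
    if len(parts) != 6 or parts[2] != "iam" or not parts[5].startswith("policy/"):
        raise ValueError(f"not an IAM policy ARN: {arn}")
    return "aws" if parts[4] == "aws" else "customer"


def policy_name(arn: str) -> str:
    """Strip the ARN prefix and any path (for example service-role/) to get the policy name."""
    return arn.rsplit("/", 1)[-1]


def audit_roles(role_attachments: dict[str, list[str]], required: frozenset[str]) -> dict:
    """Check a group of roles against a required set of AWS managed policies.

    role_attachments maps a role name to the policy ARNs attached to it. The
    result lists required policies attached to none of the roles, any other
    AWS managed policies found, and customer managed policies grouped by role.
    """
    attached_managed: set[str] = set()
    customer_by_role: dict[str, list[str]] = {}
    for role, arns in role_attachments.items():
        for arn in arns:
            if classify_policy_arn(arn) == "aws":
                attached_managed.add(policy_name(arn))
            else:
                customer_by_role.setdefault(role, []).append(arn)
    return {
        "missing_required": sorted(required - attached_managed),
        "other_aws_managed": sorted(attached_managed - required),
        "customer_managed": customer_by_role,
    }


def fetch_role_attachments(role_names: list[str]) -> dict[str, list[str]]:
    """Live variant: list attached policies with boto3 (assumes boto3 is
    installed and credentials allowed to call iam:ListAttachedRolePolicies).
    boto3 is imported lazily so the offline audit above runs without it."""
    import boto3

    iam = boto3.client("iam")
    paginator = iam.get_paginator("list_attached_role_policies")
    result: dict[str, list[str]] = {}
    for name in role_names:
        result[name] = [
            policy["PolicyArn"]
            for page in paginator.paginate(RoleName=name)
            for policy in page["AttachedPolicies"]
        ]
    return result


# Constructed sample: three account roles, one missing its managed policy and
# one carrying an extra customer managed policy. Role names and the account
# id 123456789012 are placeholders, not values from the page.
SAMPLE_ATTACHMENTS = {
    "example-HCP-ROSA-Installer-Role": [
        "arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy",
    ],
    "example-HCP-ROSA-Support-Role": [
        "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy",
        "arn:aws:iam::123456789012:policy/example-extra-support-access",
    ],
    "example-HCP-ROSA-Worker-Role": [],
}

if __name__ == "__main__":
    report = audit_roles(SAMPLE_ATTACHMENTS, ACCOUNT_ROLE_POLICIES)
    print("missing required policies:", report["missing_required"])
    print("other AWS managed policies:", report["other_aws_managed"])
    for role, arns in report["customer_managed"].items():
        print(f"customer managed policies on {role}: {arns}")
```

On the sample data the audit reports `ROSAWorkerInstancePolicy` as missing and flags the customer managed policy on the support role. To run it against a live account, replace `SAMPLE_ATTACHMENTS` with `fetch_role_attachments([...])` for your account roles, then repeat with `OPERATOR_ROLE_POLICIES` for the operator roles; because the page lists the required policies per role group rather than per role, the check is deliberately made across the group.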
ROSA updates to AWS managed policies
View details about updates to AWS managed policies for ROSA since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history for the ROSA User Guide page.
Change | Description | Date |
---|---|---|
ROSANodePoolManagementPolicy — Policy updated | ROSA updated the policy to allow the ROSA node pool manager to describe DHCP option sets in order to set the proper private DNS names. To learn more, see AWS managed policy: ROSANodePoolManagementPolicy. | May 2, 2024 |
ROSAInstallerPolicy — Policy updated | ROSA updated the policy to allow the ROSA installer to add tags to subnets using tag keys matching | April 24, 2024 |
ROSASRESupportPolicy — Policy updated | ROSA updated the policy to allow the SRE role to retrieve information on instance profiles that have been tagged by ROSA as | April 10, 2024 |
ROSAInstallerPolicy — Policy updated | ROSA updated the policy to allow the ROSA installer to validate that AWS managed policies for ROSA are attached to IAM roles used by ROSA. This update also allows the installer to identify whether customer managed policies have been attached to ROSA roles. To learn more, see AWS managed policy: ROSAInstallerPolicy. | April 10, 2024 |
ROSAInstallerPolicy — Policy updated | ROSA updated the policy to allow the service to provide installer alert messages when cluster installation fails due to a missing customer-specified cluster OIDC provider. This update also allows the service to retrieve existing DNS name servers so that cluster provisioning operations are idempotent. To learn more, see AWS managed policy: ROSAInstallerPolicy. | January 26, 2024 |
ROSASRESupportPolicy — Policy updated | ROSA updated the policy to allow the service to perform read operations on security groups using the DescribeSecurityGroups API. To learn more, see AWS managed policy: ROSASRESupportPolicy. | January 22, 2024 |
ROSAImageRegistryOperatorPolicy — Policy updated | ROSA updated the policy to allow the Image Registry Operator to take actions on Amazon S3 buckets in Regions with 14-character names. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy. | December 12, 2023 |
ROSAKubeControllerPolicy — Policy updated | ROSA updated the policy to allow the kube-controller-manager to describe Availability Zones, Amazon EC2 instances, route tables, security groups, VPCs, and subnets. To learn more, see AWS managed policy: ROSAKubeControllerPolicy. | October 16, 2023 |
ROSAManageSubscription — Policy updated | ROSA updated the policy to add the ROSA with hosted control planes ProductId. To learn more, see AWS managed policy: ROSAManageSubscription. | August 1, 2023 |
ROSAKubeControllerPolicy — Policy updated | ROSA updated the policy to allow the kube-controller-manager to create Network Load Balancers as Kubernetes service load balancers. Network Load Balancers provide greater ability to handle volatile workloads and support static IP addresses for the load balancer. To learn more, see AWS managed policy: ROSAKubeControllerPolicy. | July 13, 2023 |
ROSANodePoolManagementPolicy — New policy added | ROSA added a new policy to allow the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also enables disk encryption of the worker node root volume using AWS KMS keys. To learn more, see AWS managed policy: ROSANodePoolManagementPolicy. | June 8, 2023 |
ROSAInstallerPolicy — New policy added | ROSA added a new policy to allow the installer to manage AWS resources that support cluster installation. To learn more, see AWS managed policy: ROSAInstallerPolicy. | June 6, 2023 |
ROSASRESupportPolicy — New policy added | ROSA added a new policy to allow Red Hat SREs to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state. To learn more, see AWS managed policy: ROSASRESupportPolicy. | June 1, 2023 |
ROSAKMSProviderPolicy — New policy added | ROSA added a new policy to allow the built-in AWS Encryption Provider to manage AWS KMS keys to support etcd data encryption. To learn more, see AWS managed policy: ROSAKMSProviderPolicy. | April 27, 2023 |
ROSAKubeControllerPolicy — New policy added | ROSA added a new policy to allow the kube controller to manage Amazon EC2, Elastic Load Balancing, and AWS KMS resources for ROSA with hosted control planes clusters. To learn more, see AWS managed policy: ROSAKubeControllerPolicy. | April 27, 2023 |
ROSAImageRegistryOperatorPolicy — New policy added | ROSA added a new policy to allow the Image Registry Operator to provision and manage resources for the ROSA in-cluster image registry and dependent services, including S3. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy. | April 27, 2023 |
ROSAControlPlaneOperatorPolicy — New policy added | ROSA added a new policy to allow the Control Plane Operator to manage Amazon EC2 and Route 53 resources for ROSA with hosted control planes clusters. To learn more, see AWS managed policy: ROSAControlPlaneOperatorPolicy. | April 24, 2023 |
ROSACloudNetworkConfigOperatorPolicy — New policy added | ROSA added a new policy to allow the Cloud Network Config Controller Operator to provision and manage networking resources for the ROSA cluster networking overlay. To learn more, see AWS managed policy: ROSACloudNetworkConfigOperatorPolicy. | April 20, 2023 |
ROSAIngressOperatorPolicy — New policy added | ROSA added a new policy to allow the Ingress Operator to provision and manage load balancers and DNS configurations for ROSA clusters. To learn more, see AWS managed policy: ROSAIngressOperatorPolicy. | April 20, 2023 |
ROSAAmazonEBSCSIDriverOperatorPolicy — New policy added | ROSA added a new policy to allow the Amazon EBS CSI Driver Operator to install and maintain the Amazon EBS CSI driver on a ROSA cluster. To learn more, see AWS managed policy: ROSAAmazonEBSCSIDriverOperatorPolicy. | April 20, 2023 |
ROSAWorkerInstancePolicy — New policy added | ROSA added a new policy to allow the service to manage cluster resources. To learn more, see AWS managed policy: ROSAWorkerInstancePolicy. | April 20, 2023 |
ROSAManageSubscription — New policy added | ROSA added a new policy to grant the AWS Marketplace permissions required to manage the ROSA subscription. To learn more, see AWS managed policy: ROSAManageSubscription. | April 11, 2022 |
Red Hat OpenShift Service on AWS started tracking changes | Red Hat OpenShift Service on AWS started tracking changes for its AWS managed policies. | March 2, 2022 |