As traduções são geradas por tradução automática. Em caso de conflito entre o conteúdo da tradução e da versão original em inglês, a versão em inglês prevalecerá.
# ROSAInstallerPolicy
**Descrição**: Permite que o instalador do Red Hat OpenShift Service on AWS (ROSA) gerencie AWS recursos que suportam a instalação do cluster ROSA. Isso inclui o gerenciamento de perfis de instância para nós de trabalho ROSA.
`ROSAInstallerPolicy` é uma [política gerenciada pelo AWS](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).
## Utilização desta política
Você pode vincular a `ROSAInstallerPolicy` aos seus usuários, grupos e perfis.
## Detalhes desta política
+ **Tipo**: Política de função de serviço
+ **Hora da criação**: 06 de junho de 2023, 21:00 UTC
+ **Horário editado:** 12 de fevereiro de 2026, 18:00 UTC
+ **ARN**: `arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy`
## Versão da política
**Versão da política:** v10 (padrão)
A versão padrão da política é aquela que define as permissões desta política. Quando um usuário ou função da política faz uma solicitação para acessar um AWS recurso, AWS verifica a versão padrão da política para determinar se a solicitação deve ser permitida.
## Documento da política JSON
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "ReadPermissions",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeCapacityReservations",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:GetOpenIDConnectProvider",
"iam:GetRole",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListResourceRecordSets",
"route53:GetAccountLimit",
"servicequotas:GetServiceQuota"
],
"Resource" : "*"
},
{
"Sid" : "PassRoleToEC2",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:*:iam::*:role/*-ROSA-Worker-Role"
],
"Effect" : "Allow",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"ec2.amazonaws.com"
]
}
}
},
{
"Sid" : "ManageInstanceProfiles",
"Effect" : "Allow",
"Action" : [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile"
],
"Resource" : [
"arn:aws:iam::*:instance-profile/rosa-service-managed-*"
]
},
{
"Sid" : "CreateInstanceProfiles",
"Effect" : "Allow",
"Action" : [
"iam:CreateInstanceProfile",
"iam:TagInstanceProfile"
],
"Resource" : [
"arn:aws:iam::*:instance-profile/rosa-service-managed-*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "GetSecretValue",
"Effect" : "Allow",
"Action" : [
"secretsmanager:GetSecretValue"
],
"Resource" : [
"*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "Route53ManageRecords",
"Effect" : "Allow",
"Action" : [
"route53:ChangeResourceRecordSets"
],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringLike" : {
"route53:ChangeResourceRecordSetsNormalizedRecordNames" : [
"*.openshiftapps.com",
"*.devshift.org",
"*.hypershift.local",
"*.openshiftusgov.com",
"*.devshiftusgov.com"
]
}
}
},
{
"Sid" : "Route53Manage",
"Effect" : "Allow",
"Action" : [
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone"
],
"Resource" : "*"
},
{
"Sid" : "CreateTags",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : [
"RunInstances"
]
}
}
},
{
"Sid" : "RunInstancesNoCondition",
"Effect" : "Allow",
"Action" : "ec2:RunInstances",
"Resource" : [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Sid" : "RunInstancesRestrictedRequestTag",
"Effect" : "Allow",
"Action" : "ec2:RunInstances",
"Resource" : [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "RunInstancesRedHatOwnedAMIs",
"Effect" : "Allow",
"Action" : [
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:image/*"
],
"Condition" : {
"StringEquals" : {
"ec2:Owner" : [
"531415883065",
"251351625822",
"210686502322"
]
}
}
},
{
"Sid" : "ManageInstancesRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"ec2:TerminateInstances",
"ec2:GetConsoleOutput"
],
"Resource" : "arn:aws:ec2:*:*:instance/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "CreateGrantRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"kms:CreateGrant"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat" : "true"
},
"StringLike" : {
"kms:ViaService" : "ec2.*.amazonaws.com"
},
"Bool" : {
"kms:GrantIsForAWSResource" : true
}
}
},
{
"Sid" : "ManagedKMSRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat" : "true"
}
}
},
{
"Sid" : "CreateSecurityGroups",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "DeleteSecurityGroup",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "SecurityGroupIngressEgress",
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "CreateSecurityGroupsVPCNoCondition",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*"
]
},
{
"Sid" : "CreateTagsRestrictedActions",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : [
"CreateSecurityGroup"
]
}
}
},
{
"Sid" : "CreateTagsK8sSubnet",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"ForAllValues:StringLike" : {
"aws:TagKeys" : [
"kubernetes.io/cluster/*"
]
}
}
},
{
"Sid" : "DeleteTagsK8sSubnet",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteTags"
],
"Resource" : [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"Null" : {
"aws:TagKeys" : "false"
},
"ForAllValues:StringLike" : {
"aws:TagKeys" : [
"kubernetes.io/cluster/*"
]
}
}
},
{
"Sid" : "ListPoliciesAttachedToRoles",
"Effect" : "Allow",
"Action" : [
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies"
],
"Resource" : "arn:aws:iam::*:role/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
}
]
}
```
## Saiba mais
+ [Crie um conjunto de permissões usando políticas AWS gerenciadas no IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html)
+ [Adicionar e remover permissões de identidade IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [Compreenda o controle de versionamento das políticas do IAM](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Comece com políticas AWS gerenciadas e adote permissões com privilégios mínimos](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)