AWS managed policies for ROSA - Red Hat OpenShift Service on AWS

AWS managed policies for ROSA

An AWS managed policy is a standalone policy that is created and administered by AWS. AWS managed policies are designed to provide permissions for many common use cases so that you can start assigning permissions to users, groups, and roles.

Keep in mind that AWS managed policies might not grant least-privilege permissions for your specific use cases because they’re available for all AWS customers to use. We recommend that you reduce permissions further by defining customer managed policies that are specific to your use cases.

You cannot change the permissions defined in AWS managed policies. If AWS updates the permissions defined in an AWS managed policy, the update affects all principal identities (users, groups, and roles) that the policy is attached to. AWS is most likely to update an AWS managed policy when a new AWS service is launched or new API operations become available for existing services. For more information, see AWS managed policies in the IAM User Guide.

AWS managed policy: ROSAManageSubscription

You can attach the ROSAManageSubscription policy to your IAM entities. Before you enable ROSA in the AWS ROSA console, you must first attach this policy to a console role.

This policy grants the AWS Marketplace permissions required for you to manage the ROSA subscription.

Permissions details

This policy includes the following permissions.

  • aws-marketplace:Subscribe - Grants permission to subscribe to the AWS Marketplace product for ROSA.

  • aws-marketplace:Unsubscribe - Allows principals to remove subscriptions to AWS Marketplace products.

  • aws-marketplace:ViewSubscriptions - Allows principals to view subscriptions from AWS Marketplace. This is required so that the IAM principal can view the available AWS Marketplace subscriptions.

To view the full JSON policy document, see ROSAManageSubscription in the AWS Managed Policy Reference Guide.

ROSA with HCP account policies

This section provides details about the account policies that are required for ROSA with hosted control planes (HCP). These AWS managed policies add permissions used by ROSA with HCP IAM roles. The permissions are required for Red Hat site reliability engineering (SRE) technical support, cluster installation, and control plane and compute functionality.

Note

AWS managed policies are intended for use by ROSA with hosted control planes (HCP). ROSA classic clusters use customer managed IAM policies. For more information about ROSA classic policies, see ROSA classic account policies and ROSA classic operator policies.

AWS managed policy: ROSAWorkerInstancePolicy

You can attach ROSAWorkerInstancePolicy to your IAM entities. Before you create a ROSA with hosted control planes cluster, you must first attach this policy to a worker IAM role.

Permissions details

This policy includes permissions that allow the ROSA service to complete the following tasks:

  • ec2 — Review AWS Region and Amazon EC2 instance details as part of the lifecycle management of worker nodes in a ROSA cluster.

To view the full JSON policy document, see ROSAWorkerInstancePolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSASRESupportPolicy

You can attach ROSASRESupportPolicy to your IAM entities.

Before you create a ROSA with hosted control planes cluster, you must first attach this policy to a support IAM role. This policy grants required permissions to Red Hat site reliability engineers (SREs) to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state.

Permissions details

This policy includes permissions that allow Red Hat SREs to complete the following tasks:

  • cloudtrail — Read AWS CloudTrail events and trails relevant to the cluster.

  • cloudwatch — Read Amazon CloudWatch metrics relevant to the cluster.

  • ec2 — Read, describe, and review Amazon EC2 components related to the cluster’s health such as security groups, VPC endpoint connections, and volume status. Launch, stop, reboot, and terminate Amazon EC2 instances.

  • elasticloadbalancing — Read, describe, and review Elastic Load Balancing parameters related to the cluster’s health.

  • iam — Evaluate IAM roles that relate to the cluster’s health.

  • route53 — Review DNS settings related to the cluster’s health.

  • sts:DecodeAuthorizationMessage — Read IAM messages for debugging purposes.

To view the full JSON policy document, see ROSASRESupportPolicy in the AWS Managed Policy Reference Guide.
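Because ROSASRESupportPolicy lets the support role launch, stop, reboot, and terminate instances, a defender will want those calls visible and reconciled against open support cases. The following Python filter is added here and is not part of the AWS documentation: it pulls node-state changes made under an assumed support role out of CloudTrail records. The role-name marker `-ROSA-Support-Role`, the sample records, and every ID in them are constructed assumptions.

```python
"""Surface EC2 node-state changes made under the ROSA SRE support role.

ROSASRESupportPolicy permits launching, stopping, rebooting, and terminating
EC2 instances. This filter runs offline over CloudTrail records (for example a
JSON export) and returns the calls made by an assumed role whose name contains
the support-role marker. The marker, the records, and all IDs are constructed.
"""
import json

# EC2 calls named in the policy description that change instance state.
NODE_STATE_EVENTS = {"RunInstances", "StopInstances", "RebootInstances", "TerminateInstances"}


def issuing_role(record):
    """Return the IAM role name behind an assumed-role session, or None."""
    ident = record.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def support_role_node_changes(records, marker="-ROSA-Support-Role"):
    """Return (role, eventName, instanceIds, eventTime, errorCode) tuples for
    node-state calls made by a role whose name contains `marker`.
    Failed calls (errorCode set) are kept: a denied attempt is still worth seeing."""
    hits = []
    for rec in records:
        if rec.get("eventSource") != "ec2.amazonaws.com":
            continue
        if rec.get("eventName") not in NODE_STATE_EVENTS:
            continue
        role = issuing_role(rec)
        if role is None or marker not in role:
            continue
        items = rec.get("requestParameters", {}).get("instancesSet", {}).get("items", [])
        ids = [i["instanceId"] for i in items if "instanceId" in i]
        hits.append((role, rec["eventName"], ids, rec.get("eventTime"), rec.get("errorCode")))
    return hits


# Constructed CloudTrail records (not real account data). The NodePool role's
# TerminateInstances call is expected behaviour under ROSANodePoolManagementPolicy
# and is deliberately left out of the support-role view.
SAMPLE_RECORDS = json.loads("""
{"Records": [
 {"eventTime": "2024-05-02T10:15:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "StopInstances",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"type": "Role", "userName": "demo-ROSA-Support-Role"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}, "force": false}},
 {"eventTime": "2024-05-02T10:16:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "DescribeInstances",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"type": "Role", "userName": "demo-ROSA-Support-Role"}}},
  "requestParameters": {}},
 {"eventTime": "2024-05-02T10:20:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"type": "Role", "userName": "demo-ROSA-NodePool-Role"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}}},
 {"eventTime": "2024-05-02T10:25:00Z", "eventSource": "ec2.amazonaws.com",
  "eventName": "TerminateInstances", "errorCode": "Client.UnauthorizedOperation",
  "userIdentity": {"type": "AssumedRole", "sessionContext": {"sessionIssuer":
    {"type": "Role", "userName": "demo-ROSA-Support-Role"}}},
  "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0fedcba9876543210"}]}}}
]}
""")["Records"]

if __name__ == "__main__":
    for hit in support_role_node_changes(SAMPLE_RECORDS):
        print(hit)
```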

AWS managed policy: ROSAInstallerPolicy

You can attach ROSAInstallerPolicy to your IAM entities.

Before you create a ROSA with hosted control planes cluster, you must first attach this policy to an IAM role named [Prefix]-ROSA-Worker-Role. This policy allows entities to add any role that follows the [Prefix]-ROSA-Worker-Role pattern to an instance profile. This policy grants necessary permissions to the installer to manage AWS resources that support ROSA cluster installation.

Permissions details

This policy includes permissions that allow the installer to complete the following tasks:

  • ec2 — Run Amazon EC2 instances using AMIs hosted in AWS accounts owned and managed by Red Hat. Describe Amazon EC2 instances, volumes, and network resources associated with Amazon EC2 nodes. This permission is required so that the Kubernetes control plane can join instances to a cluster, and the cluster can evaluate its presence within Amazon VPC. Tag subnets using tag keys matching "kubernetes.io/cluster/*". This is required to ensure that the load balancer used for cluster ingress is created only in applicable subnets.

  • elasticloadbalancing — Add load balancers to target nodes on a cluster. Remove load balancers from target nodes on a cluster. This permission is required so that the Kubernetes control plane can dynamically provision load balancers requested by Kubernetes services and OpenShift application services.

  • kms — Read an AWS KMS key, create and manage grants to Amazon EC2, and return a unique symmetric data key for use outside of AWS KMS. This is required for the use of encrypted etcd data when etcd encryption is enabled at cluster creation.

  • iam — Validate IAM roles and policies. Dynamically provision and manage Amazon EC2 instance profiles relevant to the cluster. Add tags to an IAM instance profile by using the iam:TagInstanceProfile permission. Provide installer error messages when cluster installation fails due to a missing customer-specified cluster OIDC provider.

  • route53 — Manage Route 53 resources needed to create clusters.

  • servicequotas — Evaluate service quotas required to create a cluster.

  • sts — Create temporary AWS STS credentials for ROSA components. Assume the credentials for cluster creation.

  • secretsmanager — Read a secret value to securely allow customer-managed OIDC configuration as part of cluster provisioning.

To view the full JSON policy document, see ROSAInstallerPolicy in the AWS Managed Policy Reference Guide.

ROSA with HCP operator policies

This section provides details about the operator policies that are required for ROSA with hosted control planes (HCP). You can attach these AWS managed policies to the operator roles needed to use ROSA with HCP. The permissions are required to allow OpenShift operators to manage ROSA with HCP cluster nodes.

Note

AWS managed policies are intended for use by ROSA with hosted control planes (HCP). ROSA classic clusters use customer managed IAM policies. For more information about ROSA classic policies, see ROSA classic account policies and ROSA classic operator policies.

AWS managed policy: ROSAAmazonEBSCSIDriverOperatorPolicy

You can attach ROSAAmazonEBSCSIDriverOperatorPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants necessary permissions to the Amazon EBS CSI Driver Operator to install and maintain the Amazon EBS CSI driver on a ROSA cluster. For more information about the operator, see aws-ebs-csi-driver operator in the OpenShift GitHub documentation.

Permissions details

This policy includes permissions that allow the Amazon EBS CSI Driver Operator to complete the following tasks:

  • ec2 — Create, modify, attach, detach, and delete Amazon EBS volumes that are attached to Amazon EC2 instances. Create and delete Amazon EBS volume snapshots and list Amazon EC2 instances, volumes, and snapshots.

To view the full JSON policy document, see ROSAAmazonEBSCSIDriverOperatorPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSAIngressOperatorPolicy

You can attach ROSAIngressOperatorPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the Ingress Operator to provision and manage load balancers and DNS configurations for ROSA clusters. The policy allows read access to tag values. The operator then filters the tag values for Route 53 resources to discover hosted zones. For more information about the operator, see OpenShift Ingress Operator in the OpenShift GitHub documentation.

Permissions details

This policy includes permissions that allow the Ingress Operator to complete the following tasks:

  • elasticloadbalancing — Describe the state of provisioned load balancers.

  • route53 — List Route 53 hosted zones and edit records that manage the DNS controlled by the ROSA cluster.

  • tag — Manage tagged resources by using the tag:GetResources permission.

To view the full JSON policy document, see ROSAIngressOperatorPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSAImageRegistryOperatorPolicy

You can attach ROSAImageRegistryOperatorPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the Image Registry Operator to provision and manage resources for the ROSA in-cluster image registry and dependent services, including S3. This is required so that the operator can install and maintain the internal registry of a ROSA cluster. For more information about the operator, see Image Registry Operator in the OpenShift GitHub documentation.

Permissions details

This policy includes permissions that allow the Image Registry Operator to complete the following actions:

  • s3 — Manage and evaluate Amazon S3 buckets as persistent storage for container image content and cluster metadata.

To view the full JSON policy document, see ROSAImageRegistryOperatorPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSACloudNetworkConfigOperatorPolicy

You can attach ROSACloudNetworkConfigOperatorPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the Cloud Network Config Controller Operator to provision and manage networking resources for the ROSA cluster networking overlay. The operator uses these permissions to manage private IP addresses for Amazon EC2 instances as part of the ROSA cluster. For more information about the operator, see Cloud-network-config-controller in the OpenShift GitHub documentation.

Permissions details

This policy includes permissions that allow the Cloud Network Config Controller Operator to complete the following tasks:

  • ec2 — Read, assign, and describe configurations for connecting Amazon EC2 instances, Amazon VPC subnets, and elastic network interfaces in a ROSA cluster.

To view the full JSON policy document, see ROSACloudNetworkConfigOperatorPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSAKubeControllerPolicy

You can attach ROSAKubeControllerPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the kube controller to manage Amazon EC2, Elastic Load Balancing, and AWS KMS resources for a ROSA with hosted control planes cluster. For more information about this controller, see Controller architecture in the OpenShift documentation.

Permissions details

This policy includes permissions that allow the kube controller to complete the following tasks:

  • ec2 — Create, delete, and add tags to Amazon EC2 instance security groups. Add inbound rules to security groups. Describe Availability Zones, Amazon EC2 instances, route tables, security groups, VPCs, and subnets.

  • elasticloadbalancing — Create and manage load balancers and their policies. Create and manage load balancer listeners. Register targets with target groups and manage target groups. Register and de-register Amazon EC2 instances with a load balancer, and add tags to load balancers.

  • kms — Retrieve detailed information about an AWS KMS key. This is required for the use of encrypted etcd data when etcd encryption is enabled at cluster creation.

To view the full JSON policy document, see ROSAKubeControllerPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSANodePoolManagementPolicy

You can attach ROSANodePoolManagementPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also grants permissions to allow for disk encryption of the worker node root volume using AWS KMS keys. For more information about this controller, see Controller architecture in the OpenShift documentation.

Permissions details

This policy includes permissions that allow the NodePool controller to complete the following tasks:

  • ec2 — Run Amazon EC2 instances using AMIs hosted in AWS accounts owned and managed by Red Hat. Manage EC2 lifecycles in the ROSA cluster. Dynamically create and integrate worker nodes with Elastic Load Balancing, Amazon VPC, Route 53, Amazon EBS, and Amazon EC2.

  • iam — Use Elastic Load Balancing via the service-linked role named AWSServiceRoleForElasticLoadBalancing. Assign roles to Amazon EC2 instance profiles.

  • kms — Read an AWS KMS key, create and manage grants to Amazon EC2, and return a unique symmetric data key for use outside of AWS KMS. This is required to allow for disk encryption of the worker node root volume.

To view the full JSON policy document, see ROSANodePoolManagementPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSAKMSProviderPolicy

You can attach ROSAKMSProviderPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the built-in AWS Encryption Provider to manage AWS KMS keys that support etcd data encryption. This policy allows Amazon EC2 to use KMS keys that the AWS Encryption Provider provides to encrypt and decrypt etcd data. For more information about this provider, see AWS Encryption Provider in the Kubernetes GitHub documentation.

Permissions details

This policy includes permissions that allow the AWS Encryption Provider to complete the following tasks:

  • kms — Encrypt, decrypt, and retrieve an AWS KMS key. This is required for the use of encrypted etcd data when etcd encryption is enabled at cluster creation.

To view the full JSON policy document, see ROSAKMSProviderPolicy in the AWS Managed Policy Reference Guide.

AWS managed policy: ROSAControlPlaneOperatorPolicy

You can attach ROSAControlPlaneOperatorPolicy to your IAM entities. You must attach this policy to an operator IAM role to allow a ROSA with hosted control planes cluster to make calls to other AWS services. A unique set of operator roles is required for each cluster.

This policy grants required permissions to the Control Plane Operator to manage Amazon EC2 and Route 53 resources for ROSA with hosted control planes clusters. For more information about this operator, see Controller architecture in the OpenShift documentation.

Permissions details

This policy includes permissions that allow the Control Plane Operator to complete the following tasks:

  • ec2 — Create and manage Amazon VPC endpoints.

  • route53 — List and change Route 53 record sets and list hosted zones.

To view the full JSON policy document, see ROSAControlPlaneOperatorPolicy in the AWS Managed Policy Reference Guide.
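The policies above are meant to be attached one per role, and the least-privilege advice at the top of this page plus the installer's own check for customer managed policies on ROSA roles suggest an audit of what is actually attached. The following Python script is added here and is not part of the AWS documentation: it takes the per-role output shape of `aws iam list-attached-role-policies` and reports customer managed policies attached to ROSA roles, AWS managed policies that are not ROSA policies, the roles carrying ROSASRESupportPolicy, and documented HCP policies attached to no role at all. The `<prefix>-ROSA-` naming filter, the sample roles, the account ID, and the policy paths in the ARNs are constructed assumptions.

```python
"""Audit the policies attached to ROSA with HCP IAM roles.

Input mirrors the per-role output of `aws iam list-attached-role-policies`
({"AttachedPolicies": [{"PolicyName": ..., "PolicyArn": ...}]}). The check
reports customer managed policies on ROSA roles, AWS managed policies that are
not ROSA policies, the roles carrying ROSASRESupportPolicy, and documented
HCP policies attached to no role at all. Sample roles and ARNs are constructed.
"""

# AWS managed policies documented for ROSA with HCP (names as listed on the page).
ROSA_ACCOUNT_POLICIES = {"ROSAWorkerInstancePolicy", "ROSASRESupportPolicy", "ROSAInstallerPolicy"}
ROSA_OPERATOR_POLICIES = {
    "ROSAAmazonEBSCSIDriverOperatorPolicy", "ROSAIngressOperatorPolicy",
    "ROSAImageRegistryOperatorPolicy", "ROSACloudNetworkConfigOperatorPolicy",
    "ROSAKubeControllerPolicy", "ROSANodePoolManagementPolicy",
    "ROSAKMSProviderPolicy", "ROSAControlPlaneOperatorPolicy",
}
ROSA_HCP_POLICIES = ROSA_ACCOUNT_POLICIES | ROSA_OPERATOR_POLICIES


def is_aws_managed(policy_arn):
    """AWS managed policy ARNs carry "aws" in the account position
    (arn:aws:iam::aws:policy/<path>/<name>); customer managed ones carry an account ID."""
    parts = policy_arn.split(":")
    return len(parts) == 6 and parts[4] == "aws" and parts[5].startswith("policy/")


def rosa_roles(all_roles, prefix):
    """Assumption: every ROSA role in the account follows the <prefix>-ROSA-... naming
    that the page shows for [Prefix]-ROSA-Worker-Role."""
    return {r: p for r, p in all_roles.items() if r.startswith(prefix + "-ROSA-")}


def audit_roles(roles):
    """roles: {role_name: {"AttachedPolicies": [...]}}. Returns findings by category."""
    findings = {"customer_managed": [], "unexpected_aws_managed": [], "sre_support_roles": []}
    seen = set()
    for role, data in roles.items():
        for pol in data.get("AttachedPolicies", []):
            name, arn = pol["PolicyName"], pol["PolicyArn"]
            if not is_aws_managed(arn):
                # An extra customer policy widens a role the installer expects to
                # carry only its ROSA policy; the page says the installer checks this.
                findings["customer_managed"].append((role, name))
            elif name in ROSA_HCP_POLICIES:
                seen.add(name)
                if name == "ROSASRESupportPolicy":
                    findings["sre_support_roles"].append(role)
            else:
                findings["unexpected_aws_managed"].append((role, name))
    findings["missing_hcp_policies"] = sorted(ROSA_HCP_POLICIES - seen)
    return findings


# Constructed sample (not real account data); policy paths and account ID are illustrative.
SAMPLE_ROLES = {
    "demo-ROSA-Worker-Role": {"AttachedPolicies": [
        {"PolicyName": "ROSAWorkerInstancePolicy",
         "PolicyArn": "arn:aws:iam::aws:policy/service-role/ROSAWorkerInstancePolicy"}]},
    "demo-ROSA-Support-Role": {"AttachedPolicies": [
        {"PolicyName": "ROSASRESupportPolicy",
         "PolicyArn": "arn:aws:iam::aws:policy/service-role/ROSASRESupportPolicy"},
        {"PolicyName": "TeamDebugExtras",
         "PolicyArn": "arn:aws:iam::123456789012:policy/TeamDebugExtras"}]},
    "demo-ROSA-Installer-Role": {"AttachedPolicies": [
        {"PolicyName": "ROSAInstallerPolicy",
         "PolicyArn": "arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy"},
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
    "ci-deploy-role": {"AttachedPolicies": [
        {"PolicyName": "AdministratorAccess",
         "PolicyArn": "arn:aws:iam::aws:policy/AdministratorAccess"}]},
}

if __name__ == "__main__":
    for category, items in audit_roles(rosa_roles(SAMPLE_ROLES, "demo")).items():
        print(category, items)
```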

ROSA updates to AWS managed policies

View details about updates to AWS managed policies for ROSA since this service began tracking these changes. For automatic alerts about changes to this page, subscribe to the RSS feed on the Document history page.

Each entry below lists the change, a description, and the date.

ROSANodePoolManagementPolicy — Policy updated

ROSA updated the policy to allow the ROSA node pool manager to describe DHCP option sets in order to set the proper private DNS names. To learn more, see AWS managed policy: ROSANodePoolManagementPolicy.

May 2, 2024

ROSAInstallerPolicy — Policy updated

ROSA updated the policy to allow the ROSA installer to add tags to subnets using tag keys matching "kubernetes.io/cluster/*". To learn more, see AWS managed policy: ROSAInstallerPolicy.

April 24, 2024

ROSASRESupportPolicy — Policy updated

ROSA updated the policy to allow the SRE role to retrieve information on instance profiles that have been tagged by ROSA as red-hat-managed. To learn more, see AWS managed policy: ROSASRESupportPolicy.

April 10, 2024

ROSAInstallerPolicy — Policy updated

ROSA updated the policy to allow the ROSA installer to validate that AWS managed policies for ROSA are attached to IAM roles used by ROSA. This update also allows the installer to identify whether customer managed policies have been attached to ROSA roles. To learn more, see AWS managed policy: ROSAInstallerPolicy.

April 10, 2024

ROSAInstallerPolicy — Policy updated

ROSA updated the policy to allow the service to provide installer alert messages when cluster installation fails due to a missing customer-specified cluster OIDC provider. This update also allows the service to retrieve existing DNS name servers so that cluster provisioning operations are idempotent. To learn more, see AWS managed policy: ROSAInstallerPolicy.

January 26, 2024

ROSASRESupportPolicy — Policy updated

ROSA updated the policy to allow the service to perform read operations on security groups using the DescribeSecurityGroups API. To learn more, see AWS managed policy: ROSASRESupportPolicy.

January 22, 2024

ROSAImageRegistryOperatorPolicy — Policy updated

ROSA updated the policy to allow the Image Registry Operator to take actions on Amazon S3 buckets in Regions with 14-character names. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy.

December 12, 2023

ROSAKubeControllerPolicy — Policy updated

ROSA updated the policy to allow the kube-controller-manager to describe Availability Zones, Amazon EC2 instances, route tables, security groups, VPCs, and subnets. To learn more, see AWS managed policy: ROSAKubeControllerPolicy.

October 16, 2023

ROSAManageSubscription — Policy updated

ROSA updated the policy to add the ROSA with hosted control planes ProductId. To learn more, see AWS managed policy: ROSAManageSubscription.

August 1, 2023

ROSAKubeControllerPolicy — Policy updated

ROSA updated the policy to allow the kube-controller-manager to create Network Load Balancers as Kubernetes service load balancers. Network Load Balancers provide greater ability to handle volatile workloads and support static IP addresses for the load balancer. To learn more, see AWS managed policy: ROSAKubeControllerPolicy.

July 13, 2023

ROSANodePoolManagementPolicy — New policy added

ROSA added a new policy to allow the NodePool controller to describe, run, and terminate Amazon EC2 instances managed as worker nodes. This policy also enables disk encryption of the worker node root volume using AWS KMS keys. To learn more, see AWS managed policy: ROSANodePoolManagementPolicy.

June 8, 2023

ROSAInstallerPolicy — New policy added

ROSA added a new policy to allow the installer to manage AWS resources that support cluster installation. To learn more, see AWS managed policy: ROSAInstallerPolicy.

June 6, 2023

ROSASRESupportPolicy — New policy added

ROSA added a new policy to allow Red Hat SREs to directly observe, diagnose, and support AWS resources associated with ROSA clusters, including the ability to change ROSA cluster node state. To learn more, see AWS managed policy: ROSASRESupportPolicy.

June 1, 2023

ROSAKMSProviderPolicy — New policy added

ROSA added a new policy to allow the built-in AWS Encryption Provider to manage AWS KMS keys to support etcd data encryption. To learn more, see AWS managed policy: ROSAKMSProviderPolicy.

April 27, 2023

ROSAKubeControllerPolicy — New policy added

ROSA added a new policy to allow the kube controller to manage Amazon EC2, Elastic Load Balancing, and AWS KMS resources for ROSA with hosted control planes clusters. To learn more, see AWS managed policy: ROSAKubeControllerPolicy.

April 27, 2023

ROSAImageRegistryOperatorPolicy — New policy added

ROSA added a new policy to allow the Image Registry Operator to provision and manage resources for the ROSA in-cluster image registry and dependent services, including S3. To learn more, see AWS managed policy: ROSAImageRegistryOperatorPolicy.

April 27, 2023

ROSAControlPlaneOperatorPolicy — New policy added

ROSA added a new policy to allow the Control Plane Operator to manage Amazon EC2 and Route 53 resources for ROSA with hosted control planes clusters. To learn more, see AWS managed policy: ROSAControlPlaneOperatorPolicy.

April 24, 2023

ROSACloudNetworkConfigOperatorPolicy — New policy added

ROSA added a new policy to allow the Cloud Network Config Controller Operator to provision and manage networking resources for the ROSA cluster networking overlay. To learn more, see AWS managed policy: ROSACloudNetworkConfigOperatorPolicy.

April 20, 2023

ROSAIngressOperatorPolicy — New policy added

ROSA added a new policy to allow the Ingress Operator to provision and manage load balancers and DNS configurations for ROSA clusters. To learn more, see AWS managed policy: ROSAIngressOperatorPolicy.

April 20, 2023

ROSAAmazonEBSCSIDriverOperatorPolicy — New policy added

ROSA added a new policy to allow the Amazon EBS CSI Driver Operator to install and maintain the Amazon EBS CSI driver on a ROSA cluster. To learn more, see AWS managed policy: ROSAAmazonEBSCSIDriverOperatorPolicy.

April 20, 2023

ROSAWorkerInstancePolicy — New policy added

ROSA added a new policy to allow the service to manage cluster resources. To learn more, see AWS managed policy: ROSAWorkerInstancePolicy.

April 20, 2023

ROSAManageSubscription — New policy added

ROSA added a new policy to grant the AWS Marketplace permissions required to manage the ROSA subscription. To learn more, see AWS managed policy: ROSAManageSubscription.

April 11, 2022

Red Hat OpenShift Service on AWS started tracking changes

Red Hat OpenShift Service on AWS started tracking changes for its AWS managed policies.

March 2, 2022