From fb4af83c3025f159c24770daa4eb8b10071dc12b Mon Sep 17 00:00:00 2001
From: stdoutput <moritz.sanft@outlook.de>
Date: Wed, 22 Mar 2023 14:54:34 +0100
Subject: [PATCH] [wip] split Azure perms by iam create/create step

---
 docs/docs/getting-started/install.md | 45 +++++++++++++++++++++-------
 docs/docs/workflows/config.md        | 45 ++--------------------------
 2 files changed, 38 insertions(+), 52 deletions(-)

diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md
index 47eefd50e..16bb1f17e 100644
--- a/docs/docs/getting-started/install.md
+++ b/docs/docs/getting-started/install.md
@@ -119,13 +119,25 @@ The following [resource providers need to be registered](https://learn.microsoft
 
 By default, Constellation tries to register these automatically if they haven't been registered before.
 
-You need the following permissions for your user account:
+To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
+* `Microsoft.Authorization/roleDefinitions/*`
+* `Microsoft.Authorization/roleAssignments/*`
+* `*/register/action` (can be ommitted if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration)
+* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
+* `Microsoft.Resources/subscriptions/resourcegroups/*`
 
-- `Contributor` (to create cloud resources)
-- `User Access Administrator` (to create a service account)
+To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
+* `Microsoft.Insights/components/*`
+* `Microsoft.Network/publicIPAddresses/*`
+* `Microsoft.Network/virtualNetworks/*`
+* `Microsoft.Network/loadBalancers/*`
+* `Microsoft.Network/networkSecurityGroups/*`
+* `Microsoft.Network/loadBalancers/backendAddressPools/*`
+* `Microsoft.Network/virtualNetworks/subnets/*`
+* `Microsoft.Compute/virtualMachineScaleSets/*`
+* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
 
-If you don't have these permissions with scope *subscription*, ask your administrator to [create the service account and a resource group for your Constellation cluster](first-steps.md).
-Your user account needs the `Contributor` permission scoped to this resource group.
+Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments).
 
 </tabItem>
 <tabItem value="gcp" label="GCP">
@@ -133,10 +145,21 @@ Your user account needs the `Contributor` permission scoped to this resource gro
 Create a new project for Constellation or use an existing one.
 Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it.
 
-You need the following permissions on this project:
+To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions:
+* `iam.serviceAccountKeys.create`
+* `iam.serviceAccountKeys.delete`
+* `iam.serviceAccountKeys.get`
+* `iam.serviceAccounts.create`
+* `iam.serviceAccounts.delete`
+* `iam.serviceAccounts.get`
+* `iam.serviceAccounts.getAccessToken`
+* `resourcemanager.projects.getIamPolicy`
+* `resourcemanager.projects.setIamPolicy`
 
-- `compute.*` (or the subset defined by `roles/compute.instanceAdmin.v1`)
-- `iam.serviceAccountUser`
+To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions:
+* `compute.disks.create`
+
+To [initialize the cluster](../workflows/create.md#the-init-step), you need the following permissions:
 
 Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
 
@@ -145,7 +168,7 @@ Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/under
 
 To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
 
-To create the AWS IAM policies, your user requires the following minimal set of permissions:
+To create the IAM configuration for Constellation, you need the following permissions:
 
 ```json
 {
@@ -182,7 +205,7 @@ To create the AWS IAM policies, your user requires the following minimal set of
 }
 ```
 
-To create the infrastructure, you can either use a predefined role from Amazon,
+To [create a Constellation cluster](../workflows/create.md#the-create-step), you can either use a predefined role from Amazon,
 such as `PowerUserAccess`, or use the following minimal set of permissions:
 
 ```json
@@ -269,6 +292,8 @@ such as `PowerUserAccess`, or use the following minimal set of permissions:
 }
 ```
 
+To [initialize the cluster](../workflows/create.md#the-init-step), you need the following permissions:
+
 Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
 
 </tabItem>
diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md
index 79e87eb2d..dae7e0d5a 100644
--- a/docs/docs/workflows/config.md
+++ b/docs/docs/workflows/config.md
@@ -82,14 +82,7 @@ If you haven't generated a configuration file yet, you can do so by adding the `
 <tabs groupId="csp">
 <tabItem value="azure" label="Azure">
 
-You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session.
-
-Your Azure account also needs to have at least the following permissions:
-* `Microsoft.Authorization/roleDefinitions/*`
-* `Microsoft.Authorization/roleAssignments/*`
-* `*/register/action`
-* `Microsoft.ManagedIdentity/userAssignedIdentities/*`
-* `Microsoft.Resources/subscriptions/resourcegroups/*`
+You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 
 ```bash
 constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest
@@ -112,18 +105,7 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co
 </tabItem>
 <tabItem value="gcp" label="GCP">
 
-You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session.
-
-Your GCP account also needs to have at least the following permissions:
-* `iam.serviceAccountKeys.create`
-* `iam.serviceAccountKeys.delete`
-* `iam.serviceAccountKeys.get`
-* `iam.serviceAccounts.create`
-* `iam.serviceAccounts.delete`
-* `iam.serviceAccounts.get`
-* `iam.serviceAccounts.getAccessToken`
-* `resourcemanager.projects.getIamPolicy`
-* `resourcemanager.projects.setIamPolicy`
+You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 
 ```bash
 constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test
@@ -138,28 +120,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml`
 </tabItem>
 <tabItem value="aws" label="AWS">
 
-You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session.
-
-Your AWS account also needs to have at least the following permissions:
-* `iam:CreatePolicy`
-* `iam:CreateRole`
-* `iam:GetPolicy`
-* `iam:GetRole`
-* `iam:GetPolicyVersion`
-* `iam:ListRolePolicies`
-* `iam:ListAttachedRolePolicies`
-* `iam:ListPolicyVersions`
-* `iam:ListInstanceProfilesForRole`
-* `iam:DeletePolicy`
-* `iam:DeleteRole`
-* `iam:AttachRolePolicy`
-* `iam:CreateInstanceProfile`
-* `iam:GetInstanceProfile`
-* `iam:RemoveRoleFromInstanceProfile`
-* `iam:DetachRolePolicy`
-* `iam:DeleteInstanceProfile`
-* `iam:AddRoleToInstanceProfile`
-* `iam:PassRole`
+You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials).
 
 ```bash
 constellation iam create aws --zone=eu-central-1a --prefix=constellTest