From fb4af83c3025f159c24770daa4eb8b10071dc12b Mon Sep 17 00:00:00 2001 From: stdoutput Date: Wed, 22 Mar 2023 14:54:34 +0100 Subject: [PATCH] [wip] split Azure perms by iam create/create step --- docs/docs/getting-started/install.md | 45 +++++++++++++++++++++------- docs/docs/workflows/config.md | 45 ++-------------------------- 2 files changed, 38 insertions(+), 52 deletions(-) diff --git a/docs/docs/getting-started/install.md b/docs/docs/getting-started/install.md index 47eefd50e..16bb1f17e 100644 --- a/docs/docs/getting-started/install.md +++ b/docs/docs/getting-started/install.md 
@@ -119,13 +119,25 @@ The following [resource providers need to be registered](https://learn.microsoft By default, Constellation tries to register these automatically if they haven't been registered before. -You need the following permissions for your user account: +To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: +* `Microsoft.Authorization/roleDefinitions/*` +* `Microsoft.Authorization/roleAssignments/*` +* `*/register/action` (can be ommitted if the resource providers mentioned above are already registered and the `ARM_SKIP_PROVIDER_REGISTRATION` environment variable is set to `true` when creating the IAM configuration) +* `Microsoft.ManagedIdentity/userAssignedIdentities/*` +* `Microsoft.Resources/subscriptions/resourcegroups/*` -- `Contributor` (to create cloud resources) -- `User Access Administrator` (to create a service account) +To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions: +* `Microsoft.Insights/components/*` +* `Microsoft.Network/publicIPAddresses/*` +* `Microsoft.Network/virtualNetworks/*` +* `Microsoft.Network/loadBalancers/*` +* `Microsoft.Network/networkSecurityGroups/*` +* `Microsoft.Network/loadBalancers/backendAddressPools/*` +* `Microsoft.Network/virtualNetworks/subnets/*` +* `Microsoft.Compute/virtualMachineScaleSets/*` +* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -If you don't have these permissions with scope *subscription*, ask your administrator to [create the service account and a resource group for your Constellation cluster](first-steps.md). -Your user account needs the `Contributor` permission scoped to this resource group. +Follow Microsoft's guide on [understanding](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-definitions) and [assigning roles](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments). 
@@ -133,10 +145,21 @@ Your user account needs the `Contributor` permission scoped to this resource gro Create a new project for Constellation or use an existing one. Enable the [Compute Engine API](https://console.cloud.google.com/apis/library/compute.googleapis.com) on it. -You need the following permissions on this project: +To [create the IAM configuration](../workflows/config.md#creating-an-iam-configuration) for Constellation, you need the following permissions: +* `iam.serviceAccountKeys.create` +* `iam.serviceAccountKeys.delete` +* `iam.serviceAccountKeys.get` +* `iam.serviceAccounts.create` +* `iam.serviceAccounts.delete` +* `iam.serviceAccounts.get` +* `iam.serviceAccounts.getAccessToken` +* `resourcemanager.projects.getIamPolicy` +* `resourcemanager.projects.setIamPolicy` -- `compute.*` (or the subset defined by `roles/compute.instanceAdmin.v1`) -- `iam.serviceAccountUser` +To [create a Constellation cluster](../workflows/create.md#the-create-step), you need the following permissions: +* `compute.disks.create` + +To [initialize the cluster](../workflows/create.md#the-init-step), you need the following permissions: Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access). @@ -145,7 +168,7 @@ Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/under To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure. -To create the AWS IAM policies, your user requires the following minimal set of permissions: +To create the IAM configuration for Constellation, you need the following permissions: ```json { 
@@ -182,7 +205,7 @@ To create the AWS IAM policies, your user requires the following minimal set of } ``` -To create the infrastructure, you can either use a predefined role from Amazon, +To [create a Constellation cluster](../workflows/create.md#the-create-step), you can either use a predefined role from Amazon, such as `PowerUserAccess`, or use the following minimal set of permissions: ```json @@ -269,6 +292,8 @@ such as `PowerUserAccess`, or use the following minimal set of permissions: } ``` +To [initialize the cluster](../workflows/create.md#the-init-step), you need the following permissions: + Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html). diff --git a/docs/docs/workflows/config.md b/docs/docs/workflows/config.md index 79e87eb2d..dae7e0d5a 100644 --- a/docs/docs/workflows/config.md +++ b/docs/docs/workflows/config.md @@ -82,14 +82,7 @@ If you haven't generated a configuration file yet, you can do so by adding the ` -You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session. - -Your Azure account also needs to have at least the following permissions: -* `Microsoft.Authorization/roleDefinitions/*` -* `Microsoft.Authorization/roleAssignments/*` -* `*/register/action` -* `Microsoft.ManagedIdentity/userAssignedIdentities/*` -* `Microsoft.Resources/subscriptions/resourcegroups/*` +You must be authenticated with the [Azure CLI](https://learn.microsoft.com/en-us/cli/azure/install-azure-cli) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash constellation iam create azure --region=westus --resourceGroup=constellTest --servicePrincipal=spTest 
@@ -112,18 +105,7 @@ Since `clientSecretValue` is a sensitive value, you can leave it empty in the co -You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session. - -Your GCP account also needs to have at least the following permissions: -* `iam.serviceAccountKeys.create` -* `iam.serviceAccountKeys.delete` -* `iam.serviceAccountKeys.get` -* `iam.serviceAccounts.create` -* `iam.serviceAccounts.delete` -* `iam.serviceAccounts.get` -* `iam.serviceAccounts.getAccessToken` -* `resourcemanager.projects.getIamPolicy` -* `resourcemanager.projects.setIamPolicy` +You must be authenticated with the [GCP CLI](https://cloud.google.com/sdk/gcloud) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash constellation iam create gcp --projectID=yourproject-12345 --zone=europe-west2-a --serviceAccountID=constell-test 
@@ -138,28 +120,7 @@ Paste the output into the corresponding fields of the `constellation-conf.yaml` -You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session. - -Your AWS account also needs to have at least the following permissions: -* `iam:CreatePolicy` -* `iam:CreateRole` -* `iam:GetPolicy` -* `iam:GetRole` -* `iam:GetPolicyVersion` -* `iam:ListRolePolicies` -* `iam:ListAttachedRolePolicies` -* `iam:ListPolicyVersions` -* `iam:ListInstanceProfilesForRole` -* `iam:DeletePolicy` -* `iam:DeleteRole` -* `iam:AttachRolePolicy` -* `iam:CreateInstanceProfile` -* `iam:GetInstanceProfile` -* `iam:RemoveRoleFromInstanceProfile` -* `iam:DetachRolePolicy` -* `iam:DeleteInstanceProfile` -* `iam:AddRoleToInstanceProfile` -* `iam:PassRole` +You must be authenticated with the [AWS CLI](https://aws.amazon.com/en/cli/) in the shell session with a user that has the [required permissions for IAM creation](../getting-started/install.md#set-up-cloud-credentials). ```bash constellation iam create aws --zone=eu-central-1a --prefix=constellTest
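Review bot: In the Azure hunk of install.md (`@@ -119,13 +119,25 @@`), "ommitted" in the `*/register/action` bullet should be "omitted". More importantly, the removed paragraph ("If you don't have these permissions with scope *subscription*, ask your administrator to ... Your user account needs the `Contributor` permission scoped to this resource group.") has no replacement, so the new bullet lists no longer say at which scope (subscription or a dedicated resource group) each set of permissions must be held; for a least-privilege setup that scope is the main thing a reader needs, so suggest adding a sentence per list stating the required scope.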
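Review bot: In the GCP hunk of install.md (`@@ -133,10 +145,21 @@`), the create-step list contains only `compute.disks.create`, while the removed text required `compute.*` (or `roles/compute.instanceAdmin.v1`); creating instances and networking for a cluster needs far more than disk creation, so either complete the list or keep the old role reference until it is known. The "To [initialize the cluster] ..." line is followed by no permissions at all, which reads as a finished statement with an empty list; drop that heading until the init-step permissions are filled in.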
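Review bot: In the AWS hunk of install.md (`@@ -145,7 +168,7 @@`), the new sentence "To create the IAM configuration for Constellation, you need the following permissions:" lacks the link to `../workflows/config.md#creating-an-iam-configuration` that the equivalent Azure and GCP sentences carry; make it consistent so the three sections read the same way.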
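Review bot: In the second AWS hunk of install.md (`@@ -269,6 +292,8 @@`), "To [initialize the cluster](../workflows/create.md#the-init-step), you need the following permissions:" is immediately followed by the "Follow Amazon's guide ..." paragraph with no permissions in between; as with the GCP section, this should not ship with an empty list, so either add the init-step permissions or remove the line until they are documented.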
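Review bot: In the config.md hunks (`@@ -82,14 +82,7 @@`, `@@ -112,18 +105,7 @@`, `@@ -138,28 +120,7 @@`), every replacement links to `../getting-started/install.md#set-up-cloud-credentials`, but no heading with that slug appears in the install.md hunks of this patch; verify the anchor resolves, since a broken anchor would leave readers of the `constellation iam create` steps with no permission reference at all after the inline lists are removed.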
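Review bot: In the AWS hunk of config.md (`@@ -138,28 +120,7 @@`), the explicit list of nineteen `iam:*` actions (e.g. `iam:PassRole`, `iam:CreateInstanceProfile`, `iam:AddRoleToInstanceProfile`) is deleted, while the corresponding install.md hunk only rewords the intro sentence above the existing JSON policy and does not visibly add these actions; check that the JSON policy already covers each removed action, otherwise this information is lost rather than moved.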