From e51f38ded12a5ffd27c2814a77517cc2c765c44b Mon Sep 17 00:00:00 2001 From: Jared Hocutt Date: Thu, 28 Sep 2023 20:12:38 -0400 Subject: [PATCH] Create IAM user for install and add permissions to default role Signed-off-by: Jared Hocutt --- hack/cloudformation.yaml | 24 ++++++++++++++++++++++++ 1 file changed, 24 insertions(+) diff --git a/hack/cloudformation.yaml b/hack/cloudformation.yaml index 80f8c85..7f0c585 100644 --- a/hack/cloudformation.yaml +++ b/hack/cloudformation.yaml @@ -290,6 +290,7 @@ Resources: DefaultInstanceRole: Type: AWS::IAM::Role + DependsOn: InstallIamUser Properties: RoleName: !Sub ${AWS::StackName}-default-role AssumeRolePolicyDocument: @@ -324,9 +325,15 @@ Resources: - - "arn:aws:s3:::" - !If [GenerateS3BucketName, !Sub "ocp4-disconnected-${AWS::AccountId}-${AWS::Region}", !Ref S3TransferBucketName] - "/*" + - Effect: Allow + Action: + - iam:CreateAccessKey + Resource: + - !GetAtt InstallIamUser.Arn - Effect: Allow Action: - cloudformation:DescribeStacks + - ec2:DescribeSubnets Resource: "*" DefaultInstanceProfile: @@ -337,6 +344,19 @@ Resources: Roles: - !Ref DefaultInstanceRole + InstallIamUser: + Type: AWS::IAM::User + Properties: + UserName: !Sub ${AWS::StackName}-install-user + Policies: + - PolicyName: AdministratorAccess + PolicyDocument: + Version: "2012-10-17" + Statement: + - Effect: Allow + Action: "*" + Resource: "*" + ############################################################################# # NAT Instance ############################################################################# @@ -732,3 +752,7 @@ Outputs: HighSideInstancePrivateIp: Description: A reference to the private IP to the High Side instance Value: !GetAtt HighSideInstance.PrivateIp + + InstallIamUser: + Description: A reference to the IAM User to use for installing OpenShift + Value: !Ref InstallIamUser
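Review bot: The `DependsOn: InstallIamUser` added to DefaultInstanceRole is redundant: the same role's policy now references `!GetAtt InstallIamUser.Arn`, and CloudFormation already derives creation order from that intrinsic reference. The explicit DependsOn adds nothing and is one more line to keep in sync if the GetAtt is later removed or moved. Either drop it, or keep it with a comment stating why the explicit ordering is wanted, e.g. `# explicit ordering: keep even if the GetAtt below is refactored away`. The DefaultInstanceRole resource continues outside the hunk.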
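Review bot: The new statement granting `iam:CreateAccessKey` on InstallIamUser makes DefaultInstanceRole an effective administrator, since anything running on that instance (or anyone who can read its metadata credentials) can mint long-lived keys for a user that the same patch gives `Action: "*"` on `Resource: "*"`; that escalation path deserves an explicit comment at the statement so it is not copied elsewhere, e.g. `# grants the instance the ability to mint admin credentials - treat this role as admin`. The statement also allows creation but not inspection or cleanup: IAM permits at most two access keys per user, so a second bootstrap run would fail until someone deletes keys by hand, and the keys themselves would outlive the instance. Consider adding `- iam:ListAccessKeys` and `- iam:DeleteAccessKey` to the same Action list so the bootstrap can rotate and remove what it created. `ec2:DescribeSubnets` on `"*"` is fine, as Describe calls do not support resource-level scoping. The enclosing policy document starts before the hunk.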
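Review bot: InstallIamUser is a long-lived IAM user with an inline `Action: "*"` / `Resource: "*"` policy, which is full account administrator with no boundary; the OpenShift installer's required permission set is documented and finite, so the policy should be scoped to it, or at minimum a `PermissionsBoundary` should be set so keys minted from this user cannot grow beyond the installer's needs. If full admin is genuinely intended, referencing the AWS managed policy via `ManagedPolicyArns:` / `- arn:aws:iam::aws:policy/AdministratorAccess` states that more honestly than an inline wildcard policy that merely borrows the name `AdministratorAccess`. Separately, the access keys created at runtime by DefaultInstanceRole are not managed by this template, so stack deletion will presumably fail on this resource until those keys are removed (CloudFormation cannot delete a user that still has access keys); a comment such as `# keys minted by DefaultInstanceRole are not stack-managed; delete them before deleting the stack` would save the next operator a surprise.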