Skip to content

Latest commit

 

History

History
98 lines (84 loc) · 3.44 KB

3.4-AWSFederatedRole.md

File metadata and controls

98 lines (84 loc) · 3.44 KB

3.4 AWSFederatedRole

3.4.1 AWSFederatedRole CR

The AWSFederatedRole CR contains a definition of the desired AWS Role, with both managed and custom Policies included

apiVersion: aws.managed.openshift.io/v1alpha1
kind: AWSFederatedRole
metadata:
  name: example-role
  namespace: aws-account-operator
spec:
  roleDisplayName: Example Role
  roleDescription: This is an example Role
  # Custom Policy definition
  awsCustomPolicy:
    name:  ExampleCustomPolicy
    description: Description of Example Custom Policy
    # list of statements for the policy
    awsStatements:
      - effect: Allow
        action:
        - "aws-portal:ViewAccount"
        - "aws-portal:ViewBilling"
        resource:
        - "*"
  # list of  AWS managed
  awsManagedPolicies:
   - "AWSAccountUsageReportAccess"
   - "AmazonEC2ReadOnlyAccess"
   - "AmazonS3ReadOnlyAccess"
   - "IAMReadOnlyAccess"

3.4.2 AWSFederatedRole Controller

The AWSFederatedRole controller is triggered when an AWSFederatedRole is created in any namespace. It is responsible for the following behaviors:

  1. Building AWS Policy Doc from Role definition in the spec.
  2. Attempting to validate the Role in AWS by creating the Role, and deleting it if successful.
  3. Setting the status to Valid or Failed.
  4. If the status is Valid or Failed, stop all reconciling.
  5. If an AWSFederatedRole is deleted, cleaning up any instances of the Role in AWS by cleaning up any AWSFederatedAccountAccesses using the AWSFederatedRole.
  6. If an AWSFederatedRole is updated, triggering an update for any AWSFederatedAccountAccess instances of that role.

Constants and Globals

None

Spec

spec:
  roleDisplayName: Example Role
  roleDescription: This is an example Role
  # Custom Policy definition
  awsCustomPolicy:
    name:  ExampleCustomPolicy
    description: Description of Example Custom Policy
    # list of statements for the policy
    awsStatements:
      - effect: Allow
        action:
        - "aws-portal:ViewAccount"
        - "aws-portal:ViewBilling"
        resource:
        - "*"
  # list of  AWS managed
  awsManagedPolicies:
   - "AWSAccountUsageReportAccess"
   - "AmazonEC2ReadOnlyAccess"## 2.2 Account
   - "AmazonS3ReadOnlyAccess"
   - "IAMReadOnlyAccess"
  • roleDisplayName is a human-readable name for the Role.
  • roleDescription is a human-readable description of what the Role does.
  • awsCustomPolicy is a representation of an AWS Policy to be created as part of the Role. It contains a Policy name, a description, and a list of AWS Statements which Allow or Deny specific actions on specific resources.
  • awsManagedPolicies is a list of AWS pre-defined policies to add to the Role.

Status

  conditions:
  - lastProbeTime: {Time Stamp}
    lastTransitionTime: {Time Stamp}
    message: All managed and custom policies are validated
    reason: AllPoliciesValid
    status: "True"
    type: Valid
  state: Valid
  • conditions indicates the last states the AWSFederatedRole had and supporting details. In general, for AWSFederatedRoles, only one condition is expected, and it should match the state.
  • state is the current state of the CR. Possible values are Valid and Failed.

Metrics

None