-
Notifications
You must be signed in to change notification settings - Fork 9
/
Copy pathfence_aws_credentials_request.yaml
45 lines (45 loc) · 1.35 KB
/
fence_aws_credentials_request.yaml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
# similar to https://github.com/openshift/machine-api-operator/blob/master/install/0000_30_machine-api-operator_00_credentials-request.yaml#L1-L6
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
name: openshift-aws-cloud-fencing
namespace: openshift-cloud-credential-operator
spec:
serviceAccountNames:
- fence-agents-remediation-controller-manager
secretRef:
name: aws-cloud-fencing-credentials-secret
namespace: openshift-operators
providerSpec:
apiVersion: cloudcredential.openshift.io/v1
kind: AWSProviderSpec
# https://github.com/openshift/cloud-credential-operator/blob/master/pkg/apis/cloudcredential/v1/types_aws.go
statementEntries:
- action:
- ec2:StartInstances
- ec2:StopInstances
- ec2:DescribeImages
- ec2:DescribeInstances
- ec2:RunInstances
- ec2:TerminateInstances
- iam:PassRole
- iam:CreateServiceLinkedRole
effect: Allow
resource: "*"
- action:
- kms:Decrypt
- kms:Encrypt
- kms:GenerateDataKey
- kms:GenerateDataKeyWithoutPlainText
- kms:DescribeKey
effect: Allow
resource: '*'
- action:
- kms:RevokeGrant
- kms:CreateGrant
- kms:ListGrants
effect: Allow
resource: '*'
policyCondition:
"Bool":
"kms:GrantIsForAWSResource": true