

This page is a machine translation of the English version. Where the content is ambiguous or inconsistent, the English version takes precedence.

# ROSA identity-based policy examples
<a name="security-iam-id-based-policy-examples"></a>

By default, IAM users and roles don't have permission to create or modify AWS resources. They also can't perform tasks using the AWS Management Console, AWS CLI, or AWS API. An IAM administrator must create IAM policies that grant users and roles permission to perform specific API operations on the resources they need. The administrator must then attach those policies to the IAM users or groups that require the permissions.

To learn how to create an IAM identity-based policy using these example JSON policy documents, see [Creating policies on the JSON tab](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-json-editor) in the *IAM User Guide*.

## Using the ROSA console
<a name="security-iam-id-based-policy-examples-console"></a>

To subscribe to ROSA from the console, your IAM principal must have the required AWS Marketplace permissions. These permissions allow the principal to subscribe to and unsubscribe from the ROSA product listing in AWS Marketplace, and to view AWS Marketplace subscriptions. To add the required permissions, go to the [ROSA console](https://console.aws.amazon.com/rosa) and attach the `ROSAManageSubscription` AWS managed policy to your IAM principal. For information about `ROSAManageSubscription`, see [AWS managed policy: ROSAManageSubscription](security-iam-awsmanpol.md#security-iam-awsmanpol-rosamanagesubscription).

## Allowing ROSA with HCP to manage AWS resources
<a name="security-iam-id-based-policy-examples-rosa-hcp-aws-managed"></a>

ROSA with hosted control planes (HCP) uses AWS managed policies that carry the permissions required for service operation and support. You can attach these policies to the service roles in your AWS account using the ROSA CLI or the IAM console.

For more information, see [AWS managed policies for ROSA](security-iam-awsmanpol.md).

## Allowing ROSA classic to manage AWS resources
<a name="security-iam-id-based-policy-examples-rosa-classic-customer-managed"></a>

ROSA classic uses customer managed IAM policies whose permissions are predefined by the service. You can use the ROSA CLI to create these policies and attach them to the service roles in your AWS account. ROSA requires these policies to be configured exactly as the service defines them to ensure continued operation and service support.

**Note**  
You shouldn't modify the ROSA classic policies without first consulting Red Hat. Doing so may void Red Hat's 99.95% cluster uptime service level agreement. ROSA with hosted control planes uses AWS managed policies with a more limited set of permissions. For more information, see [AWS managed policies for ROSA](security-iam-awsmanpol.md).

There are two types of customer managed policies for ROSA: account policies and operator policies. Account policies are attached to the IAM roles the service uses to establish a trust relationship with Red Hat for site reliability engineer (SRE) support, cluster creation, and compute functionality. Operator policies are attached to the IAM roles that OpenShift operators use for cluster operations related to ingress, storage, the image registry, and node management. Account policies are created once per AWS account, while operator policies are created once per cluster.

For more information, see [ROSA classic account policies](security-iam-rosa-classic-account-policies.md) and [ROSA classic operator policies](security-iam-rosa-classic-operator-policies.md).
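Because ROSA classic requires these policies to match the service's definition, a practical control is to diff the policy document deployed in the account against the published one rather than eyeballing long action lists. The following Python is an added example, not part of the ROSA documentation or the rosa CLI. It compares actions per statement (a statement is identified by its Effect, Resource list and Condition block), so an action that kept its name but lost its Condition is reported as missing from the conditioned statement and added to an unconditioned one. `EXPECTED` is condensed from the documents on this page; `DEPLOYED` is a constructed sample that has drifted.

```python
"""Report drift between a ROSA classic policy as published and as deployed.

Added example, not part of ROSA or the rosa CLI. In practice the deployed
document is fetched with
`aws iam get-policy-version --policy-arn <arn> --version-id <id>`.
"""
import json
from typing import Dict, Set, Tuple

StatementKey = Tuple[str, str, str]   # (Effect, sorted Resources, canonical Condition)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _statement_key(stmt: dict) -> StatementKey:
    effect = stmt.get("Effect", "Allow")
    resources = ",".join(sorted(_as_list(stmt.get("Resource", []))))
    condition = json.dumps(stmt.get("Condition", {}), sort_keys=True)
    return effect, resources, condition


def normalize(policy: dict) -> Dict[StatementKey, Set[str]]:
    """Collapse a policy into {statement key: set of actions}. Ordering
    differences and duplicate actions (the installer policy lists
    s3:GetReplicationConfiguration twice) disappear here."""
    out: Dict[StatementKey, Set[str]] = {}
    for stmt in _as_list(policy["Statement"]):
        out.setdefault(_statement_key(stmt), set()).update(_as_list(stmt.get("Action", [])))
    return out


def diff_policies(expected: dict, deployed: dict) -> Dict[str, list]:
    """Actions and statements present in one document but not the other."""
    exp, dep = normalize(expected), normalize(deployed)
    report: Dict[str, list] = {"missing": [], "added": [],
                               "statements_missing": [], "statements_added": []}
    for key, actions in exp.items():
        if key not in dep:
            report["statements_missing"].append(key)
            report["missing"].extend(sorted(actions))
        else:
            report["missing"].extend(sorted(actions - dep[key]))
            report["added"].extend(sorted(dep[key] - actions))
    for key, actions in dep.items():
        if key not in exp:
            report["statements_added"].append(key)
            report["added"].extend(sorted(actions))
    return report


def has_drift(report: Dict[str, list]) -> bool:
    return bool(report["missing"] or report["added"])


# Condensed from this page: the Worker policy plus the installer's
# tag-scoped Secrets Manager statement.
EXPECTED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeInstances", "ec2:DescribeRegions"],
         "Effect": "Allow", "Resource": "*"},
        {"Action": ["secretsmanager:GetSecretValue"], "Effect": "Allow",
         "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}},
    ],
}

# Constructed drifted copy: DescribeRegions dropped, TerminateInstances added,
# and GetSecretValue folded into the unconditioned statement (tag scope lost).
DEPLOYED = {
    "Version": "2012-10-17",
    "Statement": [
        {"Action": ["ec2:DescribeInstances", "ec2:TerminateInstances",
                    "secretsmanager:GetSecretValue"],
         "Effect": "Allow", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    print(json.dumps(diff_policies(EXPECTED, DEPLOYED), indent=2))
```

Run against the real account by replacing `DEPLOYED` with the document returned by `aws iam get-policy-version` for each `[Prefix]-*-Role-Policy`; any non-empty `missing` or `added` list is a reason to involve Red Hat before proceeding, since the note above makes the SLA conditional on the policies staying as defined.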

## Allow users to view their own permissions
<a name="security-iam-id-based-policy-examples-view-own-permissions"></a>

This example shows how you might create a policy that allows IAM users to view the inline and managed policies attached to their user identity. The policy includes permissions to complete this action on the console or programmatically using the AWS CLI or AWS API.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetUserPolicy",
                "iam:ListGroupsForUser",
                "iam:ListAttachedUserPolicies",
                "iam:ListUserPolicies",
                "iam:GetUser"
            ],
            "Effect": "Allow",
            "Resource": ["arn:aws:iam::*:user/${aws:username}"]
        },
        {
            "Action": [
                "iam:GetGroupPolicy",
                "iam:GetPolicyVersion",
                "iam:GetPolicy",
                "iam:ListAttachedGroupPolicies",
                "iam:ListGroupPolicies",
                "iam:ListPolicyVersions",
                "iam:ListPolicies",
                "iam:ListUsers"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

# ROSA classic account policies
<a name="security-iam-rosa-classic-account-policies"></a>

This section provides details about the account policies required by ROSA classic. ROSA classic needs these permissions to manage the AWS resources the cluster runs on and to enable Red Hat site reliability engineering support for the cluster. You can assign a custom prefix to the policy names, but the policies should otherwise be named as defined on this page (for example, `ManagedOpenShift-Installer-Role-Policy`).

Account policies are specific to an OpenShift minor release and are backward compatible. Before you create or upgrade a cluster, run `rosa list account-roles` to verify that the policy version and the cluster version match. If the policy version is lower than the cluster version, run `rosa upgrade account-roles` to upgrade the roles and the attached policies. You can use the same account policies and roles for multiple clusters of the same minor release.
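The pre-flight check described above (roles present under the prefix, each carrying its `[Prefix]-<Type>-Role-Policy`, policy version not below the cluster's minor release) can be scripted against an inventory of the account's roles. The following Python is an added example, not part of the rosa CLI. The inventory is a constructed sample; in practice it is assembled from `aws iam list-roles`, `aws iam list-attached-role-policies` and `aws iam list-role-tags`. The tag key `rosa_openshift_version` is an assumption made for this example, not something this page states. The one detail worth the code is the version comparison: minor releases must be compared as integers, because as strings "4.9" sorts above "4.14".

```python
"""Pre-flight check for ROSA classic account roles before cluster create/upgrade.

Added example, not part of ROSA or the rosa CLI. ROSA_VERSION_TAG is an
assumed tag key used for illustration.
"""
from typing import Dict, List, Tuple

ROLE_TYPES = ("Installer", "ControlPlane", "Worker", "Support")
ROSA_VERSION_TAG = "rosa_openshift_version"   # assumed tag key, not taken from this page


def expected_account_roles(prefix: str) -> Dict[str, str]:
    """Role name -> policy name, following the [Prefix]-<Type>-Role convention."""
    return {f"{prefix}-{t}-Role": f"{prefix}-{t}-Role-Policy" for t in ROLE_TYPES}


def minor_release(version: str) -> Tuple[int, int]:
    """'4.14.8' -> (4, 14). Compared as integers so that 4.9 sorts below 4.10;
    a plain string comparison would get that backwards."""
    major, minor = version.split(".")[:2]
    return int(major), int(minor)


def check_account_roles(prefix: str, cluster_version: str,
                        inventory: Dict[str, dict]) -> List[str]:
    """Return human-readable findings; an empty list means the roles are ready.

    inventory maps role name -> {"policies": [attached policy names],
                                 "tags": {tag key: value}}.
    """
    findings: List[str] = []
    target = minor_release(cluster_version)
    for role, policy in expected_account_roles(prefix).items():
        entry = inventory.get(role)
        if entry is None:
            findings.append(f"{role}: role does not exist (run 'rosa create account-roles')")
            continue
        if policy not in entry.get("policies", []):
            findings.append(f"{role}: {policy} is not attached")
        tagged = entry.get("tags", {}).get(ROSA_VERSION_TAG)
        if tagged is None:
            findings.append(f"{role}: no {ROSA_VERSION_TAG} tag, cannot verify version")
        elif minor_release(tagged) < target:
            findings.append(f"{role}: policy version {tagged} is below cluster "
                            f"{cluster_version} (run 'rosa upgrade account-roles')")
    return findings


# Constructed inventory: one role on an old release, one without its policy,
# and the Support role absent altogether.
INVENTORY = {
    "ManagedOpenShift-Installer-Role": {
        "policies": ["ManagedOpenShift-Installer-Role-Policy"],
        "tags": {ROSA_VERSION_TAG: "4.14"}},
    "ManagedOpenShift-ControlPlane-Role": {
        "policies": ["ManagedOpenShift-ControlPlane-Role-Policy"],
        "tags": {ROSA_VERSION_TAG: "4.9"}},
    "ManagedOpenShift-Worker-Role": {
        "policies": [],
        "tags": {ROSA_VERSION_TAG: "4.14"}},
}

if __name__ == "__main__":
    for finding in check_account_roles("ManagedOpenShift", "4.14.8", INVENTORY):
        print(finding)
```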

## [Prefix]-Installer-Role-Policy
<a name="security-iam-id-based-policy-examples-rosa-classic-installer-policy"></a>

You can attach `[Prefix]-Installer-Role-Policy` to your IAM entities. Before you create a ROSA classic cluster, you must attach this policy to an IAM role named `[Prefix]-Installer-Role`. This policy grants the permissions required for the ROSA installer to manage the AWS resources needed to create a cluster.

### Permissions policy
<a name="installer-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AttachNetworkInterface",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CopyImage",
                "ec2:CreateDhcpOptions",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateNetworkInterface",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeregisterImage",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstanceCreditSpecifications",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePrefixLists",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeRouteTables",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcs",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:GetConsoleOutput",
                "ec2:GetEbsDefaultKmsKeyId",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:ReleaseAddress",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:TagInstanceProfile",
                "iam:GetRole",
                "iam:GetRolePolicy",
                "iam:GetUser",
                "iam:ListAttachedRolePolicies",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:ListRolePolicies",
                "iam:ListRoles",
                "iam:ListUserPolicies",
                "iam:ListUsers",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:SimulatePrincipalPolicy",
                "iam:TagRole",
                "iam:UntagRole",
                "route53:ChangeResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:CreateHostedZone",
                "route53:DeleteHostedZone",
                "route53:GetAccountLimit",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:ListTagsForResource",
                "route53:UpdateHostedZoneComment",
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:DeleteObject",
                "s3:DeleteObjectVersion",
                "s3:GetAccelerateConfiguration",
                "s3:GetBucketAcl",
                "s3:GetBucketCORS",
                "s3:GetBucketLocation",
                "s3:GetBucketLogging",
                "s3:GetBucketObjectLockConfiguration",
                "s3:GetBucketPolicy",
                "s3:GetReplicationConfiguration",
                "s3:GetBucketRequestPayment",
                "s3:GetBucketTagging",
                "s3:GetBucketVersioning",
                "s3:GetBucketWebsite",
                "s3:GetEncryptionConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetObject",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:GetObjectVersion",
                "s3:GetReplicationConfiguration",
                "s3:ListBucket",
                "s3:ListBucketVersions",
                "s3:PutBucketAcl",
                "s3:PutBucketTagging",
                "s3:PutBucketVersioning",
                "s3:PutEncryptionConfiguration",
                "s3:PutObject",
                "s3:PutObjectAcl",
                "s3:PutObjectTagging",
                "servicequotas:GetServiceQuota",
                "servicequotas:ListAWSDefaultServiceQuotas",
                "sts:AssumeRole",
                "sts:AssumeRoleWithWebIdentity",
                "sts:GetCallerIdentity",
                "tag:GetResources",
                "tag:UntagResources",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:DeleteVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcEndpointServices",
                "ec2:ModifyVpcEndpointServicePermissions",
                "kms:DescribeKey",
                "cloudwatch:GetMetricData"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "secretsmanager:GetSecretValue"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "aws:ResourceTag/red-hat-managed": "true"
                }
            }
        }
    ]
}
```

## [Prefix]-ControlPlane-Role-Policy
<a name="security-iam-id-based-policy-examples-rosa-classic-control-plane-policy"></a>

You can attach `[Prefix]-ControlPlane-Role-Policy` to your IAM entities. Before you create a ROSA classic cluster, you must attach this policy to an IAM role named `[Prefix]-ControlPlane-Role`. This policy grants ROSA classic the permissions required to manage the Amazon EC2 and Elastic Load Balancing resources that host the ROSA control plane, and to read KMS keys.

### Permissions policy
<a name="control-plane-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteVolume",
                "ec2:Describe*",
                "ec2:DetachVolume",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifyVolume",
                "ec2:RevokeSecurityGroupIngress",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:Describe*",
                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-Worker-Role-Policy
<a name="security-iam-id-based-policy-examples-rosa-classic-worker-policy"></a>

You can attach `[Prefix]-Worker-Role-Policy` to your IAM entities. Before you create a ROSA classic cluster, you must attach this policy to an IAM role named `[Prefix]-Worker-Role`. This policy grants ROSA classic the permissions required to describe the EC2 instances running as worker nodes.

### Permissions policy
<a name="worker-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeRegions"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-Support-Role-Policy
<a name="security-iam-id-based-policy-examples-rosa-classic-support-policy"></a>

You can attach `[Prefix]-Support-Role-Policy` to your IAM entities. Before you create a ROSA classic cluster, you must attach this policy to an IAM role named `[Prefix]-Support-Role`. This policy grants the permissions that Red Hat site reliability engineering requires to observe, diagnose, and support the AWS resources a ROSA classic cluster uses, including the ability to change the state of cluster nodes.

### Permissions policy
<a name="support-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudtrail:DescribeTrails",
                "cloudtrail:LookupEvents",
                "cloudwatch:GetMetricData",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "ec2:CopySnapshot",
                "ec2:CreateNetworkInsightsPath",
                "ec2:CreateSnapshot",
                "ec2:CreateSnapshots",
                "ec2:CreateTags",
                "ec2:DeleteNetworkInsightsAnalysis",
                "ec2:DeleteNetworkInsightsPath",
                "ec2:DeleteTags",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAddressesAttribute",
                "ec2:DescribeAggregateIdFormat",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeByoipCidrs",
                "ec2:DescribeCapacityReservations",
                "ec2:DescribeCarrierGateways",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeClientVpnAuthorizationRules",
                "ec2:DescribeClientVpnConnections",
                "ec2:DescribeClientVpnEndpoints",
                "ec2:DescribeClientVpnRoutes",
                "ec2:DescribeClientVpnTargetNetworks",
                "ec2:DescribeCoipPools",
                "ec2:DescribeCustomerGateways",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeEgressOnlyInternetGateways",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:DescribeIdentityIdFormat",
                "ec2:DescribeIdFormat",
                "ec2:DescribeImageAttribute",
                "ec2:DescribeImages",
                "ec2:DescribeInstanceAttribute",
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeIpv6Pools",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeLaunchTemplates",
                "ec2:DescribeLocalGatewayRouteTables",
                "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
                "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
                "ec2:DescribeLocalGateways",
                "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
                "ec2:DescribeLocalGatewayVirtualInterfaces",
                "ec2:DescribeManagedPrefixLists",
                "ec2:DescribeNatGateways",
                "ec2:DescribeNetworkAcls",
                "ec2:DescribeNetworkInsightsAnalyses",
                "ec2:DescribeNetworkInsightsPaths",
                "ec2:DescribeNetworkInterfaces",
                "ec2:DescribePlacementGroups",
                "ec2:DescribePrefixLists",
                "ec2:DescribePrincipalIdFormat",
                "ec2:DescribePublicIpv4Pools",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeRouteTables",
                "ec2:DescribeScheduledInstances",
                "ec2:DescribeSecurityGroupReferences",
                "ec2:DescribeSecurityGroupRules",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSnapshotAttribute",
                "ec2:DescribeSnapshots",
                "ec2:DescribeSpotFleetInstances",
                "ec2:DescribeStaleSecurityGroups",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeTransitGatewayAttachments",
                "ec2:DescribeTransitGatewayConnectPeers",
                "ec2:DescribeTransitGatewayConnects",
                "ec2:DescribeTransitGatewayMulticastDomains",
                "ec2:DescribeTransitGatewayPeeringAttachments",
                "ec2:DescribeTransitGatewayRouteTables",
                "ec2:DescribeTransitGateways",
                "ec2:DescribeTransitGatewayVpcAttachments",
                "ec2:DescribeVolumeAttribute",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DescribeVolumeStatus",
                "ec2:DescribeVpcAttribute",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcClassicLinkDnsSupport",
                "ec2:DescribeVpcEndpointConnectionNotifications",
                "ec2:DescribeVpcEndpointConnections",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeVpcEndpointServiceConfigurations",
                "ec2:DescribeVpcEndpointServicePermissions",
                "ec2:DescribeVpcEndpointServices",
                "ec2:DescribeVpcPeeringConnections",
                "ec2:DescribeVpcs",
                "ec2:DescribeVpnConnections",
                "ec2:DescribeVpnGateways",
                "ec2:GetAssociatedIpv6PoolCidrs",
                "ec2:GetConsoleOutput",
                "ec2:GetManagedPrefixListEntries",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2:GetTransitGatewayAttachmentPropagations",
                "ec2:GetTransitGatewayMulticastDomainAssociations",
                "ec2:GetTransitGatewayPrefixListReferences",
                "ec2:GetTransitGatewayRouteTableAssociations",
                "ec2:GetTransitGatewayRouteTablePropagations",
                "ec2:ModifyInstanceAttribute",
                "ec2:RebootInstances",
                "ec2:RunInstances",
                "ec2:SearchLocalGatewayRoutes",
                "ec2:SearchTransitGatewayMulticastGroups",
                "ec2:SearchTransitGatewayRoutes",
                "ec2:StartInstances",
                "ec2:StartNetworkInsightsAnalysis",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListenerCertificates",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeSSLPolicies",
                "elasticloadbalancing:DescribeTags",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "iam:GetRole",
                "iam:ListRoles",
                "kms:CreateGrant",
                "route53:GetHostedZone",
                "route53:GetHostedZoneCount",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "s3:GetBucketTagging",
                "s3:GetObjectAcl",
                "s3:GetObjectTagging",
                "s3:ListAllMyBuckets",
                "sts:DecodeAuthorizationMessage",
                "tiros:CreateQuery",
                "tiros:GetQueryAnswer",
                "tiros:GetQueryExplanation"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "s3:ListBucket"
            ],
            "Effect": "Allow",
            "Resource": [
                "arn:aws:s3:::managed-velero*",
                "arn:aws:s3:::*image-registry*"
            ]
        }
    ]
}
```
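The documents on this page rely on a few evaluation details that are easy to misjudge when reviewing them by hand: the `${aws:username}` variable in the view-own-permissions policy, the `ec2:Describe*` wildcard in the control plane policy, the installer's `secretsmanager:GetSecretValue` statement that applies only to resources tagged `red-hat-managed=true`, the support role's `s3:ListBucket` that is limited to `managed-velero*` and `*image-registry*` bucket ARNs, and the `Bool` condition on `kms:GrantIsForAWSResource` in the machine API operator policy. The following Python is an added example, not part of the ROSA documentation and not the IAM policy engine (which also applies SCPs, permission boundaries, resource-based and session policies). It evaluates requests against a policy condensed from those statements; the account ID, bucket names, secret ARN and request-context values are constructed.

```python
"""Evaluate a request against an identity-based policy document.

Added example covering only the subset used by the policies on this page:
Allow/Deny statements, '*' and '?' wildcards in Action and Resource, the
${aws:username} variable, and StringEquals / Bool conditions whose keys
come from the request context.
"""
import re
from typing import Dict, List


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern: str, value: str, ignore_case: bool = False) -> bool:
    """IAM-style match: '*' spans any characters (including ':' and '/'), '?' one.
    Action names are case-insensitive; resource ARNs are matched as written."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def _substitute(resource: str, ctx: Dict[str, str]) -> str:
    """Resolve ${key} policy variables from the request context. ${*}, ${?}
    and ${$} are IAM's escapes for those literal characters. An unresolved
    variable is left as-is, so it cannot match a real ARN."""
    def repl(m):
        key = m.group(1)
        return key if key in ("*", "?", "$") else ctx.get(key, m.group(0))
    return re.sub(r"\$\{([^}]+)\}", repl, resource)


def _condition_holds(condition: dict, ctx: Dict[str, str]) -> bool:
    """Every operator/key pair must hold. A key absent from the request
    context fails the condition (no ...IfExists handling here)."""
    for operator, pairs in condition.items():
        for key, wanted in pairs.items():
            have = ctx.get(key)
            if have is None:
                return False
            if operator == "StringEquals":
                if have not in [str(w) for w in _as_list(wanted)]:
                    return False
            elif operator == "Bool":
                if str(have).lower() != str(wanted).lower():
                    return False
            else:
                raise NotImplementedError(f"condition operator {operator}")
    return True


def evaluate(policy: dict, action: str, resource: str, ctx: Dict[str, str]) -> str:
    """Return 'Allow', 'Deny' (an explicit Deny matched) or 'ImplicitDeny'."""
    decision = "ImplicitDeny"
    for stmt in _as_list(policy["Statement"]):
        if not any(_wildcard_match(a, action, ignore_case=True)
                   for a in _as_list(stmt.get("Action", []))):
            continue
        resources: List[str] = [_substitute(r, ctx) for r in _as_list(stmt.get("Resource", []))]
        if not any(_wildcard_match(r, resource) for r in resources):
            continue
        if not _condition_holds(stmt.get("Condition", {}), ctx):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"          # an explicit deny overrides any allow
        decision = "Allow"
    return decision


# Condensed from this page's documents (one statement each from the
# view-own-permissions, control plane, support, installer and machine API policies).
SAMPLE = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["iam:GetUser", "iam:ListAttachedUserPolicies"],
         "Resource": ["arn:aws:iam::*:user/${aws:username}"]},
        {"Effect": "Allow", "Action": "ec2:Describe*", "Resource": "*"},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": ["arn:aws:s3:::managed-velero*", "arn:aws:s3:::*image-registry*"]},
        {"Effect": "Allow", "Action": "secretsmanager:GetSecretValue", "Resource": "*",
         "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}},
        {"Effect": "Allow", "Action": ["kms:CreateGrant", "kms:RevokeGrant", "kms:ListGrants"],
         "Resource": "*", "Condition": {"Bool": {"kms:GrantIsForAWSResource": True}}},
    ],
}

if __name__ == "__main__":
    # Constructed requests: the second fails because the variable resolves to
    # a different user, the last because the secret lacks the required tag.
    print(evaluate(SAMPLE, "iam:GetUser", "arn:aws:iam::123456789012:user/alice", {"aws:username": "alice"}))
    print(evaluate(SAMPLE, "iam:GetUser", "arn:aws:iam::123456789012:user/bob", {"aws:username": "alice"}))
    print(evaluate(SAMPLE, "s3:ListBucket", "arn:aws:s3:::my-bucket", {}))
    print(evaluate(SAMPLE, "secretsmanager:GetSecretValue",
                   "arn:aws:secretsmanager:us-east-1:123456789012:secret:example", {}))
```

For a decision the service will actually make, use `aws iam simulate-principal-policy`, which is the API the installer policy itself grants (`iam:SimulatePrincipalPolicy`); the point of the local version is to see which statement, variable or condition key is doing the work.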

# ROSA classic operator policies
<a name="security-iam-rosa-classic-operator-policies"></a>

This section provides details about the operator policies required by ROSA classic. You must attach these policies to the relevant operator roles before you create a ROSA classic cluster. Each cluster requires a unique set of operator roles.

These permissions are required to allow OpenShift operators to manage ROSA classic cluster nodes. You can assign a custom prefix to the policy names to simplify policy management (for example, `ManagedOpenShift-openshift-ingress-operator-cloud-credentials`).

## [Prefix]-openshift-ingress-operator-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-ingress-operator-policy"></a>

You can attach `[Prefix]-openshift-ingress-operator-cloud-credentials` to your IAM entities. This policy grants the Ingress Operator the permissions required to provision and manage load balancers and DNS configuration for external cluster access. The policy also allows the Ingress Operator to read and filter Route 53 resource tag values to discover hosted zones. For more information about the operator, see [OpenShift Ingress Operator](https://github.com/openshift/cluster-ingress-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="ingress-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "elasticloadbalancing:DescribeLoadBalancers",
                "route53:ListHostedZones",
                "route53:ListTagsForResources",
                "route53:ChangeResourceRecordSets",
                "tag:GetResources"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-csi-operator-policy"></a>

You can attach `[Prefix]-openshift-cluster-csi-drivers-ebs-cloud-credentials` to your IAM entities. This policy grants the Amazon EBS CSI Driver Operator the permissions required to install and maintain the Amazon EBS CSI driver on a ROSA classic cluster. For more information about the operator, see [aws-ebs-csi-driver-operator](https://github.com/openshift/aws-ebs-csi-driver-operator#aws-ebs-csi-driver-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="ebs-csi-driver-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:AttachVolume",
                "ec2:CreateSnapshot",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:DeleteSnapshot",
                "ec2:DeleteTags",
                "ec2:DeleteVolume",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeInstances",
                "ec2:DescribeSnapshots",
                "ec2:DescribeTags",
                "ec2:DescribeVolumes",
                "ec2:DescribeVolumesModifications",
                "ec2:DetachVolume",
                "ec2:EnableFastSnapshotRestores",
                "ec2:ModifyVolume"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-machine-api-aws-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-machine-config-operator-policy"></a>

You can attach `[Prefix]-openshift-machine-api-aws-cloud-credentials` to your IAM entities. This policy grants the Machine Config Operator the permissions required to describe, run, and terminate the Amazon EC2 instances managed as worker nodes. The policy also grants the permissions needed to encrypt worker node root volumes with AWS KMS keys. For more information about the operator, see [machine-config-operator](https://github.com/openshift/machine-config-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="machine-config-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:CreateTags",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeDhcpOptions",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeInternetGateways",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeRegions",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "iam:CreateServiceLinkedRole"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:Decrypt",
                "kms:Encrypt",
                "kms:GenerateDataKey",
                "kms:GenerateDataKeyWithoutPlainText",
                "kms:DescribeKey"
            ],
            "Effect": "Allow",
            "Resource": "*"
        },
        {
            "Action": [
                "kms:RevokeGrant",
                "kms:CreateGrant",
                "kms:ListGrants"
            ],
            "Effect": "Allow",
            "Resource": "*",
            "Condition": {
                "Bool": {
                    "kms:GrantIsForAWSResource": true
                }
            }
        }
    ]
}
```

## [Prefix]-openshift-cloud-credential-operator-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-cloud-credential-operator-policy"></a>

You can attach `[Prefix]-openshift-cloud-credential-operator-cloud-credentials` to your IAM entities. This policy grants the Cloud Credential Operator the permissions required to retrieve IAM user details, including access key IDs, attached inline policy documents, and the user's creation date, path, user ID, and Amazon Resource Name (ARN). For more information about the operator, see [cloud-credential-operator](https://github.com/openshift/cloud-credential-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="cloud-credential-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "iam:GetUser",
                "iam:GetUserPolicy",
                "iam:ListAccessKeys"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-image-registry-installer-cloud-credentials
<a name="security-iam-id-based-policy-examples-rosa-classic-image-registry-operator-policy"></a>

You can attach `[Prefix]-openshift-image-registry-installer-cloud-credentials` to your IAM entities. This policy grants the Image Registry Operator the permissions required to provision and manage resources for the image registry and its dependent services within a ROSA classic cluster, including Amazon S3. This is required so that the operator can install and maintain the internal registry of a ROSA classic cluster. For more information about the operator, see [Image Registry Operator](https://github.com/openshift/cluster-image-registry-operator#image-registry-operator) in the OpenShift GitHub documentation.

### Permissions policy
<a name="image-registry-operator-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "s3:CreateBucket",
                "s3:DeleteBucket",
                "s3:PutBucketTagging",
                "s3:GetBucketTagging",
                "s3:PutBucketPublicAccessBlock",
                "s3:GetBucketPublicAccessBlock",
                "s3:PutEncryptionConfiguration",
                "s3:GetEncryptionConfiguration",
                "s3:PutLifecycleConfiguration",
                "s3:GetLifecycleConfiguration",
                "s3:GetBucketLocation",
                "s3:ListBucket",
                "s3:GetObject",
                "s3:PutObject",
                "s3:DeleteObject",
                "s3:ListBucketMultipartUploads",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```

## [Prefix]-openshift-cloud-network-config-controller-cloud-cr
<a name="security-iam-id-based-policy-examples-rosa-classic-cloud-network-config-controller-policy"></a>

You can attach `[Prefix]-openshift-cloud-network-config-controller-cloud-cr` to your IAM entities. This policy grants the Cloud Network Config Controller Operator the permissions required to provision and manage networking resources used by the ROSA classic cluster networking overlay. The operator uses these permissions to manage the private IP addresses of the Amazon EC2 instances that are part of a ROSA classic cluster. For more information about the operator, see [cloud-network-config-controller](https://github.com/openshift/cloud-network-config-controller#cloud-network-config-controller-cncc) in the OpenShift GitHub documentation.

### Permissions policy
<a name="cloud-network-config-controller-permissions-policy"></a>

The permissions defined in this policy document specify which actions are allowed or denied.

```
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:UnassignPrivateIpAddresses",
                "ec2:AssignPrivateIpAddresses",
                "ec2:UnassignIpv6Addresses",
                "ec2:AssignIpv6Addresses",
                "ec2:DescribeSubnets",
                "ec2:DescribeNetworkInterfaces"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ]
}
```