Pivotal Knowledge Base


How to Configure an IAM User for Deploying PCF on AWS with Minimum Permissions


Pivotal Cloud Foundry (PCF) 1.6.x and greater


When creating a new PCF foundation on Amazon Web Services (AWS), it is suggested to create an Identity and Access Management (IAM) user with full permissions, so that cloud formation can do what it needs to install PCF. To limit the security risk, we need to apply a policy.


The increased security risk and the possibility that the automated process could be modified or interfered with by other AWS components that are not related to the PCF install or update are the reasons for applying this policy. 


The PCF installation with "full Admin privileges" should be reduced to "least privileged" by creating a new policy "PCFInstallationPolicy" with only the privileges required and then applying this policy to the IAM user or role.

In order to set up a policy, you first need to create an IAM user. Once your user is created, you can then apply a policy to limit their access. The recommended policy for this can be found here.

Additional Information




Powered by Zendesk