Pivotal Knowledge Base


How to configure an IAM user for deploying PCF on AWS with minimum permissions

Environment

Product: Pivotal Cloud Foundry (PCF)
Version: 1.6.x and greater

Purpose

When creating a new PCF foundation on Amazon Web Services (AWS), the usual guidance is to create an Identity and Access Management (IAM) user with full permissions so that AWS CloudFormation can do whatever the PCF installation requires. To limit the security risk, a restrictive policy should be applied to that user instead.

Cause

This policy is applied because a fully privileged IAM user increases the security risk, and because the automated installation could be modified or interfered with by other AWS components that are unrelated to the PCF install or update.

Procedure

The PCF installation, which normally runs with "full Admin privileges", should be reduced to "least privilege" by creating a new policy named "PCFInstallationPolicy" that contains only the privileges required, and then attaching that policy to the IAM user or role.

To set up the policy, first create an IAM user [1]. Once the user exists, apply a policy [2] to limit its access. The recommended policy document is the one linked in [2] below.
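Before attaching PCFInstallationPolicy, it is worth checking that the document you are about to apply really is scoped and has not silently kept the full-admin shape. The following is an added example and not part of the Pivotal article or of Pivotal's published policy document: it lints an IAM policy for statements that allow every action, or every action of a service, on every resource. The `FULL_ADMIN_POLICY` and `SCOPED_POLICY` documents are constructed placeholders; the action names and the bucket ARN in the scoped skeleton are illustrative only and must be replaced with the actions from the policy document referenced in [2].

```python
"""Lint an IAM policy document for admin-style grants before attaching it.

Added example, not part of the Pivotal article. The two policy documents
below are CONSTRUCTED placeholders; the real PCFInstallationPolicy actions
come from Pivotal's published policy document, not from this file.
"""
import json
from typing import Dict, List, Union

Statement = Dict[str, Union[str, List[str], dict]]


def _as_list(value: Union[str, List[str], None]) -> List[str]:
    """IAM lets Action/Resource be a string or a list; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def lint_policy(policy: dict) -> List[str]:
    """Return findings for over-broad Allow statements; [] means none found.

    Flags: "*" actions on "*" resources (the AdministratorAccess shape),
    "service:*" on "*" resources, and grants by exclusion (NotAction /
    NotResource), which hide what is actually permitted.
    """
    findings = []
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement object is also valid IAM JSON
        statements = [statements]
    for idx, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only narrow access
        sid = stmt.get("Sid", f"statement[{idx}]")
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt or "NotResource" in stmt:
            findings.append(f"{sid}: grants by exclusion (NotAction/NotResource); list what is allowed")
        if "*" in actions and "*" in resources:
            findings.append(f"{sid}: allows all actions on all resources (full admin)")
            continue
        for action in actions:
            if action.endswith(":*") and "*" in resources:
                findings.append(f"{sid}: allows every {action[:-2]} action on all resources")
    return findings


def policy_is_least_privilege(policy: dict) -> bool:
    """True when the linter reports no admin-style grants."""
    return not lint_policy(policy)


# Constructed 'before': the full-admin grant the article says to move away from.
FULL_ADMIN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Sid": "Admin", "Effect": "Allow", "Action": "*", "Resource": "*"}],
}

# Constructed 'after' skeleton. Actions and the bucket ARN are PLACEHOLDERS;
# substitute the actions from Pivotal's policy document.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "PCFInstallationPolicyPlaceholder",
            "Effect": "Allow",
            "Action": ["ec2:DescribeInstances", "ec2:RunInstances"],  # placeholder actions
            "Resource": "*",
        },
        {
            "Sid": "PCFBucketAccessPlaceholder",
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:PutObject"],
            "Resource": "arn:aws:s3:::EXAMPLE-PCF-BUCKET/*",  # placeholder bucket
        },
    ],
}


if __name__ == "__main__":
    for name, doc in (("full admin", FULL_ADMIN_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {lint_policy(doc) or 'no findings'}")
    # Emit the scoped document for use with `aws iam create-policy --policy-document file://...`
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Once the document passes the check, the standard AWS CLI sequence for the procedure above is `aws iam create-user --user-name <pcf-installer>`, `aws iam create-policy --policy-name PCFInstallationPolicy --policy-document file://PCFInstallationPolicy.json`, and `aws iam attach-user-policy --user-name <pcf-installer> --policy-arn <returned ARN>`; the user name and ARN are placeholders for your own values.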

Additional Information

[1] https://docs.pivotal.io/pivotalcf/customizing/pcf-aws-manual-config.html#pcfaws-iam-user

[2] https://docs.pivotal.io/pivotalcf/customizing/policy-doc.html
