From 3220e3bc20f33376535ccc71cd2967e73334f797 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 16:59:33 -0600 Subject: [PATCH 1/6] DOC-2297: draft cross-account IAM delegation for BYOC on AWS Rework the AWS IAM policies reference from cloudv2 source, add a cross-account deploy how-to and concept, plus a draft What's New entry. AWS-only, new clusters only (ENG-1139, targeted 26.2). Existing clusters keep the agent-based rpk cloud byoc apply model. - security: rebuild AWS section of iam-policies.adoc partial from instance_profile.tf (30 statements) into friendly, anchored sections with why-tables and collapsible Terraform; reframe for cross-account. GCP/Azure sections unchanged. - get-started: new cross-account-iam-aws.adoc how-to + nav entry - get-started: byoc-arch.adoc provisioning-models section + create-page cross-link TIP - get-started: draft What's New entry (do not publish before GA) Contains TODO(team)/TODO(eng) placeholders pending SME confirmation. Draft, not for merge. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/ROOT/nav.adoc | 1 + modules/get-started/pages/byoc-arch.adoc | 29 +- .../byoc/aws/create-byoc-cluster-aws.adoc | 6 + .../byoc/aws/cross-account-iam-aws.adoc | 72 + .../get-started/pages/whats-new-cloud.adoc | 6 + modules/security/partials/iam-policies.adoc | 1812 +++++++++++++---- 6 files changed, 1473 insertions(+), 453 deletions(-) create mode 100644 modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 78d6a9346..15069ecf6 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -11,6 +11,7 @@ ** xref:get-started:cluster-types/byoc/index.adoc[BYOC] *** xref:get-started:cluster-types/byoc/aws/index.adoc[AWS] **** xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[] +**** xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[] **** xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[] *** xref:get-started:cluster-types/byoc/azure/index.adoc[Azure] **** xref:get-started:cluster-types/byoc/azure/create-byoc-cluster-azure.adoc[] diff --git a/modules/get-started/pages/byoc-arch.adoc b/modules/get-started/pages/byoc-arch.adoc index 2a1dd7a8f..003b2c720 100644 --- a/modules/get-started/pages/byoc-arch.adoc +++ b/modules/get-started/pages/byoc-arch.adoc @@ -44,6 +44,33 @@ they have dedicated job queues in the control plane. Agents also manage VPC peer + image::shared:byoc_apply.png[cloud_byoc_apply] -NOTE: To create a Redpanda cluster in your virtual private cloud (VPC), follow the instructions in the Redpanda Cloud UI. The UI contains the parameters necessary to successfully run `rpk cloud byoc apply` with your cloud provider. +NOTE: To create a Redpanda cluster in your virtual private cloud (VPC), follow the instructions in the Redpanda Cloud UI. The UI contains the parameters necessary to successfully run `rpk cloud byoc apply` with your cloud provider. + +== Provisioning models on AWS + +// DOC-2297: cross-account IAM delegation (ENG-1139), 26.2, AWS only, new clusters only. +// TODO(team): confirm wording once the deploy workflow (ENG-1129) and external-ID +// handling (CIAINFRA-3970) are finalized. Do not publish before GA (2026-07-14). + +New BYOC clusters on AWS use *cross-account IAM delegation*. Instead of bootstrapping an agent VM in your account, you create an IAM role that Redpanda's control plane assumes to provision and reconcile your cluster. Redpanda runs the deployment for you, so you do not run `rpk cloud byoc aws apply`. This is the recommended model for new AWS clusters, and it lets you review, audit, and revoke Redpanda's access at any time. + +[cols="1,2,2", options="header"] +|=== +| | Cross-account IAM delegation | Agent-based provisioning + +| Applies to +| New BYOC clusters on AWS +| Existing clusters, and clusters on Azure and GCP + +| Who provisions +| Redpanda's control plane assumes a role you create +| An agent VM that runs in your account + +| How you start it +| Create a cross-account IAM role, then deploy from the Cloud UI +| Run `rpk cloud byoc apply` +|=== + +Cross-account IAM delegation applies only to new clusters on AWS. Migrating an existing cluster is not supported, and the agent-based model described above continues to apply to existing clusters and to clusters on Azure and GCP. To deploy a new AWS cluster with cross-account IAM delegation, see xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation]. For the permissions the role grants, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. include::get-started:partial$no-access.adoc[] \ No newline at end of file diff --git a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc index adf9ab19e..acf8804b1 100644 --- a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc +++ b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc @@ -6,6 +6,12 @@ To create a Redpanda cluster in your virtual private cloud (VPC), follow the ins NOTE: With standard BYOC clusters, Redpanda manages security policies and resources for your VPC, including subnetworks, service accounts, IAM roles, firewall rules, and storage buckets. For the highest level of security, you can manage these resources yourself with a xref:./vpc-byo-aws.adoc[BYOVPC cluster on AWS]. +// DOC-2297: point new-cluster users to cross-account IAM delegation. Confirm/finalize at GA (2026-07-14). +[TIP] +==== +New BYOC clusters on AWS can use xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[cross-account IAM delegation], where Redpanda provisions your cluster by assuming an IAM role you create, so you do not run `rpk cloud byoc aws apply`. The steps on this page describe the agent-based model, which still applies to existing clusters. See xref:get-started:byoc-arch.adoc#provisioning-models-on-aws[Provisioning models on AWS]. +==== + == Prerequisites Before you deploy a BYOC cluster on AWS, check that the user creating the cluster has the following prerequisites: diff --git a/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc new file mode 100644 index 000000000..6d3d10bed --- /dev/null +++ b/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc @@ -0,0 +1,72 @@ += Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation +:description: Create a cross-account IAM role that Redpanda assumes to provision and manage new BYOC clusters on AWS, without running rpk cloud byoc apply. +:page-aliases: deploy:deployment-option/cloud/cluster-types/byoc/aws/cross-account-iam-aws.adoc +:env-aws: true + +// ============================================================================ +// DOC-2297 DRAFT — cross-account IAM delegation (ENG-1139), 26.2, AWS only, new +// clusters only. Blocked on team answers before this can be finalized: +// TODO(team) 1: exact Cloud UI / deployment wizard steps (ENG-1129). +// TODO(team) 2: where the customer gets the role Terraform, and how it is delivered. +// TODO(team) 3: whether the external ID is shown in the UI before role creation, +// and the exact step ordering (CIAINFRA-3970). +// TODO(team) 4: exact role name and trust policy content. +// Do not publish until GA (targeted 2026-07-14) and the above are resolved. +// ============================================================================ + +With cross-account IAM delegation, you create an IAM role in your AWS account that Redpanda assumes to provision and reconcile your BYOC cluster. Redpanda runs the deployment for you, so you do not run `rpk cloud byoc aws apply` or host a provisioning agent in your account. This is the recommended way to deploy new BYOC clusters on AWS. + +[NOTE] +==== +* Cross-account IAM delegation applies to *new* BYOC clusters on *AWS* only. To deploy on Azure or GCP, or to manage a cluster you created before this feature was available, see xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS]. +* Migrating an existing cluster to cross-account IAM delegation is not supported. +* This page does not apply to xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[BYOVPC clusters]. +==== + +== How it works + +Instead of running a provisioning agent inside your AWS account, Redpanda's control plane assumes an IAM role that you own: + +. You create an IAM role in your AWS account using a Terraform configuration that Redpanda provides. The role has: ++ +-- +* A *permissions policy* that grants the access Redpanda needs to provision and manage your cluster. For the full list and an explanation of each permission, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +* A *trust policy* that allows only Redpanda's control plane to assume the role, scoped by a unique external ID. +-- +. Redpanda's control plane assumes the role using AWS Security Token Service (STS), presenting the external ID, and uses the granted permissions to provision, configure, and reconcile your cluster. + +Because Redpanda assumes a role you control, you can review and audit the exact permissions at any time, and you can revoke access by deleting the role. + +// TODO(team 4): confirm role name, session duration, and trust policy details before publishing. + +== Prerequisites + +* An AWS account with permission to create IAM roles and policies (for example, `AWSAdministratorAccess`). +* Terraform installed, or another way to apply the configuration Redpanda provides. TODO(team 2): confirm the supported tooling and where customers obtain the configuration. +* The external ID that Redpanda generates for your cross-account role. TODO(team 3): confirm where this is shown in the Cloud UI and whether it is available before role creation. + +== Create the cross-account role + +// TODO(team 2, 3): replace this section with the confirmed workflow once the +// Terraform delivery mechanism and external-ID ordering are known. + +. Log in to https://cloud.redpanda.com[Redpanda Cloud^]. +. Start creating a BYOC cluster on AWS and note the external ID that Redpanda generates for your cross-account role. TODO(team 3): confirm exact UI location. +. Apply the Redpanda-provided Terraform configuration in your AWS account to create the IAM role, its permissions policy, and its trust policy (scoped to the external ID from the previous step). TODO(team 2): add the configuration or a link to it. +. Provide the resulting role ARN to Redpanda in the Cloud UI. TODO(team 1): confirm the field and screen. + +== Create the cluster + +// TODO(team 1): align these steps with the deployment wizard (ENG-1129). + +. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. +. Enter a cluster name, then select the resource group, provider (AWS), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. +. Complete the network configuration. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] for details about the network options. +. Complete the deployment. Redpanda assumes your cross-account role and provisions the cluster. No agent runs in your account, and you do not run `rpk cloud byoc aws apply`. + +include::get-started:partial$no-access.adoc[] + +== Next steps + +* xref:security:authorization/cloud-iam-policies.adoc[Review the AWS IAM policies] that your cross-account role grants. +* xref:networking:byoc/aws/index.adoc[Configure private networking] diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 04e82d7c7..0e4de8946 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -8,6 +8,12 @@ This page lists new features added to Redpanda Cloud. == July 2026 +// DOC-2297 DRAFT entry (ENG-1139), 26.2, AWS only, new clusters only. Targeted GA 2026-07-14. +// TODO(team): confirm wording and links before publishing; do not publish before GA. +=== Cross-account IAM delegation for BYOC on AWS + +New BYOC clusters on AWS can now use cross-account IAM delegation. Instead of running `rpk cloud byoc aws apply` and hosting a provisioning agent in your account, you create an IAM role that Redpanda's control plane assumes to provision and reconcile your cluster. You control the role, so you can review, audit, and revoke Redpanda's access at any time. This model applies to new AWS clusters only; existing clusters and clusters on Azure and GCP continue to use agent-based provisioning. See xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. + === SQL editor in Redpanda Cloud Console Redpanda Cloud Console now includes a built-in SQL editor. For SQL-enabled environments, you can write and run `SELECT` queries against your Redpanda topics directly in the Console without installing a separate PostgreSQL client. The editor supports syntax highlighting, autocomplete, query history, and CSV and JSON export. For Iceberg-enabled topics, an indicator shows when results span both live topic data and Iceberg-committed history. To enable Redpanda SQL, see xref:sql:get-started/deploy-sql-cluster.adoc[Enable Redpanda SQL]. To use the editor, see xref:sql:query-data/sql-editor.adoc[Use the SQL Editor]. diff --git a/modules/security/partials/iam-policies.adoc b/modules/security/partials/iam-policies.adoc index b643f57f8..112b22cdc 100644 --- a/modules/security/partials/iam-policies.adoc +++ b/modules/security/partials/iam-policies.adoc @@ -1,527 +1,1435 @@ -ifdef::env-aws[] -When you run `rpk cloud byoc aws apply` to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the AWS API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users. +ifdef::env-aws[] +// ============================================================================ +// DOC-2297 EDITOR NOTES — resolve before merge, then delete this comment block. +// Rebuilt from cloudv2 apps/redpanda-agent/infra/aws/redpanda/agent/instance_profile.tf +// (30 statements across policy docs redpanda_agent, _agent1, _agent2, _agent3, _oxla). +// TODO(eng) items, confirm with Sarah Haskins / Dimitris Bachtis: +// 1. Does the cross-account (CloudProviderAccess) role grant this SAME permission +// set, or a separate/generated set? This page currently documents the agent +// provisioning policy as the source of truth. +// 2. Provide the customer trust-policy + role Terraform (external_id) for the +// "Cross-account role" section below (currently a placeholder). +// 3. Confirm which statements are feature-gated vs. always granted. Candidates: +// ElastiCache, RDS/Aurora (scoped to ai-gateway-*), Oxla (scoped to oxla-*). +// 4. Supply "why it is needed" text for every cell marked TODO(eng) (Denis's sheet). +// ============================================================================ +To deploy a new BYOC cluster on AWS, you create an IAM role in your AWS account that Redpanda assumes to provision and reconcile cluster resources on your behalf. This role grants the permissions listed on this page. The permissions follow the principle of least privilege: each is scoped to only the resources Redpanda provisions for your cluster. These permissions are _not_ required by Redpanda Cloud end users, and they do not grant human access to your cluster. [NOTE] ==== -* This page lists the IAM permissions Redpanda needs to create xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[BYOC clusters]. This does _not_ pertain to xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[BYOVPC clusters]. -* IAM permissions are not required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. -==== - -== AWS IAM policies - -IAM policies are assigned to deployed Redpanda agents for BYOC AWS -clusters that use the following AWS services: - -* https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/concepts.html[Amazon Elastic Compute Cloud (AWS EC2)^] -* https://aws.amazon.com/ec2/autoscaling/[Amazon Elastic Compute Cloud Auto Scaling (AWS EC2 Auto Scaling)^] -* https://docs.aws.amazon.com/AmazonS3/latest/userguide/Welcome.html[Amazon Simple Storage Service (AWS S3)^] -* https://aws.amazon.com/route53/[Amazon Route 53^] -* https://docs.aws.amazon.com/amazondynamodb/latest/developerguide/Introduction.html[Amazon DynamoDB^] - -=== Actions allowed with wildcard resources - -The following actions apply only to Redpanda agents with wildcard resources. - -.RedpandaAgentActionsOnlyAllowedWithWildcardResources -[,js,role=no-copy] ----- -statement { - sid = "RedpandaAgentActionsOnlyAllowedWithWildcardResources" - effect = "Allow" - actions = [ - "ec2:CreateTags", - "ec2:DescribeAccountAttributes", - "ec2:DescribeImages", - "ec2:DescribeInstances", - "ec2:DescribeInstanceTypes", - "ec2:CreateLaunchTemplate", - "ec2:CreateLaunchTemplateVersion", - "ec2:DescribeLaunchTemplateVersions", - "ec2:DescribeLaunchTemplates", - "iam:ListPolicies", - "iam:ListRoles", - "iam:GetOpenIDConnectProvider", - "iam:DeleteOpenIDConnectProvider", - "autoscaling:DescribeScalingActivities", - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeTags", - "autoscaling:DescribeTerminationPolicyTypes", - "autoscaling:DescribeInstanceRefreshes", - "autoscaling:DescribeLaunchConfigurations", - "iam:CreateServiceLinkedRole", - "ec2:CreatePlacementGroup", - "ec2:DeletePlacementGroup", - "ec2:DescribePlacementGroups", - "eks:DescribeNodegroup", - "eks:DeleteNodegroup" - ] - resources = [ - "*", - ] - } ----- - -=== Run in EC2 instances - -The following actions apply only to Redpanda agents running in AWS EC2 instances. - -.RedpandaAgentEC2RunInstances -[,js] ----- -statement { - sid = "RedpandaAgentEC2RunInstances" - effect = "Allow" - actions = [ - "ec2:RunInstances", - ] - resources = [ - "arn:aws:ec2:*:${local.aws_account_id}:instance/*", - "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*", - "arn:aws:ec2:*:${local.aws_account_id}:volume/*", - "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", - "arn:aws:ec2:*:${local.aws_account_id}:subnet/*", - "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*", - "arn:aws:ec2:*::image/*", - ] - } ----- - -=== Delete launch templates - -The following actions apply only to Redpanda agents deleting AWS launch templates. - -.RedpandaAgentEC2RunInstances -[,js] ----- -statement { - sid = "RedpandaAgentLaunchTemplateDeletion" - effect = "Allow" - actions = [ - "ec2:DeleteLaunchTemplate", - ] - resources = [ - "arn:aws:ec2:__:${local.aws_account_id}:launch-template/__", - ] - condition { - test = "StringEquals" - variable = "ec2:ResourceTag/redpanda-id" - values = [ - var.redpanda_id, - ] - } - } +* This page lists the permissions Redpanda needs to create and manage xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[BYOC clusters]. It does _not_ apply to xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[BYOVPC clusters]. +* Cross-account IAM delegation applies to *new* AWS BYOC clusters. Existing clusters continue to use the agent-based model, where the same permissions attach to a Redpanda agent that runs in your account after you run `rpk cloud byoc aws apply`. +==== + +// TODO(eng, item 1): confirm the cross-account role uses this exact permission set before publishing. + +== How to read this page + +Redpanda's provisioning policy is a set of scoped IAM statements. Below, statements are organized into functional groups (compute, networking, storage, identity, secrets, monitoring, and coordination state). Each statement lists the actions it allows and _why_ they are needed, the *resource scope* that constrains them, and the exact Terraform in a collapsible block. + +[cols="1,4", options="header"] +|=== +|Access level |Meaning +|Read |Describe, Get, or List actions. Cannot modify or delete resources. +|Write |Creates or modifies resources. +|Delete |Removes resources. +|Full |Service-wide (`+*+`) action, constrained by the statement's resource scope. See <>. +|=== + +[#aws-service-wide-actions] +== A note on service-wide actions + +A few statements use a service-wide action (`+*+`) rather than listing individual actions. In every case the action is constrained by the statement's resource scope, so the grant is not account-wide: + +[cols="2,3", options="header"] +|=== +|Action |Constrained to +|`+eks:*+` |A single EKS cluster and its add-ons and node groups: `cluster/redpanda-`, `+addon/redpanda-/*+`, `+nodegroup/redpanda-/*+`. +|`+s3:*+` |The cluster management bucket only. +|`+autoscaling:*+` |Auto Scaling groups named `+redpanda-*+` and `+redpanda-agent-*+`. +|=== + +== Compute and Kubernetes + +Provisions and operates the EKS cluster, EC2 nodes, launch templates, and Auto Scaling groups that run the Redpanda data plane. The service-wide actions here (`+eks:*+`, `+autoscaling:*+`) are each scoped to your cluster's resources. +=== Manage the EKS cluster + +*Scope:* Restricted to your cluster's EKS resources: `+arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}+`, its add-ons, and its node groups. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`+eks:*+` |Full |Required to manage the full lifecycle of the EKS cluster that hosts your Redpanda data plane, including cluster creation, upgrades, node group management, and decommissioning. Required to configure EKS add-ons, access entries, and identity mappings that Redpanda Cloud needs to operate the managed service. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentEKSCluster" + effect = "Allow" + actions = [ + "eks:*", + ] + resources = [ + "arn:aws:eks:*:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}", + "arn:aws:eks:*:${local.aws_account_id}:addon/redpanda-${var.redpanda_id}/*", + "arn:aws:eks:*:${local.aws_account_id}:nodegroup/redpanda-${var.redpanda_id}/*", + ] +} ---- +==== -=== Manage security groups +=== Read the EKS node group service-linked role + +*Scope:* Restricted to the AWS-managed service-linked role for EKS node groups: `arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup`. -The following actions apply only to Redpanda agents managing AWS security groups. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:GetRole` |Read |Required to read the AWS service-linked role that EKS uses to create managed node groups. Without it, node group creation fails with a permission error. +|=== -.RedpandaAgentSecurityGroups -[,js] +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentSecurityGroups" - effect = "Allow" - actions = [ - "ec2:AuthorizeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:CreateSecurityGroup", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupEgress", - "ec2:RevokeSecurityGroupIngress", - "ec2:UpdateSecurityGroupRuleDescriptionsIngress", - "ec2:UpdateSecurityGroupRuleDescriptionsEgress", - "ec2:ModifySecurityGroupRules", - ] - resources = [ - "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", - "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", - ] - } + sid = "RedpandaAgentEKSNodegroupRoleCreation" + effect = "Allow" + actions = [ + "iam:GetRole", + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:role/aws-service-role/eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup", + ] +} ---- +==== -=== Manage EKS clusters +=== Manage Auto Scaling groups -The following actions apply only to Redpanda agents managing Amazon Elastic -Kubernetes Service (Amazon EKS) clusters. +*Scope:* Restricted to Auto Scaling groups named for your cluster: `+arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*+` and `+.../redpanda-agent-${var.redpanda_id}*+`. -.RedpandaAgentEKSCluster -[,js] +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`+autoscaling:*+` |Full |Required to manage the full lifecycle of the Auto Scaling groups that provide compute capacity for your Redpanda cluster, including creating, scaling, updating, refreshing, and tearing down node groups. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentEKSCluster" - effect = "Allow" - actions = [ - "eks:__", - ] - resources = [ - "arn:aws:eks:__:${local.aws_account_id}:cluster/redpanda-${var.redpanda_id}", - ] - } + sid = "RedpandaAgentAutoscaling" + effect = "Allow" + actions = [ + "autoscaling:*", + ] + resources = [ + "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*", + "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*" + ] +} ---- +==== -=== Manage instance profiles +=== Read and tag Auto Scaling resources + +*Scope:* Account-wide (`+*+`). AWS does not allow these describe and tag actions to be constrained to specific resource ARNs. -The following actions apply only to Redpanda agents managing AWS instance profiles. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`autoscaling:DescribeScalingActivities` |Read |Required to monitor scaling activity for the Auto Scaling groups that back your Redpanda cluster's node groups. +|`autoscaling:DescribeAutoScalingGroups` |Read |Required to read the Auto Scaling groups that manage your Redpanda cluster's compute nodes. +|`autoscaling:DescribeTags` |Read |Required to read tags on the Auto Scaling groups managing your Redpanda cluster's nodes. +|`autoscaling:CreateOrUpdateTags` |Write |TODO(eng): confirm purpose. Tags Auto Scaling groups belonging to your Redpanda cluster. +|`autoscaling:DeleteTags` |Delete |TODO(eng): confirm purpose. Removes tags from your Redpanda cluster's Auto Scaling groups. +|`autoscaling:DescribeTerminationPolicyTypes` |Read |Required to configure appropriate node termination policies for your Redpanda cluster's Auto Scaling groups. +|`autoscaling:DescribeInstanceRefreshes` |Read |Required to monitor instance refresh operations during upgrades and rolling updates of your Redpanda cluster nodes. +|`autoscaling:DescribeLaunchConfigurations` |Read |Required to read the launch configurations associated with your Redpanda cluster's Auto Scaling groups. +|=== -.RedpandaAgentInstanceProfile -[,js] +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentInstanceProfile" - effect = "Allow" - actions = [ - "iam:AddRoleToInstanceProfile", - "iam:RemoveRoleFromInstanceProfile", - "iam:CreateInstanceProfile", - "iam:DeleteInstanceProfile", - "iam:GetInstanceProfile", - "iam:TagInstanceProfile", - ] - resources = [ - "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*", - "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*", - ] - } + sid = "RedpandaAgentAutoScaling" + effect = "Allow" + actions = [ + "autoscaling:DescribeScalingActivities", + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeTags", + "autoscaling:CreateOrUpdateTags", + "autoscaling:DeleteTags", + "autoscaling:DescribeTerminationPolicyTypes", + "autoscaling:DescribeInstanceRefreshes", + "autoscaling:DescribeLaunchConfigurations", + ] + resources = [ + "*", + ] +} ---- +==== -=== Create EKS OIDC providers +=== Launch EC2 instances -The following actions apply only to Redpanda agents creating and accessing AWS -EKS OIDC providers. +*Scope:* Restricted to EC2 instance, network interface, volume, security group, subnet, launch template, and image resources in your account. -.RedpandaAgentEKSOIDCProvider -[,js] +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:RunInstances` |Write |Required to provision the EC2 instances that run your Redpanda broker and worker nodes. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentEKSOIDCProvider" - effect = "Allow" - actions = [ - "iam:CreateOpenIDConnectProvider", - "iam:TagOpenIDConnectProvider", - "iam:UntagOpenIDConnectProvider", - ] - resources = [ - "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", - ] - } + sid = "RedpandaAgentEC2RunInstances" + effect = "Allow" + actions = [ + "ec2:RunInstances", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:instance/*", + "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*", + "arn:aws:ec2:*:${local.aws_account_id}:volume/*", + "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", + "arn:aws:ec2:*:${local.aws_account_id}:subnet/*", + "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*", + "arn:aws:ec2:*::image/*", + ] +} +---- +==== + +=== Manage launch templates + +*Scope:* Restricted to launch templates in your account: `+arn:aws:ec2:*:${local.aws_account_id}:launch-template/*+`, further restricted by a condition on the `redpanda-id` resource tag. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:DeleteLaunchTemplate` |Delete |Required to clean up launch templates when you decommission your Redpanda cluster. +|`ec2:ModifyLaunchTemplate` |Write |TODO(eng): confirm purpose. Updates launch templates for your Redpanda cluster's compute nodes. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- statement { - sid = "RedpandaAgentEKSOIDCProviderCACertThumbprintUpdate" - effect = "Allow" - actions = [ - "iam:UpdateOpenIDConnectProviderThumbprint", + sid = "RedpandaAgentLaunchTemplateDeletion" + effect = "Allow" + actions = [ + "ec2:DeleteLaunchTemplate", + "ec2:ModifyLaunchTemplate", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:launch-template/*", + ] + condition { + test = "StringEquals" + variable = "ec2:ResourceTag/redpanda-id" + values = [ + var.redpanda_id, ] - resources = [ - "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", - "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com/id/*", + } +} +---- +==== + +=== Terminate EC2 instances + +*Scope:* Account-wide (`+*+`), restricted by a condition on the `redpanda-id` resource tag so only instances belonging to your Redpanda cluster can be terminated. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:TerminateInstances` |Delete |TODO(eng): confirm purpose. Terminates EC2 instances tagged for your Redpanda cluster during scaling, node replacement, or decommissioning. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentTerminateInstances" + effect = "Allow" + actions = [ + "ec2:TerminateInstances", + ] + condition { + test = "StringEquals" + variable = "ec2:ResourceTag/redpanda-id" + values = [ + var.redpanda_id, ] - condition { - test = "StringEquals" - variable = "aws:ResourceTag/redpanda-id" - values = [ - var.redpanda_id, - ] - } } + resources = [ + "*", + ] +} ---- +==== -=== Manage IAM policies +=== Reboot EC2 instances + +*Scope:* Account-wide (`+*+`), restricted by a condition on the `redpanda-id` resource tag so only instances belonging to your Redpanda cluster can be rebooted. -The following actions apply only to Redpanda agents managing AWS IAM policies. - -.RedpandaAgentIAMPolicies -[,js] ----- -statement { - sid = "RedpandaAgentIAMPolicies" - effect = "Allow" - actions = [ - "iam:CreatePolicy", - "iam:DeletePolicy", - "iam:GetPolicy", - "iam:GetPolicyVersion", - "iam:ListPolicyVersions", - "iam:TagPolicy" - ] - resources = [ - "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*", - "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler", - "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}", - ] - } +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:RebootInstances` |Write |TODO(eng): confirm purpose. Reboots EC2 instances tagged for your Redpanda cluster during recovery or maintenance operations. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- +statement { + sid = "RedpandaAgentRebootInstances" + effect = "Allow" + actions = [ + "ec2:RebootInstances", + ] + condition { + test = "StringEquals" + variable = "ec2:ResourceTag/redpanda-id" + values = [ + var.redpanda_id, + ] + } + resources = [ + "*", + ] +} +---- +==== -=== Manage IAM roles +=== Read-only, tagging, and provisioning actions (wildcard resources) -The following actions apply only to Redpanda agents managing AWS IAM roles. - -.RedpandaAgentIAMRoleManagement -[,js] ----- -statement { - sid = "RedpandaAgentIAMRoleManagement" - effect = "Allow" - actions = [ - "iam:CreateRole", - "iam:DeleteRole", - "iam:AttachRolePolicy", - "iam:DetachRolePolicy", - "iam:GetRole", - "iam:TagRole", - "iam:PassRole", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfilesForRole", - "iam:ListRolePolicies", - ] - resources = [ - "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}", - "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}_", - "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}_", - "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}_", - "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}_", - ] - } ----- - -=== Manage S3 buckets - -The following actions apply only to Redpanda agents managing AWS Simple -Storage Service (S3) buckets. - -.RedpandaAgentS3ManagementBucket -[,js] ----- -statement { - sid = "RedpandaAgentS3ManagementBucket" - effect = "Allow" - actions = [ - "s3:*", - ] - resources = [ - data.aws_s3_bucket.management.arn, - "${data.aws_s3_bucket.management.arn}/*", - ] - } ----- - -=== Manage S3 cloud bucket storage - -The following actions apply only to Redpanda agents managing AWS S3 cloud bucket -storage. - -.RedpandaAgentS3ManagementBucket -[,js] ----- - statement { - sid = "RedpandaAgentS3CloudStorageBucket" - effect = "Allow" - actions = [ - "s3:List*", - "s3:Get*", - "s3:CreateBucket", - "s3:DeleteBucket", - "s3:PutBucketPolicy", - "s3:DeleteBucketPolicy", - ] - resources = [ - local.redpanda_cloud_storage_bucket_arn, - "${local.redpanda_cloud_storage_bucket_arn}/*", - ] - } ----- - -=== Manage virtual private cloud (VPC) - -The following actions apply only to Redpanda agents managing AWS VPCs. - -.RedpandaAgentVPCManagement -[,js] ----- -statement { - sid = "RedpandaAgentVPCManagement" - effect = "Allow" - actions = [ - "ec2:DescribeVpcs", - "ec2:DescribeVpcAttribute", - "ec2:DescribeSecurityGroups", - "ec2:CreateInternetGateway", - "ec2:DeleteInternetGateway", - "ec2:AttachInternetGateway", - "ec2:DescribeInternetGateways", - "ec2:CreateNatGateway", - "ec2:DeleteNatGateway", - "ec2:DescribeNatGateways", - "ec2:CreateRoute", - "ec2:DeleteRoute", - "ec2:CreateRouteTable", - "ec2:DeleteRouteTable", - "ec2:DescribeRouteTables", - "ec2:AssociateRouteTable", - "ec2:CreateSubnet", - "ec2:DeleteSubnet", - "ec2:DescribeSubnets", - "ec2:CreateVpcEndpoint", - "ec2:ModifyVpcEndpoint", - "ec2:DeleteVpcEndpoints", - "ec2:DescribeVpcEndpoints", - "ec2:DescribeVpcEndpointServices", - "ec2:DescribeVpcPeeringConnections", - "ec2:ModifyVpcPeeringConnectionOptions", - "ec2:DescribeNetworkAcls", - "ec2:DescribeNetworkInterfaces", - "ec2:AttachNetworkInterface", - "ec2:DetachNetworkInterface", - "ec2:DescribeAvailabilityZones", - ] - resources = [ - "*", - ] - } ----- - -=== Delete network interface - -The following actions apply only to Redpanda agents deleting AWS network interfaces. - -.RedpandaAgentNetworkInterfaceDelete -[,js] ----- -statement { - sid = "RedpandaAgentNetworkInterfaceDelete" - effect = "Allow" - actions = [ - "ec2:DeleteNetworkInterface", - ] - resources = [ - "arn:aws:ec2:__:${local.aws_account_id}:network-interface/__", - ] - } +*Scope:* Account-wide (`+*+`). These are read-only describe calls, tag operations, launch-template creation, and service-linked role and placement-group actions that AWS does not allow to be constrained to specific resource ARNs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:CreateTags` |Write |Required to tag AWS resources Redpanda Cloud provisions on your behalf so they are clearly identifiable as belonging to your Redpanda cluster. +|`ec2:DeleteTags` |Delete |TODO(eng): confirm purpose. Removes tags from resources Redpanda provisioned for your cluster. +|`ec2:DescribeTags` |Read |TODO(eng): confirm purpose. Reads tags on resources Redpanda provisioned for your cluster. +|`ec2:DescribeAccountAttributes` |Read |Required to validate your AWS account supports the configuration needed to run your Redpanda cluster. +|`ec2:DescribeImages` |Read |Required to look up the approved machine images used for Redpanda broker and worker nodes. +|`ec2:DescribeInstances` |Read |Required to monitor the EC2 instances that run your Redpanda cluster and reconcile their state during operations. +|`ec2:DescribeInstanceTypes` |Read |Required to validate that the requested instance types are available in your region before provisioning your Redpanda cluster. +|`ec2:DescribeVolumes` |Read |TODO(eng): confirm purpose. Reads the EBS volumes attached to your Redpanda cluster's nodes. +|`ec2:DescribeNetworkInterfaces` |Read |TODO(eng): confirm purpose. Reads the network interfaces used by your Redpanda cluster's nodes. +|`ec2:CreateLaunchTemplate` |Write |Required to manage the launch templates that define how compute nodes for your Redpanda cluster are provisioned. +|`ec2:CreateLaunchTemplateVersion` |Write |Required to update launch template versions when your Redpanda cluster is upgraded or reconfigured. +|`ec2:DescribeLaunchTemplateVersions` |Read |Required to read launch template versions when reconciling or updating your Redpanda cluster's compute configuration. +|`ec2:DescribeLaunchTemplates` |Read |Required to read the launch templates associated with your Redpanda cluster's compute nodes. +|`iam:ListPolicies` |Read |Required to discover existing IAM policies when provisioning or reconciling your Redpanda cluster's IAM configuration. +|`iam:ListRoles` |Read |Required to discover existing IAM roles when provisioning or reconciling your Redpanda cluster's IAM configuration. +|`iam:GetRole` |Read |TODO(eng): confirm purpose. Reads IAM roles while reconciling your Redpanda cluster's IAM configuration. +|`iam:GetOpenIDConnectProvider` |Read |Required to read the OIDC provider used to federate Redpanda workloads (such as EKS service accounts) with AWS IAM. +|`iam:DeleteOpenIDConnectProvider` |Delete |Required to clean up the OIDC provider when you decommission your Redpanda cluster. +|`iam:CreateServiceLinkedRole` |Write |Required to create the AWS service-linked roles needed by services (such as EKS and Auto Scaling) that run your Redpanda cluster. +|`ec2:CreatePlacementGroup` |Write |Required to manage placement groups that optimize network performance and availability for your Redpanda broker nodes. +|`ec2:DeletePlacementGroup` |Delete |Required to clean up placement groups when you decommission your Redpanda cluster. +|`ec2:DescribePlacementGroups` |Read |Required to read placement groups used by your Redpanda cluster's compute nodes. +|`eks:DescribeNodegroup` |Read |Required to read the EKS node groups that host your Redpanda cluster's workloads. +|`eks:DeleteNodegroup` |Delete |Required to remove EKS node groups when scaling down or decommissioning your Redpanda cluster. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- +statement { + sid = "RedpandaAgentActionsOnlyAllowedWithWildcardResources" + effect = "Allow" + actions = [ + "ec2:CreateTags", + "ec2:DeleteTags", + "ec2:DescribeTags", + "ec2:DescribeAccountAttributes", + "ec2:DescribeImages", + "ec2:DescribeInstances", + "ec2:DescribeInstanceTypes", + "ec2:DescribeVolumes", + "ec2:DescribeNetworkInterfaces", + "ec2:CreateLaunchTemplate", + "ec2:CreateLaunchTemplateVersion", + "ec2:DescribeLaunchTemplateVersions", + "ec2:DescribeLaunchTemplates", + "iam:ListPolicies", + "iam:ListRoles", + "iam:GetRole", + "iam:GetOpenIDConnectProvider", + "iam:DeleteOpenIDConnectProvider", + "iam:CreateServiceLinkedRole", + "ec2:CreatePlacementGroup", + "ec2:DeletePlacementGroup", + "ec2:DescribePlacementGroups", + "eks:DescribeNodegroup", + "eks:DeleteNodegroup" + ] + resources = [ + "*", + ] +} +---- +==== + +== Networking and connectivity + +Creates and manages the VPC, subnets, routes, gateways, security groups, VPC endpoints and endpoint services, load balancers, VPC peering, and Route 53 DNS that isolate cluster traffic and provide connectivity. + +=== Manage the VPC + +*Scope:* Account-wide (`+*+`). AWS does not allow these VPC networking actions to be constrained to specific resource ARNs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:DescribeVpcs` |Read |Required to read the VPC that hosts your Redpanda cluster and validate its configuration. +|`ec2:DescribeVpcAttribute` |Read |Required to read VPC attributes (such as DNS settings) needed to run your Redpanda cluster. +|`ec2:DescribeSecurityGroups` |Read |Required to read the security groups protecting your Redpanda cluster's network traffic. +|`ec2:DescribeSecurityGroupRules` |Read |TODO(eng): confirm purpose. Reads the individual rules of your Redpanda cluster's security groups. +|`ec2:CreateInternetGateway` |Write |Required to provision the internet gateway used for public connectivity to your Redpanda cluster when applicable. +|`ec2:DeleteInternetGateway` |Delete |Required to remove the internet gateway when you decommission your Redpanda cluster. +|`ec2:AttachInternetGateway` |Write |Required to attach the internet gateway to your Redpanda cluster's VPC. +|`ec2:DescribeInternetGateways` |Read |Required to read the internet gateways associated with your Redpanda cluster's VPC. +|`ec2:CreateNatGateway` |Write |Required to provision NAT gateways so private subnets in your Redpanda cluster's VPC can reach AWS APIs and other required services. +|`ec2:DeleteNatGateway` |Delete |Required to remove NAT gateways when you decommission your Redpanda cluster. +|`ec2:DescribeNatGateways` |Read |Required to read NAT gateways used by your Redpanda cluster's VPC. +|`ec2:CreateRoute` |Write |Required to manage the network routes that direct traffic within and out of your Redpanda cluster's VPC. +|`ec2:DeleteRoute` |Delete |Required to remove routes when reconfiguring or decommissioning your Redpanda cluster's network. +|`ec2:CreateRouteTable` |Write |Required to manage the route tables that control traffic flow in your Redpanda cluster's VPC. +|`ec2:DeleteRouteTable` |Delete |Required to remove route tables when you decommission your Redpanda cluster. +|`ec2:DescribeRouteTables` |Read |Required to read the route tables in your Redpanda cluster's VPC. +|`ec2:AssociateRouteTable` |Write |Required to associate route tables with subnets in your Redpanda cluster's VPC. +|`ec2:CreateSubnet` |Write |Required to provision the subnets that host your Redpanda cluster's nodes across availability zones. +|`ec2:DeleteSubnet` |Delete |Required to remove subnets when you decommission your Redpanda cluster. +|`ec2:DescribeSubnets` |Read |Required to read the subnets that host your Redpanda cluster. +|`ec2:DescribeVpcPeeringConnections` |Read |Required to read VPC peering connections between your network and your Redpanda cluster's VPC. +|`ec2:ModifyVpcPeeringConnectionOptions` |Write |Required to configure DNS resolution and other options on VPC peering connections that link your network to your Redpanda cluster. +|`ec2:DescribeNetworkAcls` |Read |Required to read the network ACLs in your Redpanda cluster's VPC. +|`ec2:DescribeNetworkInterfaces` |Read |Required to read the network interfaces used by your Redpanda cluster's nodes and endpoints. +|`ec2:AttachNetworkInterface` |Write |Required to attach network interfaces to your Redpanda cluster's compute nodes. +|`ec2:DetachNetworkInterface` |Delete |Required to detach network interfaces during reconfiguration or decommissioning of your Redpanda cluster. +|`ec2:DescribeAvailabilityZones` |Read |Required to determine which availability zones are available for placing your Redpanda cluster's nodes. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentVPCManagement" + effect = "Allow" + actions = [ + "ec2:DescribeVpcs", + "ec2:DescribeVpcAttribute", + "ec2:DescribeSecurityGroups", + "ec2:DescribeSecurityGroupRules", + "ec2:CreateInternetGateway", + "ec2:DeleteInternetGateway", + "ec2:AttachInternetGateway", + "ec2:DescribeInternetGateways", + "ec2:CreateNatGateway", + "ec2:DeleteNatGateway", + "ec2:DescribeNatGateways", + "ec2:CreateRoute", + "ec2:DeleteRoute", + "ec2:CreateRouteTable", + "ec2:DeleteRouteTable", + "ec2:DescribeRouteTables", + "ec2:AssociateRouteTable", + "ec2:CreateSubnet", + "ec2:DeleteSubnet", + "ec2:DescribeSubnets", + "ec2:DescribeVpcPeeringConnections", + "ec2:ModifyVpcPeeringConnectionOptions", + "ec2:DescribeNetworkAcls", + "ec2:DescribeNetworkInterfaces", + "ec2:AttachNetworkInterface", + "ec2:DetachNetworkInterface", + "ec2:DescribeAvailabilityZones", + ] + resources = [ + "*", + ] +} +---- +==== + +=== Manage VPC endpoints, endpoint services, and load balancers + +*Scope:* Account-wide (`+*+`). AWS does not allow these VPC endpoint, endpoint service, and Elastic Load Balancing actions to be constrained to specific resource ARNs. These support private connectivity (such as PrivateLink) to your Redpanda cluster. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:CreateVpcEndpoint` |Write |Required to provision VPC endpoints (such as PrivateLink) so clients can connect privately to your Redpanda cluster and so your cluster can reach AWS services privately. +|`ec2:ModifyVpcEndpoint` |Write |Required to update VPC endpoint configuration as your Redpanda cluster's private connectivity requirements evolve. +|`ec2:DeleteVpcEndpoints` |Delete |Required to remove VPC endpoints when you decommission your Redpanda cluster or disable private connectivity. +|`ec2:DescribeVpcEndpoints` |Read |Required to read the VPC endpoints associated with your Redpanda cluster. +|`ec2:DescribeVpcEndpointServices` |Read |Required to discover VPC endpoint services when configuring private connectivity for your Redpanda cluster. +|`ec2:AcceptVpcEndpointConnections` |Write |TODO(eng): confirm purpose. Accepts connections to the endpoint service that fronts your Redpanda cluster. +|`ec2:CreateVpcEndpointConnectionNotification` |Write |TODO(eng): confirm purpose. +|`ec2:CreateVpcEndpointServiceConfiguration` |Write |TODO(eng): confirm purpose. Creates the VPC endpoint service that exposes your Redpanda cluster over PrivateLink. +|`ec2:DescribeVpcEndpointServiceConfigurations` |Read |TODO(eng): confirm purpose. +|`ec2:ModifyVpcEndpointServiceConfiguration` |Write |TODO(eng): confirm purpose. +|`ec2:DeleteVpcEndpointServiceConfigurations` |Delete |TODO(eng): confirm purpose. +|`ec2:DeleteVpcEndpointConnectionNotifications` |Delete |TODO(eng): confirm purpose. +|`ec2:DescribeVpcEndpointConnectionNotifications` |Read |TODO(eng): confirm purpose. +|`ec2:DescribeVpcEndpointConnections` |Read |TODO(eng): confirm purpose. +|`ec2:DescribeVpcEndpointServicePermissions` |Read |TODO(eng): confirm purpose. +|`ec2:ModifyVpcEndpointConnectionNotification` |Write |TODO(eng): confirm purpose. +|`ec2:ModifyVpcEndpointServicePayerResponsibility` |Write |TODO(eng): confirm purpose. +|`ec2:ModifyVpcEndpointServicePermissions` |Write |TODO(eng): confirm purpose. +|`ec2:RejectVpcEndpointConnections` |Write |TODO(eng): confirm purpose. +|`ec2:StartVpcEndpointServicePrivateDnsVerification` |Write |TODO(eng): confirm purpose. +|`vpce:AllowMultiRegion` |Write |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeLoadBalancers` |Read |TODO(eng): confirm purpose. Reads the load balancers that front your Redpanda cluster's endpoints. +|`elasticloadbalancing:CreateListener` |Write |TODO(eng): confirm purpose. +|`elasticloadbalancing:DeleteListener` |Delete |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeListeners` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeListenerAttributes` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:CreateTargetGroup` |Write |TODO(eng): confirm purpose. +|`elasticloadbalancing:DeleteTargetGroup` |Delete |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeTargetGroups` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:RegisterTargets` |Write |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeTags` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeLoadBalancerAttributes` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:AddTags` |Write |TODO(eng): confirm purpose. +|`elasticloadbalancing:RemoveTags` |Delete |TODO(eng): confirm purpose. +|`elasticloadbalancing:DescribeTargetGroupAttributes` |Read |TODO(eng): confirm purpose. +|`elasticloadbalancing:ModifyTargetGroupAttributes` |Write |TODO(eng): confirm purpose. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentVPCEndpointService" + effect = "Allow" + actions = [ + "ec2:CreateVpcEndpoint", + "ec2:ModifyVpcEndpoint", + "ec2:DeleteVpcEndpoints", + "ec2:DescribeVpcEndpoints", + "ec2:DescribeVpcEndpointServices", + "ec2:AcceptVpcEndpointConnections", + "ec2:CreateVpcEndpointConnectionNotification", + "ec2:CreateVpcEndpointServiceConfiguration", + "ec2:DescribeVpcEndpointServiceConfigurations", + "ec2:ModifyVpcEndpointServiceConfiguration", + "ec2:DeleteVpcEndpointServiceConfigurations", + "ec2:DeleteVpcEndpointConnectionNotifications", + "ec2:DescribeVpcEndpointConnectionNotifications", + "ec2:DescribeVpcEndpointConnections", + "ec2:DescribeVpcEndpointServicePermissions", + "ec2:ModifyVpcEndpointConnectionNotification", + "ec2:ModifyVpcEndpointServiceConfiguration", + "ec2:ModifyVpcEndpointServicePayerResponsibility", + "ec2:ModifyVpcEndpointServicePermissions", + "ec2:RejectVpcEndpointConnections", + "ec2:StartVpcEndpointServicePrivateDnsVerification", + "vpce:AllowMultiRegion", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:CreateListener", + "elasticloadbalancing:DeleteListener", + "elasticloadbalancing:DescribeListeners", + "elasticloadbalancing:DescribeListenerAttributes", + "elasticloadbalancing:CreateTargetGroup", + "elasticloadbalancing:DeleteTargetGroup", + "elasticloadbalancing:DescribeTargetGroups", + "elasticloadbalancing:RegisterTargets", + "elasticloadbalancing:DescribeTags", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:AddTags", + "elasticloadbalancing:RemoveTags", + "elasticloadbalancing:DescribeTargetGroupAttributes", + "elasticloadbalancing:ModifyTargetGroupAttributes", + ] + resources = [ + "*", + ] +} +---- +==== + +=== Manage security groups + +*Scope:* Restricted to security groups in your account and your cluster's VPC: `+arn:aws:ec2:*:${local.aws_account_id}:security-group/*+` and `+arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:AuthorizeSecurityGroupEgress` |Write |Required to manage the network security rules that control outbound traffic from your Redpanda cluster. +|`ec2:AuthorizeSecurityGroupIngress` |Write |Required to manage the network security rules that control inbound traffic to your Redpanda cluster (such as Kafka client connections). +|`ec2:CreateSecurityGroup` |Write |Required to create the security groups that isolate and protect your Redpanda cluster's network traffic. +|`ec2:DeleteSecurityGroup` |Delete |Required to remove security groups when you decommission your Redpanda cluster. +|`ec2:RevokeSecurityGroupEgress` |Delete |Required to remove outbound network rules when reconfiguring or decommissioning your Redpanda cluster. +|`ec2:RevokeSecurityGroupIngress` |Delete |Required to remove inbound network rules when reconfiguring or decommissioning your Redpanda cluster. +|`ec2:UpdateSecurityGroupRuleDescriptionsIngress` |Write |Required to keep inbound security group rule descriptions accurate as your Redpanda cluster's network configuration evolves. +|`ec2:UpdateSecurityGroupRuleDescriptionsEgress` |Write |Required to keep outbound security group rule descriptions accurate as your Redpanda cluster's network configuration evolves. +|`ec2:ModifySecurityGroupRules` |Write |Required to update security group rules as your Redpanda cluster's network access requirements change. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentSecurityGroups" + effect = "Allow" + actions = [ + "ec2:AuthorizeSecurityGroupEgress", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateSecurityGroup", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ec2:UpdateSecurityGroupRuleDescriptionsIngress", + "ec2:UpdateSecurityGroupRuleDescriptionsEgress", + "ec2:ModifySecurityGroupRules", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:security-group/*", + "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", + ] +} +---- +==== === Create VPC peering -The following actions apply only to Redpanda agents creating AWS VPC peering. +*Scope:* Restricted to your cluster's VPC: `+arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:CreateVpcPeeringConnection` |Write |Required to establish VPC peering between your network and your Redpanda cluster's VPC for private connectivity. +|=== -.RedpandaAgentVPCPeeringsCreate -[,js] +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentVPCPeeringsCreate" - effect = "Allow" - actions = [ - "ec2:CreateVpcPeeringConnection", - ] - resources = [ - "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", - ] - } + sid = "RedpandaAgentVPCPeeringsCreate" + effect = "Allow" + actions = [ + "ec2:CreateVpcPeeringConnection", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:vpc/${local.network_config.vpc_id}", + ] +} ---- +==== === Delete VPC peering -The following actions apply only to Redpanda agents deleting AWS VPC peering. +*Scope:* Restricted to VPC peering connections in your account: `+arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*+`, further restricted by a condition on the `redpanda-id` resource tag. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:DeleteVpcPeeringConnection` |Delete |Required to tear down VPC peering when you disable private connectivity or decommission your Redpanda cluster. +|`ec2:ModifyVpcPeeringConnectionOptions` |Write |Required to configure DNS resolution and other options on VPC peering connections that link your network to your Redpanda cluster. +|=== -.RedpandaAgentVPCPeeringsDelete -[,js] +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentVPCPeeringsDelete" - effect = "Allow" - actions = [ - "ec2:DeleteVpcPeeringConnection", - "ec2:ModifyVpcPeeringConnectionOptions", - ] - resources = [ - "arn:aws:ec2:__:${local.aws_account_id}:vpc-peering-connection/__", - ] - condition { - test = "StringEquals" - variable = "ec2:ResourceTag/redpanda-id" - values = [ - var.redpanda_id, - ] - } - } + sid = "RedpandaAgentVPCPeeringsDelete" + effect = "Allow" + actions = [ + "ec2:DeleteVpcPeeringConnection", + "ec2:ModifyVpcPeeringConnectionOptions", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:vpc-peering-connection/*", + ] + condition { + test = "StringEquals" + variable = "ec2:ResourceTag/redpanda-id" + values = [ + var.redpanda_id, + ] + } +} ---- +==== + +=== Delete network interfaces + +*Scope:* Restricted to network interfaces in your account: `+arn:aws:ec2:*:${local.aws_account_id}:network-interface/*+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`ec2:DeleteNetworkInterface` |Delete |Required to remove network interfaces when reconfiguring or decommissioning your Redpanda cluster. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentNetworkInterfaceDelete" + effect = "Allow" + actions = [ + "ec2:DeleteNetworkInterface", + ] + resources = [ + "arn:aws:ec2:*:${local.aws_account_id}:network-interface/*", + ] +} +---- +==== + +=== Manage Route 53 DNS -=== Manage DynamoDB Terraform backend +*Scope:* Account-wide (`+*+`). AWS does not allow these Route 53 actions to be constrained to specific resource ARNs. -The following actions apply only to Redpanda agents managing the AWS DynamoDB -Terraform backend. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`route53:CreateHostedZone` |Write |Required to create the DNS hosted zone used for your Redpanda cluster's endpoints. +|`route53:GetChange` |Read |Required to track the status of DNS record changes made for your Redpanda cluster. +|`route53:ChangeTagsForResource` |Write |Required to tag Route 53 resources so they are clearly identifiable as belonging to your Redpanda cluster. +|`route53:GetHostedZone` |Read |Required to read the DNS hosted zone associated with your Redpanda cluster. +|`route53:ListTagsForResource` |Read |Required to read tags on Route 53 resources during reconciliation of your Redpanda cluster's DNS configuration. +|`route53:ListResourceRecordSets` |Read |Required to read the DNS records that resolve your Redpanda cluster's endpoints. +|`route53:ChangeResourceRecordSets` |Write |Required to manage the DNS records that resolve your Redpanda cluster's Kafka, HTTP, and admin endpoints. +|`route53:GetDNSSEC` |Read |Required to read DNSSEC configuration on the hosted zone used by your Redpanda cluster. +|`route53:DeleteHostedZone` |Delete |Required to remove the DNS hosted zone when you decommission your Redpanda cluster. +|=== -.RedpandaAgentTFBackend -[,js] +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentTFBackend" - effect = "Allow" - actions = [ - "dynamodb:GetItem", - "dynamodb:PutItem", - "dynamodb:DeleteItem", - ] - resources = [ - "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*", - ] - } + sid = "RedpandaAgentRoute53Management" + effect = "Allow" + actions = [ + "route53:CreateHostedZone", + "route53:GetChange", + "route53:ChangeTagsForResource", + "route53:GetHostedZone", + "route53:ListTagsForResource", + "route53:ListResourceRecordSets", + "route53:ChangeResourceRecordSets", + "route53:GetDNSSEC", + "route53:DeleteHostedZone", + ] + resources = [ + "*", + ] +} ---- +==== + +== Storage + +Manages the S3 buckets backing Tiered Storage and the cluster management bucket. The `+s3:*+` action is scoped to the specific management bucket. -=== Manage Route 53 +=== Manage the S3 management bucket -The following actions apply only to Redpanda agents managing the AWS Route 53 -service. +*Scope:* Restricted to the cluster management bucket: `data.aws_s3_bucket.management.arn` and its objects. -.RedpandaAgentRoute53Management -[,js] +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`+s3:*+` |Full |Required to manage the S3 bucket that backs your Redpanda cluster's management data, including full lifecycle (create, configure, read, write, delete). +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentRoute53Management" - effect = "Allow" - actions = [ - "route53:CreateHostedZone", - "route53:GetChange", - "route53:ChangeTagsForResource", - "route53:GetHostedZone", - "route53:ListTagsForResource", - "route53:ListResourceRecordSets", - "route53:ChangeResourceRecordSets", - "route53:GetDNSSEC", - "route53:DeleteHostedZone", - ] - resources = [ - "*", - ] - } + sid = "RedpandaAgentS3ManagementBucket" + effect = "Allow" + actions = [ + "s3:*", + ] + resources = [ + data.aws_s3_bucket.management.arn, + "${data.aws_s3_bucket.management.arn}/*", + ] +} ---- +==== -=== Manage Auto Scaling +=== Manage the S3 Tiered Storage bucket -The following actions apply only to Redpanda agents managing the AWS Auto Scaling. +*Scope:* Restricted to the cluster's cloud storage bucket: `local.redpanda_cloud_storage_bucket_arn` and its objects. -.RedpandaAgentAutoscaling -[,js] +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`s3:PutBucketPolicy` |Write |Required to apply the bucket policies that restrict access to your Redpanda cluster's Tiered Storage bucket. +|`s3:DeleteBucketPolicy` |Delete |Required to remove bucket policies during reconfiguration or cleanup of your Redpanda cluster's storage. +|`+s3:List*+` |Read |Required to list objects used by your Redpanda cluster for Tiered Storage and backups. +|`+s3:Get*+` |Read |Required to read bucket configuration and objects used by your Redpanda cluster for Tiered Storage and backups. +|`s3:CreateBucket` |Write |Required to create the S3 bucket that backs your Redpanda cluster's Tiered Storage and backups. +|`s3:DeleteBucket` |Delete |Required to remove the S3 bucket when you decommission your Redpanda cluster. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] ---- statement { - sid = "RedpandaAgentAutoscaling" - effect = "Allow" - actions = [ - "autoscaling:*", - ] - resources = [ - "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-${var.redpanda_id}*", - "arn:aws:autoscaling:*:${local.aws_account_id}:autoScalingGroup:*:autoScalingGroupName/redpanda-agent-${var.redpanda_id}*" - ] - } + sid = "RedpandaAgentS3CloudStorageBucket" + effect = "Allow" + actions = [ + "s3:PutBucketPolicy", + "s3:DeleteBucketPolicy", + "s3:List*", + "s3:Get*", + "s3:CreateBucket", + "s3:DeleteBucket" + ] + resources = [ + local.redpanda_cloud_storage_bucket_arn, + "${local.redpanda_cloud_storage_bucket_arn}/*", + ] +} ---- +==== + +== Identity and access (IAM) + +Creates the least-privilege roles, policies, instance profiles, and OIDC federation the cluster components need. Every statement here is scoped to resources named for your cluster. + +=== Manage IAM roles + +*Scope:* Restricted to IAM roles named for your cluster (storage manager, agent, connectors, and console roles). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:CreateRole` |Write |Required to create the IAM roles used by your Redpanda cluster's control plane, data plane, and workload components. +|`iam:DeleteRole` |Delete |Required to remove IAM roles when you decommission your Redpanda cluster. +|`iam:AttachRolePolicy` |Write |Required to attach the necessary IAM policies to your Redpanda cluster's roles. +|`iam:DetachRolePolicy` |Delete |Required to detach IAM policies from roles during reconfiguration or cleanup. +|`iam:TagRole` |Write |Required to tag IAM roles so they are clearly identifiable as belonging to your Redpanda cluster. +|`iam:UntagRole` |Delete |TODO(eng): confirm purpose. Removes tags from your Redpanda cluster's IAM roles. +|`iam:GetRole` |Read |Required to read IAM roles while reconciling your Redpanda cluster's IAM configuration. +|`iam:GetRolePolicy` |Read |TODO(eng): confirm purpose. Reads inline policies on your Redpanda cluster's IAM roles. +|`iam:PassRole` |Write |Required to allow AWS services (such as EC2 and EKS) to assume the IAM roles that Redpanda Cloud provisions for your cluster. +|`iam:UpdateAssumeRolePolicy` |Write |TODO(eng): confirm purpose. Updates the trust policy on your Redpanda cluster's IAM roles. +|`iam:ListAttachedRolePolicies` |Read |Required to read the policies attached to your Redpanda cluster's IAM roles during reconciliation. +|`iam:ListInstanceProfilesForRole` |Read |Required to read the instance profiles associated with your Redpanda cluster's IAM roles during reconciliation. +|`iam:ListRolePolicies` |Read |Required to read the inline policies attached to your Redpanda cluster's IAM roles during reconciliation. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentIAMRoleManagement" + effect = "Allow" + actions = [ + "iam:CreateRole", + "iam:DeleteRole", + "iam:AttachRolePolicy", + "iam:DetachRolePolicy", + "iam:TagRole", + "iam:UntagRole", + "iam:GetRole", + "iam:GetRolePolicy", + "iam:PassRole", + "iam:UpdateAssumeRolePolicy", + "iam:ListAttachedRolePolicies", + "iam:ListInstanceProfilesForRole", + "iam:ListRolePolicies", + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:role/redpanda-cloud-storage-manager-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:role/redpanda-agent-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:role/redpanda-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:role/redpanda-connectors-secrets-manager-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:role/redpanda-console-secrets-manager-${var.redpanda_id}*", + ] +} +---- +==== + +=== Manage IAM policies + +*Scope:* Restricted to IAM policies named for your cluster (agent, autoscaler, storage manager, glue manager, secrets managers, and add-on policies). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:CreatePolicy` |Write |Required to create the IAM policies that grant your Redpanda cluster the minimum AWS permissions it needs to operate. +|`iam:CreatePolicyVersion` |Write |TODO(eng): confirm purpose. Creates new versions of your Redpanda cluster's IAM policies during updates. +|`iam:DeletePolicy` |Delete |Required to remove IAM policies when you decommission your Redpanda cluster. +|`iam:DeletePolicyVersion` |Delete |TODO(eng): confirm purpose. Removes old versions of your Redpanda cluster's IAM policies. +|`iam:GetPolicy` |Read |Required to read IAM policies while reconciling your Redpanda cluster's IAM configuration. +|`iam:GetPolicyVersion` |Read |Required to read specific versions of IAM policies while reconciling your Redpanda cluster's IAM configuration. +|`iam:ListPolicyVersions` |Read |Required to list IAM policy versions while reconciling and updating your Redpanda cluster's IAM configuration. +|`iam:TagPolicy` |Write |Required to tag IAM policies so they are clearly identifiable as belonging to your Redpanda cluster. +|`iam:UntagPolicy` |Delete |TODO(eng): confirm purpose. Removes tags from your Redpanda cluster's IAM policies. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentIAMPolicies" + effect = "Allow" + actions = [ + "iam:CreatePolicy", + "iam:CreatePolicyVersion", + "iam:DeletePolicy", + "iam:DeletePolicyVersion", + "iam:GetPolicy", + "iam:GetPolicyVersion", + "iam:ListPolicyVersions", + "iam:TagPolicy", + "iam:UntagPolicy" + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:policy/aws_ebs_csi_driver-redpanda-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/cert_manager_policy-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/external_dns_policy-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/load_balancer_controller-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-agent-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-${var.redpanda_id}-autoscaler", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-cloud-storage-manager-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-glue-manager-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/secrets_manager_policy-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-connectors-secrets-manager-${var.redpanda_id}", + "arn:aws:iam::${local.aws_account_id}:policy/redpanda-console-secrets-manager-${var.redpanda_id}", + ] +} +---- +==== + +=== Manage instance profiles + +*Scope:* Restricted to instance profiles named for your cluster: `+redpanda-${var.redpanda_id}*+` and `+redpanda-agent-${var.redpanda_id}*+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:AddRoleToInstanceProfile` |Write |Required to attach IAM roles to instance profiles so your Redpanda cluster nodes have the AWS permissions they need to run. +|`iam:RemoveRoleFromInstanceProfile` |Delete |Required to detach IAM roles from instance profiles when reconfiguring or decommissioning your Redpanda cluster. +|`iam:CreateInstanceProfile` |Write |Required to create the instance profiles used by your Redpanda cluster's compute nodes. +|`iam:DeleteInstanceProfile` |Delete |Required to clean up instance profiles when you decommission your Redpanda cluster. +|`iam:GetInstanceProfile` |Read |Required to read the instance profiles associated with your Redpanda cluster. +|`iam:TagInstanceProfile` |Write |Required to tag instance profiles so they are clearly identifiable as belonging to your Redpanda cluster. +|`iam:UntagInstanceProfile` |Delete |TODO(eng): confirm purpose. Removes tags from your Redpanda cluster's instance profiles. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentInstanceProfile" + effect = "Allow" + actions = [ + "iam:AddRoleToInstanceProfile", + "iam:RemoveRoleFromInstanceProfile", + "iam:CreateInstanceProfile", + "iam:DeleteInstanceProfile", + "iam:GetInstanceProfile", + "iam:TagInstanceProfile", + "iam:UntagInstanceProfile", + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-${var.redpanda_id}*", + "arn:aws:iam::${local.aws_account_id}:instance-profile/redpanda-agent-${var.redpanda_id}*", + ] +} +---- +==== + +=== Create EKS OIDC providers + +*Scope:* Restricted to EKS OIDC providers: `+arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com+` and their IDs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:CreateOpenIDConnectProvider` |Write |Required to establish the OIDC federation that allows workloads in your Redpanda cluster (such as EKS service accounts) to assume AWS IAM roles. +|`iam:TagOpenIDConnectProvider` |Write |Required to tag the OIDC provider so it is clearly identifiable as belonging to your Redpanda cluster. +|`iam:UntagOpenIDConnectProvider` |Delete |Required to remove tags from the OIDC provider during reconfiguration or cleanup. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentEKSOIDCProvider" + effect = "Allow" + actions = [ + "iam:CreateOpenIDConnectProvider", + "iam:TagOpenIDConnectProvider", + "iam:UntagOpenIDConnectProvider", + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", + "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com/id/*", + ] +} +---- +==== + +=== Rotate EKS OIDC provider thumbprint + +*Scope:* Restricted to EKS OIDC providers, further restricted by a condition on the `redpanda-id` resource tag. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam:UpdateOpenIDConnectProviderThumbprint` |Write |Required to rotate the OIDC provider thumbprint to keep federation with AWS IAM secure and current. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentEKSOIDCProviderCACertThumbprintUpdate" + effect = "Allow" + actions = [ + "iam:UpdateOpenIDConnectProviderThumbprint", + ] + resources = [ + "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com", + "arn:aws:iam::${local.aws_account_id}:oidc-provider/oidc.eks.*.amazonaws.com/id/*", + ] + condition { + test = "StringEquals" + variable = "aws:ResourceTag/redpanda-id" + values = [ + var.redpanda_id, + ] + } +} +---- +==== + +== Secrets management + +Cleans up the AWS Secrets Manager secrets Redpanda creates for your cluster when the cluster is destroyed. + +=== Delete cluster secrets + +*Scope:* Restricted to secrets under `+arn:aws:secretsmanager:${var.region}:*:secret:redpanda/${var.redpanda_id}/*+`, further restricted by a condition on the `owner` resource tag (`console`). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`secretsmanager:DeleteSecret` |Delete |Required to delete the user secrets Redpanda created for your cluster when the cluster is destroyed. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + effect = "Allow" + actions = [ + "secretsmanager:DeleteSecret" + ] + resources = [ + "arn:aws:secretsmanager:${var.region}:*:secret:redpanda/${var.redpanda_id}/*" + ] + condition { + test = "StringEquals" + values = ["console"] + variable = "aws:ResourceTag/owner" + } +} +---- +==== + +=== List secrets + +*Scope:* Account-wide (`+*+`). AWS does not allow the list action to be constrained to specific resource ARNs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`secretsmanager:ListSecrets` |Read |Required to find the secrets to delete when your Redpanda cluster is destroyed. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + effect = "Allow" + actions = [ + "secretsmanager:ListSecrets", + ] + resources = [ + "*" + ] +} +---- +==== + +== Monitoring + +=== Read CloudWatch metrics + +*Scope:* Account-wide (`+*+`). AWS does not allow this metrics action to be constrained to specific resource ARNs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`cloudwatch:GetMetricData` |Read |TODO(eng): confirm purpose. Reads CloudWatch metrics for the AWS resources that run your Redpanda cluster. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentCloudWatch" + effect = "Allow" + actions = [ + "cloudwatch:GetMetricData", + ] + resources = [ + "*", + ] +} +---- +==== + +== Coordination state + +Reads and writes the small amount of state Redpanda uses to serialize Terraform operations safely, and reads the caller identity. + +=== Manage the DynamoDB Terraform backend + +*Scope:* Restricted to the cluster's Terraform state table: `+arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`dynamodb:GetItem` |Read |Required to read state that Redpanda Cloud stores in DynamoDB to coordinate operations against your cluster. +|`dynamodb:PutItem` |Write |Required to write coordination state that Redpanda Cloud uses to safely manage operations against your cluster. +|`dynamodb:DeleteItem` |Delete |Required to clean up coordination state stored in DynamoDB during cluster operations and decommissioning. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentTFBackend" + effect = "Allow" + actions = [ + "dynamodb:GetItem", + "dynamodb:PutItem", + "dynamodb:DeleteItem", + ] + resources = [ + "arn:aws:dynamodb:*:${local.aws_account_id}:table/rp-${local.aws_account_id}*", + ] +} +---- +==== + +=== Read the caller identity + +*Scope:* Account-wide (`+*+`). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`sts:GetCallerIdentity` |Read |Required to confirm the identity Redpanda is operating as when managing your cluster. This is a residual no-op statement retained to avoid AWS policy-detachment conflicts. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentNoopPolicy" + effect = "Allow" + actions = [ + "sts:GetCallerIdentity" + ] + resources = [ + "*" + ] +} +---- +==== + +== Optional feature permissions + +// TODO(eng, item 3): confirm whether these statements are granted only when the +// corresponding feature is enabled, and whether they apply to the cross-account +// role in the Phase 1 release. They are scoped to ai-gateway-* / oxla-* resources. +[NOTE] +==== +The following permissions are scoped to specific feature resources (`+ai-gateway-*+`, `+oxla-*+`) and apply only when you use the corresponding Redpanda features (AI Gateway and Redpanda SQL). TODO(eng): confirm scope for the cross-account role. +==== + +=== Manage ElastiCache for the AI Gateway + +*Scope:* Restricted to ElastiCache resources named `+ai-gateway-${var.redpanda_id}*+`. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`elasticache:CreateUser` |Write |TODO(eng): confirm purpose. Manages the ElastiCache resources backing the AI Gateway feature. +|`elasticache:AddTagsToResource` |Write |TODO(eng): confirm purpose. +|`elasticache:DescribeUsers` |Read |TODO(eng): confirm purpose. +|`elasticache:ListTagsForResource` |Read |TODO(eng): confirm purpose. +|`elasticache:DeleteUser` |Delete |TODO(eng): confirm purpose. +|`elasticache:CreateUserGroup` |Write |TODO(eng): confirm purpose. +|`elasticache:DescribeUserGroups` |Read |TODO(eng): confirm purpose. +|`elasticache:DeleteUserGroup` |Delete |TODO(eng): confirm purpose. +|`elasticache:CreateServerlessCache` |Write |TODO(eng): confirm purpose. +|`elasticache:DeleteServerlessCache` |Delete |TODO(eng): confirm purpose. +|`elasticache:DescribeServerlessCaches` |Read |TODO(eng): confirm purpose. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaElastiCache" + effect = "Allow" + actions = [ + "elasticache:CreateUser", + "elasticache:AddTagsToResource", + "elasticache:DescribeUsers", + "elasticache:ListTagsForResource", + "elasticache:DeleteUser", + "elasticache:CreateUserGroup", + "elasticache:DescribeUserGroups", + "elasticache:DeleteUserGroup", + "elasticache:CreateServerlessCache", + "elasticache:DeleteServerlessCache", + "elasticache:DescribeServerlessCaches", + ] + resources = [ + "arn:aws:elasticache:*:*:*:ai-gateway-${var.redpanda_id}*", + ] +} +---- +==== + +=== Manage RDS Aurora for the AI Gateway + +*Scope:* Restricted to RDS resources named `+ai-gateway-${var.redpanda_id}*+` (clusters, instances, subnet groups, and parameter groups). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`rds:CreateDBCluster` |Write |TODO(eng): confirm purpose. Manages the Aurora database backing the AI Gateway feature. +|`rds:DeleteDBCluster` |Delete |TODO(eng): confirm purpose. +|`rds:DescribeDBClusters` |Read |TODO(eng): confirm purpose. +|`rds:ModifyDBCluster` |Write |TODO(eng): confirm purpose. +|`rds:CreateDBInstance` |Write |TODO(eng): confirm purpose. +|`rds:DeleteDBInstance` |Delete |TODO(eng): confirm purpose. +|`rds:DescribeDBInstances` |Read |TODO(eng): confirm purpose. +|`rds:ModifyDBInstance` |Write |TODO(eng): confirm purpose. +|`rds:CreateDBSubnetGroup` |Write |TODO(eng): confirm purpose. +|`rds:DeleteDBSubnetGroup` |Delete |TODO(eng): confirm purpose. +|`rds:DescribeDBSubnetGroups` |Read |TODO(eng): confirm purpose. +|`rds:CreateDBClusterParameterGroup` |Write |TODO(eng): confirm purpose. +|`rds:DeleteDBClusterParameterGroup` |Delete |TODO(eng): confirm purpose. +|`rds:DescribeDBClusterParameterGroups` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBClusterParameters` |Read |TODO(eng): confirm purpose. +|`rds:ModifyDBClusterParameterGroup` |Write |TODO(eng): confirm purpose. +|`rds:AddTagsToResource` |Write |TODO(eng): confirm purpose. +|`rds:ListTagsForResource` |Read |TODO(eng): confirm purpose. +|`rds:RemoveTagsFromResource` |Delete |TODO(eng): confirm purpose. +|`rds:DescribeDBEngineVersions` |Read |TODO(eng): confirm purpose. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaRDSAurora" + effect = "Allow" + actions = [ + "rds:CreateDBCluster", + "rds:DeleteDBCluster", + "rds:DescribeDBClusters", + "rds:ModifyDBCluster", + "rds:CreateDBInstance", + "rds:DeleteDBInstance", + "rds:DescribeDBInstances", + "rds:ModifyDBInstance", + "rds:CreateDBSubnetGroup", + "rds:DeleteDBSubnetGroup", + "rds:DescribeDBSubnetGroups", + "rds:CreateDBClusterParameterGroup", + "rds:DeleteDBClusterParameterGroup", + "rds:DescribeDBClusterParameterGroups", + "rds:DescribeDBClusterParameters", + "rds:ModifyDBClusterParameterGroup", + "rds:AddTagsToResource", + "rds:ListTagsForResource", + "rds:RemoveTagsFromResource", + "rds:DescribeDBEngineVersions", + ] + resources = [ + "arn:aws:rds:*:*:cluster:ai-gateway-${var.redpanda_id}*", + "arn:aws:rds:*:*:db:ai-gateway-${var.redpanda_id}*", + "arn:aws:rds:*:*:subgrp:ai-gateway-${var.redpanda_id}*", + "arn:aws:rds:*:*:cluster-pg:ai-gateway-${var.redpanda_id}*", + ] +} +---- +==== + +=== Describe RDS Aurora resources + +*Scope:* Account-wide (`+*+`). AWS does not allow these describe actions to be constrained to specific resource ARNs. + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`rds:DescribeDBClusters` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBInstances` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBSubnetGroups` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBClusterParameterGroups` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBClusterParameters` |Read |TODO(eng): confirm purpose. +|`rds:DescribeDBEngineVersions` |Read |TODO(eng): confirm purpose. +|`rds:DescribeGlobalClusters` |Read |TODO(eng): confirm purpose. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaRDSAuroraDescribe" + effect = "Allow" + actions = [ + "rds:DescribeDBClusters", + "rds:DescribeDBInstances", + "rds:DescribeDBSubnetGroups", + "rds:DescribeDBClusterParameterGroups", + "rds:DescribeDBClusterParameters", + "rds:DescribeDBEngineVersions", + "rds:DescribeGlobalClusters", + ] + resources = [ + "*", + ] +} +---- +==== + +=== Manage Redpanda SQL storage buckets + +*Scope:* Restricted to S3 buckets named `+oxla-*+` (the internal resource name for Redpanda SQL). + +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`s3:PutBucketPolicy` |Write |TODO(eng): confirm purpose. Manages the S3 buckets backing the Redpanda SQL feature. +|`s3:DeleteBucketPolicy` |Delete |TODO(eng): confirm purpose. +|`+s3:List*+` |Read |TODO(eng): confirm purpose. +|`+s3:Get*+` |Read |TODO(eng): confirm purpose. +|`s3:CreateBucket` |Write |TODO(eng): confirm purpose. +|`s3:DeleteBucket` |Delete |TODO(eng): confirm purpose. +|`s3:PutBucketTagging` |Write |TODO(eng): confirm purpose. +|`s3:PutBucketPublicAccessBlock` |Write |TODO(eng): confirm purpose. +|`s3:PutEncryptionConfiguration` |Write |TODO(eng): confirm purpose. +|`s3:PutBucketOwnershipControls` |Write |TODO(eng): confirm purpose. +|`s3:DeleteObject` |Delete |TODO(eng): confirm purpose. +|`s3:DeleteObjectVersion` |Delete |TODO(eng): confirm purpose. +|=== + +.Terraform +[%collapsible] +==== +[source,hcl] +---- +statement { + sid = "RedpandaAgentOxlaCreateBucket" + effect = "Allow" + actions = [ + "s3:PutBucketPolicy", + "s3:DeleteBucketPolicy", + "s3:List*", + "s3:Get*", + "s3:CreateBucket", + "s3:DeleteBucket", + "s3:PutBucketTagging", + "s3:PutBucketPublicAccessBlock", + "s3:PutEncryptionConfiguration", + "s3:PutBucketOwnershipControls", + "s3:DeleteObject", + "s3:DeleteObjectVersion" + ] + resources = ["arn:aws:s3:::oxla-*", "arn:aws:s3:::oxla-*/*"] +} +---- +==== endif::[] ifdef::env-gcp[] From 421332463d3d26ae9e92993367249d74389e5134 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 17:35:25 -0600 Subject: [PATCH 2/6] DOC-2297: reformat GCP and Azure IAM policy pages to match AWS Rebuild the GCP and Azure sections of the iam-policies.adoc partial from cloudv2 source (role_redpanda_agent.tf, azure/agent/iam.tf) into the same friendly, anchored sections with Permission | Access | Why it is needed tables, plus a collapsible full role definition. Both keep the agent-based framing (no cross-account delegation this release). Refresh from source also closes drift: GCP adds secretmanager.* and serviceusage.* and a Redpanda SQL storage role; Azure adds the private endpoint / private DNS / Log Analytics actions the published page lacked. Reuses Denis's "why" text where the permission still exists; newer actions are marked TODO(eng). Reformatted at PM (Denis) request for consistency. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/security/partials/iam-policies.adoc | 924 ++++++++++++-------- 1 file changed, 554 insertions(+), 370 deletions(-) diff --git a/modules/security/partials/iam-policies.adoc b/modules/security/partials/iam-policies.adoc index 112b22cdc..5b8a33bb4 100644 --- a/modules/security/partials/iam-policies.adoc +++ b/modules/security/partials/iam-policies.adoc @@ -1433,437 +1433,621 @@ statement { endif::[] ifdef::env-gcp[] -When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the GCP API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users. +// DOC-2297: reformatted for consistency with AWS. Rebuilt from cloudv2 +// pkg/provisioners/gcp/terraform/agent/role_redpanda_agent.tf. GCP keeps the +// agent-based model (no cross-account delegation in this release). +// TODO(eng): supply "why" text for cells marked TODO(eng); confirm the +// Kubernetes Engine Admin / Storage Object Admin predefined-role grants. +When you run `rpk cloud byoc gcp apply` to create a BYOC cluster, you grant these permissions to the Redpanda Cloud agent service account. The agent uses them to call the GCP API and manage cluster resources on your behalf. The permissions follow the principle of least privilege. They are _not_ required by Redpanda Cloud end users, and your GCP account does not need them for the initial Terraform bootstrap. [NOTE] ==== -* This page lists the IAM permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. Your GCP account does not need these permissions for the initial Terraform bootstrap. This does _not_ pertain to permissions for xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters]. -* No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. +This page covers the permissions the Redpanda agent service account uses to manage xref:get-started:cluster-types/byoc/gcp/create-byoc-cluster-gcp.adoc[BYOC cluster] resources. It does _not_ apply to xref:get-started:cluster-types/byoc/gcp/vpc-byo-gcp.adoc[BYOVPC clusters]. ==== -== GCP IAM policies - -The Redpanda agent service account for GCP is granted the following roles/permissions to manage -Redpanda cluster resources: +[NOTE] +==== +These permissions are granted to the Redpanda agent service account within the Redpanda-managed GCP project. Two capabilities are granted as predefined roles rather than individual permissions: *Kubernetes Engine Admin* (full management of the GKE cluster) and *Storage Object Admin* (object access, scoped to a single Tiered Storage bucket). +==== +[cols="1,4", options="header"] +|=== +|Access level |Meaning +|Read |`get`/`list` actions. Cannot modify or delete resources. +|Write |Creates, updates, or uses resources. +|Delete |Removes resources. |=== -| Role/Permission | Description - -| compute.addresses.get -| Allows a user to retrieve a specified address. - -| compute.autoscalers.get -| Allows a user to retrieve a specified autoscaler. - -| compute.autoscalers.list -| Allows a user to list autoscalers in a specified zone. - -| compute.firewalls.create -| Allows a user to create firewall rules to control inbound and outbound traffic for GCP instances. - -| compute.firewalls.delete -| Allows a user or service account to remove existing firewall rules from within a GCP project, modifying the network security configuration. - -| compute.firewalls.get -| Allows a user to view the details and configuration of a specific firewall rule for GCP projects. - -| compute.firewalls.update -| Allows a user to modify a specified firewall. - -| compute.forwardingRules.create -| Allows a user to create new forwarding rules within a project. - -| compute.forwardingRules.delete -| Allows a user to delete existing forwarding rules within a project. - -| compute.forwardingRules.get -| Allows a user to retrieve details about a specific forwarding rule within a project. - -| compute.forwardingRules.pscCreate -| Allows a user to create Private Service Connect forwarding rules within a project. - -| compute.forwardingRules.pscDelete -| Allows a user to delete Private Service Connect forwarding rules within a project. - -| compute.forwardingRules.pscSetLabels -| Allows a user to set or modify labels on Private Service Connect forwarding rules within a project. - -| compute.forwardingRules.pscSetTarget -| Allows a user to update the target service for a Private Service Connect forwarding rule. - -| compute.forwardingRules.pscUpdate -| Allows a user to update Private Service Connect forwarding rules within a project. - -| compute.forwardingRules.setLabels -| Allows a user to set, update, or remove labels on forwarding rules. - -| compute.forwardingRules.setTarget -| Allows a user to update the target of an existing forwarding rule. - -| compute.forwardingRules.use -| Allows a user to use a forwarding rule for traffic routing or other operations, without the ability to modify or delete it. - -| compute.globalOperations.get -| Allows a user to retrieve information about a specific global operation in a GCP project. - -| compute.instanceGroupManagers.create -| Allows a user to create a managed instance group. - -| compute.instanceGroupManagers.delete -| Allows a user to delete a specified managed instance group. - -| compute.instanceGroupManagers.get -| Allows a user or service account to retrieve details like the configuration, status, and properties of an instance group manager within GCP. - -| compute.instanceGroupManagers.update -| Allows a user to modify a specified managed instance group. - -| compute.instanceGroups.create -| Allows a user to create an instance group. - -| compute.instanceGroups.delete -| Allows a user to delete a specified instance group. - -| compute.instanceGroups.get -| Allows a user to retrieve a specified instance group. - -| compute.instanceGroups.update -| Allows a user to modify a specified instance group. - -| compute.instances.create -| Allows a user to create an instance. - -| compute.instances.delete -| Allows a user to delete a specified instance. - -| compute.instances.get -| Allows a user to retrieve a specified instance. - -| compute.instances.list -| Allows a user to list instances contained within a specified zone. - -| compute.instances.reset -| Allows a user to perform a reset on the specified instance. - -| compute.instances.setDeletionProtection -| Allows a user to enable deletion protection on a specified instance. - -| compute.instances.update -| Allows a user to modify a specified instance. - -| compute.instances.use -| Allows a user to use VM instances for operations, such as connecting to or interacting with the VM, but it does not grant the ability to modify or manage the instance itself. - -| compute.instanceTemplates.create -| Allows a user to create an instance template. - -| compute.instanceTemplates.delete -| Allows a user to delete a specified instance template. - -| compute.instanceTemplates.get -| Allows a user to retrieve a specified instance template. - -| compute.networks.create -| Allows a user to create a network. - -| compute.networks.delete -| Allows a user to delete a specified network. - -| compute.networks.getEffectiveFirewalls -| Allows a user to retrieve the effective firewalls for a specified network. - -| compute.networks.update -| Allows a user to modify a specified network. - -| compute.networks.updatePolicy -| Allows a user to update the configuration of existing GCP network resources. - -| compute.networks.use -| Allows a user to use a VPC network and its associated resources for tasks like launching instances or using network services, but it does not grant permission to modify the network itself. - -| compute.projects.get -| Allows a user or service account to retrieve information (such as project metadata, quotas, and configuration settings) about a specific GCP project. - -| compute.regionBackendServices.create -| Allows a user to create backend services in a specific region for a regional load balancer. - -| compute.regionBackendServices.delete -| Allows a user to delete backend services within a specific region. - -| compute.regionBackendServices.get -| Allows a user to retrieve information about a backend service within a specific region. - -| compute.regionBackendServices.use -| Allows a user to use a backend service in a specific region for operations like routing traffic, but does not grant the ability to modify or delete the backend service. - -| compute.regionNetworkEndpointGroups.attachNetworkEndpoints -| Allows a user to attach network endpoints to a regional network endpoint group (NEG). - -| compute.regionNetworkEndpointGroups.create -| Allows a user to create a NEG within a specific region. - -| compute.regionNetworkEndpointGroups.delete -| Allows a user to delete a NEG in a specific region. - -| compute.regionNetworkEndpointGroups.detachNetworkEndpoints -| Allows a user to remove network endpoints from a regional NEG. - -| compute.regionNetworkEndpointGroups.get -| Allows a user to retrieve information about a specific NEG within a region. -| compute.regionNetworkEndpointGroups.use -| Allows a user to use a NEG within a specific region, typically for traffic routing and load balancing operations, without granting the ability to modify or delete the NEG itself. +== Compute and Kubernetes -| compute.regions.get -| Allows a user to retrieve a specified region. +Manages the Compute Engine instances, instance groups and templates, autoscalers, and disks that run the Redpanda data plane, plus the operations and zone/region metadata needed to provision them. Kubernetes cluster management is granted through the Kubernetes Engine Admin role. -| compute.regions.list -| Allows a user to retrieve a list of the available regions in a GCP project. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`compute.autoscalers.get` |Read |Required to read autoscaler configuration so Redpanda Cloud can safely scale the compute backing your cluster. +|`compute.autoscalers.list` |Read |Required to enumerate autoscalers when managing the compute that runs your Redpanda cluster. +|`compute.disks.get` |Read |Required to read details of the persistent disks attached to your cluster's brokers (used when applying labels and validating storage). +|`compute.disks.list` |Read |Required to enumerate the persistent disks belonging to your cluster. +|`compute.disks.setLabels` |Write |Required to apply Redpanda-managed labels to your cluster's persistent disks for identification, cost tracking, and lifecycle management. +|`compute.globalOperations.get` |Read |Required to check the status of long-running GCP operations initiated on your cluster's behalf. +|`compute.globalOperations.list` |Read |Required to inspect long-running GCP operations so Redpanda Cloud can detect quota exhaustion, capacity stockouts, and other provisioning errors affecting your cluster. +|`compute.instanceGroupManagers.create` |Write |Required to create the managed instance groups that run the compute nodes of your Redpanda cluster. +|`compute.instanceGroupManagers.delete` |Delete |Required to delete managed instance groups when nodes or the cluster are being removed. +|`compute.instanceGroupManagers.get` |Read |Required to read managed instance group configuration to validate and reconcile the state of your cluster's compute. +|`compute.instanceGroupManagers.list` |Read |Required to enumerate managed instance groups belonging to your Redpanda cluster. +|`compute.instanceGroupManagers.update` |Write |Required to update managed instance groups when scaling, upgrading, or reconfiguring your cluster. +|`compute.instanceGroups.create` |Write |Required to create the instance groups that back your Redpanda cluster's compute. +|`compute.instanceGroups.delete` |Delete |Required to delete instance groups during cluster changes or teardown. +|`compute.instanceGroups.get` |Read |Required to read instance group details when managing your cluster's compute. +|`compute.instanceGroups.update` |Write |Required to update instance groups as your cluster is scaled or reconfigured. +|`compute.instanceTemplates.create` |Write |Required to create the instance templates that define how your Redpanda cluster's nodes are provisioned. +|`compute.instanceTemplates.delete` |Delete |Required to delete obsolete instance templates during upgrades and teardown. +|`compute.instanceTemplates.get` |Read |Required to read instance template details when validating and provisioning your cluster. +|`compute.instances.create` |Write |Required to provision the compute instances (VMs) that host your Redpanda cluster's brokers and supporting workloads. +|`compute.instances.delete` |Delete |Required to deprovision compute instances when nodes are replaced, scaled down, or the cluster is torn down. +|`compute.instances.get` |Read |Required to read instance details for health checks, validation, and reconciliation of your cluster's compute. +|`compute.instances.list` |Read |Required to enumerate the instances that make up your Redpanda cluster. +|`compute.instances.reset` |Write |Required to reset (hard-reboot) an instance during recovery when a node becomes unresponsive. +|`compute.instances.setDeletionProtection` |Write |Required to apply deletion protection to cluster instances so they cannot be accidentally destroyed. +|`compute.instances.setLabels` |Write |Required to apply Redpanda-managed labels to your cluster's instances for identification, cost tracking, and lifecycle management. +|`compute.instances.update` |Write |Required to update instance configuration as part of scaling, upgrades, or reconfiguration of your cluster. +|`compute.instances.use` |Write |Required so Redpanda Cloud can attach instances to networking resources (such as Private Service Connect network endpoint groups) that provide connectivity to your cluster. +|`compute.projects.get` |Read |Required to read basic GCP project metadata (such as default network settings) needed to provision resources for your cluster. +|`compute.regionOperations.get` |Read |Required to check the status of regional operations initiated on your cluster's behalf (including Private Service Connect operations). +|`compute.regionOperations.list` |Read |TODO(eng): confirm purpose. +|`compute.regions.get` |Read |Required to read region metadata when provisioning resources for your cluster. +|`compute.regions.list` |Read |Required to enumerate available regions when placing and validating your cluster. +|`compute.zoneOperations.get` |Read |Required to check the status of zonal operations so Redpanda Cloud can detect quota exhaustion, capacity stockouts, and other provisioning errors affecting your cluster. +|`compute.zoneOperations.list` |Read |Required to inspect zonal operations for detecting quota and capacity issues that affect your cluster's health. +|`compute.zones.get` |Read |Required to read zone metadata when placing your cluster's compute resources. +|`compute.zones.list` |Read |Required to enumerate available zones when provisioning and validating your cluster. +|=== -| compute.routers.get -| Allows a user to retrieve a specified router. +== Networking and connectivity -| compute.serviceAttachments.create -| Allows a user to create service attachments for Google Cloud services within a specific project or region. +Manages the VPC network, firewall rules, forwarding rules and Private Service Connect endpoints, backend services, network endpoint groups, service attachments, subnetworks, and Cloud DNS zones and records. -| compute.serviceAttachments.delete -| Allows a user to delete service attachments that are configured in a project or region. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`compute.addresses.get` |Read |Required to read static IP address details when provisioning and managing the network endpoints used by your Redpanda cluster. +|`compute.firewalls.create` |Write |Required so Redpanda Cloud can create the firewall rules that protect your cluster's network and allow only intended traffic. +|`compute.firewalls.delete` |Delete |Required so Redpanda Cloud can remove firewall rules it created when they are no longer needed (e.g., cluster changes or teardown). +|`compute.firewalls.get` |Read |Required to inspect existing firewall rules to validate cluster networking and detect drift from the expected configuration. +|`compute.firewalls.update` |Write |Required so Redpanda Cloud can update firewall rules as your cluster's networking requirements change. +|`compute.forwardingRules.create` |Write |Required to create the forwarding rules that establish Private Service Connect (PSC) endpoints so you can privately reach your Redpanda cluster. +|`compute.forwardingRules.delete` |Delete |Required to remove PSC forwarding rules when endpoints or the cluster are torn down. +|`compute.forwardingRules.get` |Read |Required to read PSC forwarding rule details when validating and reconciling private connectivity to your cluster. +|`compute.forwardingRules.pscCreate` |Write |Required to create Private Service Connect forwarding rules that let you privately reach your Redpanda cluster. +|`compute.forwardingRules.pscDelete` |Write |Required to delete Private Service Connect forwarding rules when private connectivity is being removed. +|`compute.forwardingRules.pscSetLabels` |Write |Required to apply Redpanda-managed labels to PSC forwarding rules for identification, cost tracking, and lifecycle management. +|`compute.forwardingRules.pscSetTarget` |Write |Required to configure the target of PSC forwarding rules so private connections resolve to your Redpanda cluster. +|`compute.forwardingRules.pscUpdate` |Write |Required to update PSC forwarding rules as your private connectivity configuration changes. +|`compute.forwardingRules.setLabels` |Write |Required to apply Redpanda-managed labels to forwarding rules for identification, cost tracking, and lifecycle management. +|`compute.forwardingRules.setTarget` |Write |Required to configure forwarding rule targets so traffic is directed to the correct components of your Redpanda cluster. +|`compute.forwardingRules.use` |Write |Required so Redpanda Cloud can attach forwarding rules to your cluster's networking resources. +|`compute.networks.create` |Write |Required to create the VPC network resources that carry your Redpanda cluster's traffic (when Redpanda Cloud manages the network). +|`compute.networks.delete` |Delete |Required to remove VPC network resources that Redpanda Cloud created when they are no longer needed. +|`compute.networks.getEffectiveFirewalls` |Read |Required to inspect the effective firewall rules on your VPC so Redpanda Cloud can validate that cluster networking is correctly configured. +|`compute.networks.update` |Write |Required to update VPC network configuration on networks that Redpanda Cloud manages for your cluster. +|`compute.networks.updatePolicy` |Write |Required to update network-level policies applied to the VPC hosting your cluster. +|`compute.networks.use` |Write |Required so Redpanda Cloud can attach your cluster's resources (instances, service attachments, endpoints) to the VPC network. +|`compute.regionBackendServices.create` |Write |Required to create the regional backend services that route Private Service Connect traffic to your Redpanda cluster. +|`compute.regionBackendServices.delete` |Delete |Required to delete regional backend services when PSC connectivity or the cluster is being torn down. +|`compute.regionBackendServices.get` |Read |Required to read regional backend service details when validating and reconciling private connectivity. +|`compute.regionBackendServices.use` |Write |Required so Redpanda Cloud can attach backend services to forwarding rules and service attachments serving your cluster. +|`compute.regionNetworkEndpointGroups.attachNetworkEndpoints` |Write |Required to attach your cluster's broker instances to the network endpoint groups that back Private Service Connect. +|`compute.regionNetworkEndpointGroups.create` |Write |Required to create the network endpoint groups that expose your cluster's brokers through Private Service Connect. +|`compute.regionNetworkEndpointGroups.delete` |Delete |Required to delete network endpoint groups when PSC connectivity or the cluster is being torn down. +|`compute.regionNetworkEndpointGroups.detachNetworkEndpoints` |Write |Required to detach broker instances from network endpoint groups during scaling, replacement, or teardown. +|`compute.regionNetworkEndpointGroups.get` |Read |Required to read network endpoint group details when validating and reconciling PSC connectivity. +|`compute.regionNetworkEndpointGroups.use` |Write |Required so Redpanda Cloud can attach network endpoint groups to the backend services and forwarding rules serving your cluster. +|`compute.routers.get` |Read |Required to read Cloud Router configuration when validating VPC networking used by your cluster. +|`compute.serviceAttachments.create` |Write |Required to create the Private Service Connect service attachments that publish your Redpanda cluster for private consumption. +|`compute.serviceAttachments.delete` |Delete |Required to delete PSC service attachments when private connectivity or the cluster is being torn down. +|`compute.serviceAttachments.get` |Read |Required to read PSC service attachment details when validating and reconciling private connectivity. +|`compute.serviceAttachments.list` |Read |Required to enumerate PSC service attachments belonging to your cluster. +|`compute.serviceAttachments.update` |Write |Required to update PSC service attachments as private connectivity settings (such as allow-lists) change. +|`compute.subnetworks.get` |Read |Required to read subnetwork details when validating and placing your cluster's resources on the correct subnets. +|`compute.subnetworks.use` |Write |Required so Redpanda Cloud can place your cluster's instances and endpoints in the appropriate subnets. +|`dns.changes.create` |Write |Required to publish DNS record changes so clients can resolve the endpoints of your Redpanda cluster (including external-DNS updates from the underlying GKE cluster). +|`dns.changes.get` |Read |Required to check the status of pending DNS record changes for your cluster's endpoints. +|`dns.changes.list` |Read |Required to enumerate DNS record changes when reconciling the DNS state for your cluster. +|`dns.managedZones.create` |Write |Required to create the managed DNS zones that host your Redpanda cluster's endpoint records. +|`dns.managedZones.delete` |Delete |Required to delete managed DNS zones created by Redpanda Cloud when they are no longer needed. +|`dns.managedZones.get` |Read |Required to read managed DNS zone details when reconciling your cluster's DNS configuration. +|`dns.managedZones.list` |Read |Required to enumerate managed DNS zones associated with your cluster (used by external-DNS and by Redpanda's validation). +|`dns.managedZones.update` |Write |Required to update managed DNS zone configuration as your cluster's DNS needs change. +|`dns.projects.get` |Read |Required to read Cloud DNS project settings when managing DNS for your cluster. +|`dns.resourceRecordSets.create` |Write |Required to create DNS records so clients can resolve your Redpanda cluster's endpoints (used by external-DNS). +|`dns.resourceRecordSets.delete` |Delete |Required to remove DNS records when endpoints are decommissioned or the cluster is torn down. +|`dns.resourceRecordSets.get` |Read |Required to read DNS record details when reconciling your cluster's DNS state. +|`dns.resourceRecordSets.list` |Read |Required to enumerate DNS records associated with your cluster. +|`dns.resourceRecordSets.update` |Write |Required to update DNS records as your cluster's endpoints change. +|=== -| compute.serviceAttachments.get -| Allows a user to retrieve information about an existing service attachment in a project or region. +== Storage -| compute.serviceAttachments.list -| Allows a user to list all service attachments within a project or region. +Reads bucket metadata and manages the IAM policy on the Tiered Storage bucket. Object-level access is granted through the Storage Object Admin role, scoped to a single bucket. -| compute.serviceAttachments.update -| Allows a user to update or modify a service attachment in a project or region. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`storage.buckets.get` |Read |Required to read storage bucket details for the buckets used by your cluster (for example, Tiered Storage). +|`storage.buckets.getIamPolicy` |Read |Required to inspect IAM bindings on your cluster's storage buckets to validate access is correctly configured. +|`storage.buckets.setIamPolicy` |Write |Required to grant your cluster's service accounts access to the storage buckets it uses (for example, Tiered Storage). +|=== -| compute.subnetworks.get -| Allows a user to retrieve a specified subnetwork. +== Identity and access -| compute.zoneOperations.get -| Allows a user to retrieve a specified zone operation. +Creates and manages the custom role, service accounts, and project-level IAM bindings the cluster components need. -| compute.zoneOperations.list -| Allows a user to list zone operations. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`iam.roles.create` |Write |Required to create the custom IAM roles that grant Redpanda Cloud components least-privilege access needed to operate your cluster. +|`iam.roles.delete` |Delete |Required to delete custom IAM roles created by Redpanda Cloud when they are no longer needed. +|`iam.roles.get` |Read |Required to read custom IAM role definitions to validate that the correct permissions are in place for your cluster. +|`iam.roles.list` |Read |Required to enumerate IAM roles when validating and reconciling the permissions granted for your cluster. +|`iam.roles.undelete` |Write |Required to restore an accidentally deleted custom IAM role so your cluster's operation is not disrupted. +|`iam.roles.update` |Write |Required to update custom IAM role definitions as Redpanda Cloud's required permissions evolve. +|`iam.serviceAccounts.actAs` |Write |Required so Redpanda Cloud components can impersonate the service accounts used to operate your cluster (following GCP's least-privilege delegation model). +|`iam.serviceAccounts.create` |Write |Required to create the service accounts used by the various components that run your Redpanda cluster. +|`iam.serviceAccounts.delete` |Delete |Required to delete service accounts created by Redpanda Cloud when they are no longer needed. +|`iam.serviceAccounts.get` |Read |Required to read service account details to validate that your cluster's components have the correct identities. +|`iam.serviceAccounts.getIamPolicy` |Read |Required to inspect service account IAM bindings when validating and reconciling permissions for your cluster. +|`iam.serviceAccounts.setIamPolicy` |Write |Required to grant the necessary IAM bindings on service accounts so cluster components can act on their behalf. +|`iam.serviceAccounts.update` |Write |Required to update service account configuration as your cluster evolves. +|`resourcemanager.projects.get` |Read |Required to read basic project metadata used by all Redpanda Cloud components (cluster provisioning, connectors, and application services) that run in your project. +|`resourcemanager.projects.getIamPolicy` |Read |Required to inspect your project's IAM policy to validate that the necessary bindings for Redpanda Cloud are correctly in place. +|`resourcemanager.projects.setIamPolicy` |Write |Required to grant the project-level IAM bindings needed for Redpanda Cloud to operate your cluster. +|=== -| compute.zones.get -| Allows a user to retrieve a specified zone. +== Secrets management -| compute.zones.list -| Allows a user to retrieve a list of the available zones in a GCP project. +Lists and deletes the Secret Manager secrets Redpanda creates for your cluster. -| dns.changes.create -| Allows a user to create and update DNS resource record sets. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`secretmanager.secrets.delete` |Delete |TODO(eng): confirm purpose. +|`secretmanager.secrets.list` |Read |TODO(eng): confirm purpose. +|=== -| dns.changes.get -| Allows a user to retrieve the information about an existing DNS change. +== Service enablement -| dns.changes.list -| Allows a user to retrieve a list of changes to DNS resource record sets. +Enables and reads the state of the GCP APIs (services) that your cluster depends on. -| dns.managedZones.create -| Allows a user to create a new managed zone. A DNS managed zone holds the Domain Name System (DNS) records for the same DNS name suffix. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`serviceusage.services.enable` |Write |TODO(eng): confirm purpose. +|`serviceusage.services.get` |Read |TODO(eng): confirm purpose. +|=== -| dns.managedZones.delete -| Allows a user or service account to delete managed zones within the Google Cloud DNS project. +== Observability -| dns.managedZones.get -| Allows a user or service account to retrieve information about a specific DNS managed zone. This permission is used in the context of Google Cloud DNS, which is a scalable and reliable domain name system (DNS) service. +Writes log entries for the agent and cluster components. -| dns.managedZones.list -| Allows a user or service account to list the managed zones within a Google Cloud DNS project. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`logging.logEntries.create` |Write |Required so your Redpanda cluster and the underlying GKE cluster can write operational logs to Cloud Logging in your project. +|=== -| dns.managedZones.update -| Allows a user to update or modify the configuration of a managed DNS zone within a Google Cloud DNS project. +== Optional feature permissions -| dns.projects.get -| Allows a user to retrieve information about an existing GCP DNS project. +[NOTE] +==== +The following permissions apply only when you use Redpanda SQL. They are granted through a separate custom role (internally named for `oxla`, the legacy name for Redpanda SQL). TODO(eng): confirm feature-gating. +==== -| dns.resourceRecordSets.create -| Allows a user to create resource record sets within a DNS zone. +=== Manage Redpanda SQL storage buckets -| dns.resourceRecordSets.delete -| Allows a user to delete resource record sets within a DNS zone. +Creates and manages the Cloud Storage bucket that holds Redpanda SQL metadata. -| dns.resourceRecordSets.get -| Allows a user or service account to retrieve information about resource record sets within a managed DNS zone. +[cols="3,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`storage.buckets.create` |Write |TODO(eng): confirm purpose. +|`storage.buckets.delete` |Delete |TODO(eng): confirm purpose. +|`storage.buckets.update` |Write |TODO(eng): confirm purpose. +|`storage.objects.delete` |Delete |TODO(eng): confirm purpose. +|`storage.objects.list` |Read |TODO(eng): confirm purpose. +|=== -| dns.resourceRecordSets.list -| Allows a user or service account to retrieve a list of resource record sets that are part of a particular DNS zone. +== Full role definition -| dns.resourceRecordSets.update -| Allows a user or service account to make changes to the resource records in a DNS zone. +The complete set of permissions in the Redpanda agent custom role: -| iam.roles.create -| Allows a user to create a custom role for a GCP project or an organization. +.Terraform +[%collapsible] +==== +[source,hcl] +---- +permissions = [ + "compute.addresses.get", + "compute.autoscalers.get", + "compute.autoscalers.list", + "compute.firewalls.create", + "compute.firewalls.delete", + "compute.firewalls.get", + "compute.firewalls.update", + "compute.forwardingRules.use", + "compute.globalOperations.get", + "compute.globalOperations.list", + "compute.instanceGroupManagers.create", + "compute.instanceGroupManagers.delete", + "compute.instanceGroupManagers.get", + "compute.instanceGroupManagers.list", + "compute.instanceGroupManagers.update", + "compute.instanceGroups.create", + "compute.instanceGroups.delete", + "compute.instanceGroups.get", + "compute.instanceGroups.update", + "compute.instances.create", + "compute.instances.delete", + "compute.instances.get", + "compute.instances.list", + "compute.instances.reset", + "compute.instances.setDeletionProtection", + "compute.instances.update", + "compute.instanceTemplates.create", + "compute.instanceTemplates.delete", + "compute.instanceTemplates.get", + "compute.instances.setLabels", + "compute.disks.get", + "compute.disks.list", + "compute.disks.setLabels", + "compute.networks.create", + "compute.networks.delete", + "compute.networks.getEffectiveFirewalls", + "compute.networks.update", + "compute.networks.updatePolicy", + "compute.projects.get", + "compute.regionOperations.get", + "compute.regionOperations.list", + "compute.regions.get", + "compute.regions.list", + "compute.routers.get", + "compute.serviceAttachments.create", + "compute.serviceAttachments.delete", + "compute.serviceAttachments.get", + "compute.serviceAttachments.list", + "compute.serviceAttachments.update", + "compute.subnetworks.get", + "compute.subnetworks.use", + "compute.zoneOperations.get", + "compute.zoneOperations.list", + "compute.zones.get", + "compute.zones.list", + "dns.changes.create", + "dns.changes.get", + "dns.changes.list", + "dns.managedZones.create", + "dns.managedZones.delete", + "dns.managedZones.get", + "dns.managedZones.list", + "dns.managedZones.update", + "dns.projects.get", + "dns.resourceRecordSets.create", + "dns.resourceRecordSets.delete", + "dns.resourceRecordSets.get", + "dns.resourceRecordSets.list", + "dns.resourceRecordSets.update", + "iam.roles.create", + "iam.roles.delete", + "iam.roles.get", + "iam.roles.list", + "iam.roles.undelete", + "iam.roles.update", + "iam.serviceAccounts.actAs", + "iam.serviceAccounts.create", + "iam.serviceAccounts.delete", + "iam.serviceAccounts.get", + "iam.serviceAccounts.getIamPolicy", + "iam.serviceAccounts.setIamPolicy", + "iam.serviceAccounts.update", + "logging.logEntries.create", + "resourcemanager.projects.get", + "resourcemanager.projects.getIamPolicy", + "resourcemanager.projects.setIamPolicy", + "storage.buckets.get", + "storage.buckets.getIamPolicy", + "storage.buckets.setIamPolicy", + "compute.forwardingRules.create", + "compute.forwardingRules.delete", + "compute.forwardingRules.get", + "compute.forwardingRules.setLabels", + "compute.forwardingRules.setTarget", + "compute.forwardingRules.pscCreate", + "compute.forwardingRules.pscDelete", + "compute.forwardingRules.pscSetLabels", + "compute.forwardingRules.pscSetTarget", + "compute.forwardingRules.pscUpdate", + "compute.instances.use", + "compute.networks.use", + "compute.regionBackendServices.create", + "compute.regionBackendServices.delete", + "compute.regionBackendServices.get", + "compute.regionBackendServices.use", + "compute.regionNetworkEndpointGroups.attachNetworkEndpoints", + "compute.regionNetworkEndpointGroups.create", + "compute.regionNetworkEndpointGroups.delete", + "compute.regionNetworkEndpointGroups.detachNetworkEndpoints", + "compute.regionNetworkEndpointGroups.get", + "compute.regionNetworkEndpointGroups.use", + "secretmanager.secrets.list", + "secretmanager.secrets.delete", + "serviceusage.services.enable", + "serviceusage.services.get", +] +---- +==== +endif::[] -| iam.roles.delete -| Allows a user to delete a custom role from a GCP project or an organization. +ifdef::env-azure[] +// DOC-2297: reformatted for consistency with AWS. Rebuilt from cloudv2 +// pkg/provisioners/azure/terraform/agent/iam.tf. Azure keeps the agent-based +// model (no cross-account delegation in this release). +// TODO(eng): supply "why" text for cells marked TODO(eng). +When you run `rpk cloud byoc azure apply` to create a BYOC cluster, you grant these permissions to the Redpanda Cloud agent. The agent uses them to call the Azure API and manage cluster resources on your behalf. The permissions follow the principle of least privilege. They are _not_ required by Redpanda Cloud end users. -| iam.roles.get -| Allows a user to retrieve information about a specific role, including its permissions. +[NOTE] +==== +This page covers the permissions Redpanda needs to create xref:get-started:cluster-types/byoc/azure/create-byoc-cluster-azure.adoc[BYOC clusters]. It does _not_ apply to xref:get-started:cluster-types/byoc/azure/vnet-azure.adoc[BYOVNet clusters]. +==== -| iam.roles.list -| Allows a user to list predefined roles, or the custom roles for a project or an organization. +[NOTE] +==== +Azure RBAC for the agent is scoped to the cluster resource groups, for example `rg-rpcloud-`, `rg-rpcloud--network`, and `rg-rpcloud--storage`. Permissions are granted through a single custom role definition; the full definition is available at the end of this page. +==== -| iam.roles.undelete -| Allows a user to undelete a custom role from an organization or a project. +[cols="1,4", options="header"] +|=== +|Access level |Meaning +|Read |`/read` actions. Cannot modify or delete resources. +|Write |`/write` and `/action` operations. +|Delete |`/delete` actions. +|=== -| iam.roles.update -| Allows a user to update an IAM custom role. +== Compute and Kubernetes -| iam.serviceAccounts.actAs -| Allows a service account to act as another service account or user within a GCP project. This permission is used to delegate authority to one service account to impersonate or perform actions on behalf of another service account or user. +Manages the AKS managed clusters and their agent (node) pools that run the Redpanda data plane. -| iam.serviceAccounts.create -| Allows a user to create a service account for a project. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.ContainerService/managedClusters/agentPools/delete` |Delete |Required to remove AKS node pools when scaling down or decommissioning your Redpanda cluster. +|`Microsoft.ContainerService/managedClusters/agentPools/read` |Read |Needed so Redpanda Cloud can inspect the state of the AKS node pools that host your Redpanda brokers. +|`Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action` |Write |Required to apply node image upgrades so the underlying OS running your Redpanda brokers stays patched and secure. +|`Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.ContainerService/managedClusters/agentPools/write` |Write |Required to provision and scale the AKS node pools that run your Redpanda brokers and supporting workloads. +|`Microsoft.ContainerService/managedClusters/delete` |Delete |Required to tear down the AKS cluster that hosts Redpanda when you decommission your environment. +|`Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action` |Write |TODO(eng): confirm purpose. +|`Microsoft.ContainerService/managedClusters/listClusterUserCredential/action` |Write |Required so Redpanda Cloud can obtain kubeconfig credentials to operate and manage the AKS cluster running your Redpanda deployment. +|`Microsoft.ContainerService/managedClusters/read` |Read |Needed so Redpanda Cloud can read the configuration and status of the AKS cluster hosting your Redpanda deployment. +|`Microsoft.ContainerService/managedClusters/upgradeProfiles/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.ContainerService/managedClusters/write` |Write |Required to create and update the AKS cluster that hosts your managed Redpanda deployment. +|=== -| iam.serviceAccounts.delete -| Allows a user to delete a service account for a project. +== Networking and connectivity -| iam.serviceAccounts.get -| Allows a user or service account to retrieve metadata and configuration information about a particular service account within a project. This includes information such as the email address, display name, and IAM policies associated with the service account. +Joins the cluster to the virtual network and subnets, manages public and private DNS zones and private endpoints, reads Private Link services, and manages public IP addresses. -| iam.serviceAccounts.getIamPolicy -| Allows a user to retrieve the IAM policy for a service account. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.Network/dnszones/SOA/read` |Read |Needed to read DNS zone SOA records when reconciling the DNS configuration that exposes your Redpanda cluster endpoints. +|`Microsoft.Network/dnszones/delete` |Delete |Required to remove DNS records for your Redpanda cluster endpoints when the cluster is decommissioned. +|`Microsoft.Network/dnszones/read` |Read |Needed so Redpanda Cloud can look up the DNS zone used to publish endpoints for your Redpanda cluster. +|`Microsoft.Network/dnszones/write` |Write |Required to create and update DNS records so clients can resolve your Redpanda cluster endpoints. +|`Microsoft.Network/privateDnsZones/A/delete` |Delete |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/A/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/A/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/SOA/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/SOA/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/delete` |Delete |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/join/action` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete` |Delete |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/virtualNetworkLinks/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/virtualNetworkLinks/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateDnsZones/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/delete` |Delete |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete` |Delete |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/read` |Read |TODO(eng): confirm purpose. +|`Microsoft.Network/privateEndpoints/write` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/privatelinkservices/read` |Read |Needed so Redpanda Cloud can inspect Private Link services used to expose your Redpanda cluster privately to your VNets. +|`Microsoft.Network/publicIPAddresses/delete` |Delete |Required to release public IP addresses when networking resources for your Redpanda cluster are decommissioned. +|`Microsoft.Network/publicIPAddresses/read` |Read |Needed so Redpanda Cloud can inspect the public IP addresses associated with your cluster's ingress endpoints. +|`Microsoft.Network/publicIPAddresses/write` |Write |Required to allocate the public IP addresses used for the ingress endpoints of your Redpanda cluster (when public access is enabled). +|`Microsoft.Network/publicIPPrefixes/join/action` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/virtualNetworks/join/action` |Write |TODO(eng): confirm purpose. +|`Microsoft.Network/virtualNetworks/read` |Read |Needed so Redpanda Cloud can inspect the virtual network in which your Redpanda cluster is deployed. +|`Microsoft.Network/virtualNetworks/subnets/delete` |Delete |Required to remove subnets provisioned for your Redpanda cluster when it is decommissioned. +|`Microsoft.Network/virtualNetworks/subnets/join/action` |Write |Required so AKS nodes, load balancers, and private endpoints for your Redpanda cluster can attach to the designated subnets. +|`Microsoft.Network/virtualNetworks/subnets/read` |Read |Needed so Redpanda Cloud can inspect the subnets used by your Redpanda cluster. +|`Microsoft.Network/virtualNetworks/subnets/write` |Write |Required to create and configure the subnets that host the AKS nodes and networking resources for your Redpanda cluster. +|=== -| iam.serviceAccounts.setIamPolicy -| Allows a user to set the IAM policy for a service account. +== Storage -| iam.serviceAccounts.update -| Allows a user to modify the service account for a project. +Manages the storage accounts and blob containers backing Tiered Storage, and reads the Key Vault. -| logging.logEntries.create -| Allows a user to write log entries. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.KeyVault/vaults/read` |Read |Needed so Redpanda Cloud can look up the Key Vault used to store cluster secrets and encryption keys. +|`Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action` |Write |TODO(eng): confirm purpose. +|`Microsoft.Storage/storageAccounts/blobServices/containers/delete` |Delete |Required to remove the blob container used for tiered storage when the associated Redpanda cluster is decommissioned. +|`Microsoft.Storage/storageAccounts/blobServices/containers/read` |Read |Needed so Redpanda Cloud can inspect the blob container that backs tiered storage for your cluster. +|`Microsoft.Storage/storageAccounts/blobServices/containers/write` |Write |Required to create and configure the blob container used for tiered storage of your Redpanda topic data. +|`Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action` |Write |Required to issue short-lived user delegation keys for scoped, time-bound access to blobs, avoiding the use of long-lived storage account keys. +|`Microsoft.Storage/storageAccounts/blobServices/read` |Read |Needed so Redpanda Cloud can inspect the blob service configuration on the storage account backing your cluster. +|`Microsoft.Storage/storageAccounts/blobServices/write` |Write |Required to configure blob service settings (such as retention and versioning) on the storage account that backs tiered storage. +|`Microsoft.Storage/storageAccounts/delete` |Delete |Required to remove the storage account provisioned for your Redpanda cluster when it is decommissioned. +|`Microsoft.Storage/storageAccounts/fileServices/read` |Read |Needed to read file service metadata on the storage account so Redpanda Cloud can reconcile its full configuration. +|`Microsoft.Storage/storageAccounts/fileServices/shares/read` |Read |Needed to read file share metadata on the storage account so Redpanda Cloud can reconcile its full configuration. +|`Microsoft.Storage/storageAccounts/listkeys/action` |Write |Required to retrieve storage account keys used for authenticated access to the storage account backing your Redpanda cluster. +|`Microsoft.Storage/storageAccounts/queueServices/read` |Read |Needed to read queue service metadata on the storage account so Redpanda Cloud can reconcile its full configuration. +|`Microsoft.Storage/storageAccounts/read` |Read |Needed so Redpanda Cloud can inspect the storage account used for tiered storage of your Redpanda topic data. +|`Microsoft.Storage/storageAccounts/read` |Read |Needed so Redpanda Cloud can inspect the storage account used for tiered storage of your Redpanda topic data. +|`Microsoft.Storage/storageAccounts/write` |Write |Required to create and configure the storage account that backs tiered storage for your Redpanda cluster. +|=== + +== Identity and access + +Manages the role assignments, role definitions, and user-assigned managed identities (including federated credentials) the cluster components need. + +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.Authorization/roleAssignments/delete` |Delete |Required to remove role assignments when tearing down or reconfiguring identities used by your Redpanda cluster. +|`Microsoft.Authorization/roleAssignments/read` |Read |Needed so Redpanda Cloud can verify the correct role assignments are in place for the managed identities powering your cluster. +|`Microsoft.Authorization/roleAssignments/write` |Write |Required to grant the managed identities used by your Redpanda cluster the specific roles they need on your Azure resources. +|`Microsoft.Authorization/roleDefinitions/delete` |Delete |Required to remove the least-privilege custom role definitions Redpanda creates when your cluster is decommissioned. +|`Microsoft.Authorization/roleDefinitions/read` |Read |Needed so Redpanda Cloud can inspect existing custom role definitions before managing identities and permissions in your subscription. +|`Microsoft.Authorization/roleDefinitions/write` |Write |Required to create and update the scoped custom role definitions that give Redpanda workloads only the permissions they need. +|`Microsoft.ManagedIdentity/userAssignedIdentities/assign/action` |Write |Required to attach user-assigned managed identities to the AKS and storage resources that make up your Redpanda cluster. +|`Microsoft.ManagedIdentity/userAssignedIdentities/delete` |Delete |Required to remove user-assigned managed identities when your Redpanda cluster is decommissioned. +|`Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete` |Delete |Required to remove federated identity credentials when Redpanda workloads are torn down or reconfigured. +|`Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read` |Read |Needed so Redpanda Cloud can verify the federated identity credentials that let Redpanda workloads authenticate to Azure without static secrets. +|`Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write` |Write |Required to create federated identity credentials so Redpanda workloads running in AKS can authenticate to Azure services securely via workload identity, without long-lived secrets. +|`Microsoft.ManagedIdentity/userAssignedIdentities/read` |Read |Needed so Redpanda Cloud can inspect the user-assigned managed identities used by your cluster. +|`Microsoft.ManagedIdentity/userAssignedIdentities/write` |Write |Required to create and update the user-assigned managed identities that Redpanda workloads use to access Azure resources on your behalf. +|=== -| resourcemanager.projects.get -| Allows a user or service account to view project details, such as project ID, name, labels, and other project-level settings. This permission controls the ability to retrieve the metadata and configuration of a project in GCP using the Resource Manager API. +== Monitoring -| resourcemanager.projects.getIamPolicy -| Allows a user or service account to retrieve the IAM access control policy for a specified project. Permission is denied if the policy or the resource does not exist. +Reads Log Analytics workspace keys used to reconcile node pools. -| resourcemanager.projects.setIamPolicy -| Allows a user or service account to set the IAM access control policy for the specified project. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.OperationalInsights/workspaces/sharedkeys/read` |Read |TODO(eng): confirm purpose. +|=== -| storage.buckets.get -| Allows a user to retrieve metadata and configuration information about a specific bucket in Google Cloud Storage. Users with this permission can view details such as the bucket's name, location, storage class, access control settings, and other attributes. +== Resource group -| storage.buckets.getIamPolicy -| Allows a user to retrieve the IAM policy for a bucket. +Reads the resource groups the cluster is deployed into. -| storage.buckets.setIamPolicy -| Allows a user to set the IAM policy for a bucket. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.Resources/subscriptions/resourcegroups/read` |Read |Needed so Redpanda Cloud can verify the target resource group exists and confirm it has the correct permissions before deploying your cluster. +|=== -| Storage Object Admin -| Grants full control of bucket objects. The Redpanda Agent Storage Admin grant is scoped to a single bucket. +== Data-plane actions -| Kubernetes Engine Admin -| Full management of Kubernetes clusters and their Kubernetes API objects. +These `data_actions` let Redpanda read and write your topic data in the Tiered Storage blob containers. +[cols="4,1,5", options="header"] +|=== +|Permission |Access |Why it is needed +|`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action` |Write |Required so Redpanda can write topic data to the blob storage container used for tiered storage. _(Data-plane action.)_ +|`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete` |Delete |Required so Redpanda can remove expired or compacted objects from the blob storage container used for tiered storage, according to your retention policies. _(Data-plane action.)_ +|`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action` |Write |Required so Redpanda can reorganize objects in the tiered storage container as part of normal data lifecycle operations. _(Data-plane action.)_ +|`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read` |Read |Required so Redpanda can read topic data stored in the tiered storage blob container when serving consumer reads. _(Data-plane action.)_ +|`Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write` |Write |Required so Redpanda can upload topic segments to the blob storage container that backs tiered storage for your cluster. _(Data-plane action.)_ |=== -endif::[] +== Full role definition -ifdef::env-azure[] -When you run `rpk cloud byoc azure apply` to create a BYOC cluster, you grant IAM permissions to the Redpanda Cloud agent. IAM permissions allow the agent to access the Azure API to create and manage cluster resources. The permissions follow the principle of least privilege, limiting access to only what is necessary. IAM permissions are not required by Redpanda Cloud users. +The complete set of `actions` and `data_actions` in the agent custom role: -[NOTE] +.Terraform +[%collapsible] +==== +[source,hcl] +---- +actions = [ + "Microsoft.Resources/subscriptions/resourcegroups/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/write", + "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", + "Microsoft.Network/dnszones/read", + "Microsoft.Network/dnszones/write", + "Microsoft.Network/dnszones/delete", + "Microsoft.Network/dnszones/SOA/read", + "Microsoft.Network/privatelinkservices/read", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.ContainerService/managedClusters/read", + "Microsoft.ContainerService/managedClusters/delete", + "Microsoft.ContainerService/managedClusters/write", + "Microsoft.ContainerService/managedClusters/upgradeProfiles/read", + "Microsoft.ContainerService/managedClusters/agentPools/read", + "Microsoft.ContainerService/managedClusters/agentPools/write", + "Microsoft.ContainerService/managedClusters/agentPools/delete", + "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action", + "Microsoft.ContainerService/managedClusters/agentPools/upgradeProfiles/read", + "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", + "Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action", + "Microsoft.Network/virtualNetworks/read", + "Microsoft.Network/virtualNetworks/subnets/join/action", + "Microsoft.Network/virtualNetworks/subnets/read", + "Microsoft.Network/virtualNetworks/subnets/write", + "Microsoft.Network/virtualNetworks/subnets/delete", + "Microsoft.Authorization/roleAssignments/read", + "Microsoft.Authorization/roleAssignments/write", + "Microsoft.Authorization/roleAssignments/delete", + "Microsoft.Authorization/roleDefinitions/write", + "Microsoft.Authorization/roleDefinitions/read", + "Microsoft.Authorization/roleDefinitions/delete", + "Microsoft.ManagedIdentity/userAssignedIdentities/read", + "Microsoft.ManagedIdentity/userAssignedIdentities/write", + "Microsoft.ManagedIdentity/userAssignedIdentities/delete", + "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", + "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read", + "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write", + "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete", + "Microsoft.Storage/storageAccounts/read", + "Microsoft.Storage/storageAccounts/write", + "Microsoft.Storage/storageAccounts/delete", + "Microsoft.Storage/storageAccounts/blobServices/read", + "Microsoft.Storage/storageAccounts/blobServices/write", + "Microsoft.Storage/storageAccounts/PrivateEndpointConnectionsApproval/action", + "Microsoft.Network/privateEndpoints/read", + "Microsoft.Network/privateEndpoints/write", + "Microsoft.Network/privateEndpoints/delete", + "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/read", + "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/write", + "Microsoft.Network/privateEndpoints/privateDnsZoneGroups/delete", + "Microsoft.Network/privateDnsZones/read", + "Microsoft.Network/privateDnsZones/write", + "Microsoft.Network/privateDnsZones/delete", + "Microsoft.Network/privateDnsZones/join/action", + "Microsoft.Network/privateDnsZones/SOA/read", + "Microsoft.Network/privateDnsZones/SOA/write", + "Microsoft.Network/privateDnsZones/A/read", + "Microsoft.Network/privateDnsZones/A/write", + "Microsoft.Network/privateDnsZones/A/delete", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks/read", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks/write", + "Microsoft.Network/privateDnsZones/virtualNetworkLinks/delete", + "Microsoft.Network/virtualNetworks/join/action", + "Microsoft.Network/publicIPAddresses/read", + "Microsoft.Network/publicIPAddresses/write", + "Microsoft.Network/publicIPAddresses/delete", + "Microsoft.Network/publicIPPrefixes/join/action", + "Microsoft.Storage/storageAccounts/queueServices/read", + "Microsoft.Storage/storageAccounts/fileServices/read", + "Microsoft.Storage/storageAccounts/fileServices/shares/read", + "Microsoft.Storage/storageAccounts/listkeys/action", + "Microsoft.KeyVault/vaults/read", + "Microsoft.OperationalInsights/workspaces/sharedkeys/read", +] +data_actions = [ + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", + "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action", +] +---- ==== -* This page lists the IAM permissions Redpanda needs to create xref:get-started:cluster-types/byoc/azure/create-byoc-cluster-azure.adoc[BYOC clusters]. This _does not_ pertain to xref:get-started:cluster-types/byoc/azure/vnet-azure.adoc[BYOVNet clusters]. -* No IAM permissions are required for Redpanda Cloud users. IAM policies do not grant user access to a cluster; rather, they grant the deployed Redpanda agent access, so that brokers can communicate with the BYOC clusters. -==== - -Azure RBAC (role-based access control) is scoped to resource groups. For example: - -``` -"/subscriptions//resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg", - "/subscriptions//resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-network", - "/subscriptions//resourceGroups/rg-rpcloud-cqh5itt4650ot3irs5mg-storage" - ], - "permissions": [ - { -``` - -== Azure IAM policies - -IAM policies are assigned to deployed Redpanda agents for BYOC Azure -clusters that use the following Azure services: - - actions = [ - # Ability to read the resource group - "Microsoft.Resources/subscriptions/resourcegroups/read", - # Storage Containers - "Microsoft.Storage/storageAccounts/blobServices/containers/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/write", - "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action", - # Create DNS Zones - "Microsoft.Network/dnszones/read", - "Microsoft.Network/dnszones/write", - "Microsoft.Network/dnszones/delete", - # Workaround for TF needing to import the zone when it already exists. - "Microsoft.Network/dnszones/SOA/read", - # Private link read - "Microsoft.Network/privatelinkservices/read", - # The agent needs access to the storage account in order to access the data - "Microsoft.Storage/storageAccounts/read", - # Manage AKS Clusters - "Microsoft.ContainerService/managedClusters/read", - "Microsoft.ContainerService/managedClusters/delete", - "Microsoft.ContainerService/managedClusters/write", - "Microsoft.ContainerService/managedClusters/agentPools/read", - "Microsoft.ContainerService/managedClusters/agentPools/write", - "Microsoft.ContainerService/managedClusters/agentPools/delete", - "Microsoft.ContainerService/managedClusters/agentPools/upgradeNodeImageVersion/action", - # Without this, cannot create node pools to the specified AKS cluster - "Microsoft.ContainerService/managedClusters/listClusterUserCredential/action", - # Allows joining to a VNet - "Microsoft.Network/virtualNetworks/read", - "Microsoft.Network/virtualNetworks/subnets/join/action", - "Microsoft.Network/virtualNetworks/subnets/read", - "Microsoft.Network/virtualNetworks/subnets/write", - "Microsoft.Network/virtualNetworks/subnets/delete", - # Allow agent to manage role assignments for the Redpanda cluster - "Microsoft.Authorization/roleAssignments/read", - "Microsoft.Authorization/roleAssignments/write", - "Microsoft.Authorization/roleAssignments/delete", - # Allow agent to manage role definitions for the Redpana cluster - "Microsoft.Authorization/roleDefinitions/write", - "Microsoft.Authorization/roleDefinitions/read", - "Microsoft.Authorization/roleDefinitions/delete", - # Allow agent to manage identities for the Redpanda cluster - "Microsoft.ManagedIdentity/userAssignedIdentities/read", - "Microsoft.ManagedIdentity/userAssignedIdentities/write", - "Microsoft.ManagedIdentity/userAssignedIdentities/delete", - "Microsoft.ManagedIdentity/userAssignedIdentities/assign/action", - "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read", - "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write", - "Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete", - # Allow agent to manage tiered storage bucket for the Redpanda cluster - "Microsoft.Storage/storageAccounts/read", - "Microsoft.Storage/storageAccounts/write", - "Microsoft.Storage/storageAccounts/delete", - "Microsoft.Storage/storageAccounts/blobServices/read", - "Microsoft.Storage/storageAccounts/blobServices/write", - # Allow agent to read public IPs - "Microsoft.Network/publicIPAddresses/read", - "Microsoft.Network/publicIPAddresses/write", - "Microsoft.Network/publicIPAddresses/delete", - # Creating the RP storage account requires these additional permissions to workaround https://github.com/hashicorp/terraform-provider-azurerm/issues/25521 - "Microsoft.Storage/storageAccounts/queueServices/read", - "Microsoft.Storage/storageAccounts/fileServices/read", - "Microsoft.Storage/storageAccounts/fileServices/shares/read", - "Microsoft.Storage/storageAccounts/listkeys/action", - # Read the keyvault - "Microsoft.KeyVault/vaults/read" - ] - data_actions = [ - # Storage Containers - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action", - "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action" - ] endif::[] From 1be0a3d7c68114177706f9ad1f7feb714bbbee2e Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 20:49:12 -0600 Subject: [PATCH 3/6] DOC-2297: make AWS create page cross-account-first; consolidate Rewrite create-byoc-cluster-aws.adoc so cross-account IAM delegation is the primary path for new AWS clusters: grant IAM permissions (create the cross-account role) as a prerequisite, then create the cluster. Retire the separate cross-account-iam-aws.adoc how-to and fold it in; its IDs are kept as page-aliases so links redirect to the create page. - nav: drop the standalone cross-account how-to entry - byoc-arch.adoc, whats-new-cloud.adoc: repoint links to the create page - cluster-types/byoc/index.adoc: note cross-account delegation for AWS The "Grant IAM permissions" section is self-contained so it can be split into a dedicated prerequisite page later if the real Terraform makes it long. Still draft: TODO(team) placeholders remain pending SME answers. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/ROOT/nav.adoc | 1 - modules/get-started/pages/byoc-arch.adoc | 2 +- .../byoc/aws/create-byoc-cluster-aws.adoc | 80 ++++++++++++------- .../byoc/aws/cross-account-iam-aws.adoc | 72 ----------------- .../pages/cluster-types/byoc/index.adoc | 3 + .../get-started/pages/whats-new-cloud.adoc | 2 +- 6 files changed, 55 insertions(+), 105 deletions(-) delete mode 100644 modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc diff --git a/modules/ROOT/nav.adoc b/modules/ROOT/nav.adoc index 15069ecf6..78d6a9346 100644 --- a/modules/ROOT/nav.adoc +++ b/modules/ROOT/nav.adoc @@ -11,7 +11,6 @@ ** xref:get-started:cluster-types/byoc/index.adoc[BYOC] *** xref:get-started:cluster-types/byoc/aws/index.adoc[AWS] **** xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[] -**** xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[] **** xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[] *** xref:get-started:cluster-types/byoc/azure/index.adoc[Azure] **** xref:get-started:cluster-types/byoc/azure/create-byoc-cluster-azure.adoc[] diff --git a/modules/get-started/pages/byoc-arch.adoc b/modules/get-started/pages/byoc-arch.adoc index 003b2c720..50308f107 100644 --- a/modules/get-started/pages/byoc-arch.adoc +++ b/modules/get-started/pages/byoc-arch.adoc @@ -71,6 +71,6 @@ New BYOC clusters on AWS use *cross-account IAM delegation*. Instead of bootstra | Run `rpk cloud byoc apply` |=== -Cross-account IAM delegation applies only to new clusters on AWS. Migrating an existing cluster is not supported, and the agent-based model described above continues to apply to existing clusters and to clusters on Azure and GCP. To deploy a new AWS cluster with cross-account IAM delegation, see xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation]. For the permissions the role grants, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +Cross-account IAM delegation applies only to new clusters on AWS. Migrating an existing cluster is not supported, and the agent-based model described above continues to apply to existing clusters and to clusters on Azure and GCP. To deploy a new AWS cluster with cross-account IAM delegation, see xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS]. For the permissions the role grants, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. include::get-started:partial$no-access.adoc[] \ No newline at end of file diff --git a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc index acf8804b1..6f1738f42 100644 --- a/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc +++ b/modules/get-started/pages/cluster-types/byoc/aws/create-byoc-cluster-aws.adoc @@ -1,41 +1,65 @@ = Create a BYOC Cluster on AWS -:description: Use the Redpanda Cloud UI to create a BYOC cluster on AWS. -:page-aliases: get-started:cluster-types/byoc/create-byoc-cluster-aws.adoc, cloud:create-byoc-cluster-aws.adoc, deploy:deployment-option/cloud/create-byoc-cluster-aws.adoc +:description: Create a new BYOC cluster on AWS with cross-account IAM delegation, where Redpanda assumes an IAM role you create to provision and manage the cluster. +:page-aliases: get-started:cluster-types/byoc/create-byoc-cluster-aws.adoc, cloud:create-byoc-cluster-aws.adoc, deploy:deployment-option/cloud/create-byoc-cluster-aws.adoc, get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc, deploy:deployment-option/cloud/cluster-types/byoc/aws/cross-account-iam-aws.adoc + +// ============================================================================ +// DOC-2297 DRAFT — new AWS BYOC clusters use cross-account IAM delegation +// (ENG-1139, targeted 26.2 / 2026-07-14). Blocked on team answers: +// TODO(team) 1: exact Cloud UI / deployment wizard steps (ENG-1129). +// TODO(team) 2: where customers get the role Terraform, and how it is delivered. +// TODO(team) 3: whether the external ID is shown before role creation, and the +// exact step ordering (CIAINFRA-3970). +// TODO(team) 4: exact role name and trust policy content. +// TODO(team) 5: confirm whether agent-based creation (rpk cloud byoc aws apply) +// is still offered for NEW AWS clusters, or fully replaced. +// Do not publish until GA and the above are resolved. +// ============================================================================ + +New BYOC clusters on AWS use *cross-account IAM delegation*: you create an IAM role in your AWS account, and Redpanda's control plane assumes that role to provision and reconcile your cluster. Redpanda runs the deployment for you, so you do not run `rpk cloud byoc aws apply` or host a provisioning agent in your account. Because you own the role, you can review, audit, and revoke Redpanda's access at any time. See also xref:get-started:byoc-arch.adoc#provisioning-models-on-aws[Provisioning models on AWS]. -To create a Redpanda cluster in your virtual private cloud (VPC), follow the instructions in the Redpanda Cloud UI. The UI contains the parameters necessary to successfully run `rpk cloud byoc apply`. See also: xref:get-started:byoc-arch.adoc[BYOC architecture]. - -NOTE: With standard BYOC clusters, Redpanda manages security policies and resources for your VPC, including subnetworks, service accounts, IAM roles, firewall rules, and storage buckets. For the highest level of security, you can manage these resources yourself with a xref:./vpc-byo-aws.adoc[BYOVPC cluster on AWS]. - -// DOC-2297: point new-cluster users to cross-account IAM delegation. Confirm/finalize at GA (2026-07-14). -[TIP] +[NOTE] ==== -New BYOC clusters on AWS can use xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[cross-account IAM delegation], where Redpanda provisions your cluster by assuming an IAM role you create, so you do not run `rpk cloud byoc aws apply`. The steps on this page describe the agent-based model, which still applies to existing clusters. See xref:get-started:byoc-arch.adoc#provisioning-models-on-aws[Provisioning models on AWS]. +* With standard BYOC clusters, Redpanda manages security policies and resources for your VPC, including subnetworks, service accounts, IAM roles, firewall rules, and storage buckets. For the highest level of security, you can manage these resources yourself with a xref:./vpc-byo-aws.adoc[BYOVPC cluster on AWS]. +* Cross-account IAM delegation applies to *new AWS clusters* only. Migrating an existing cluster is not supported, and existing clusters continue to use the xref:get-started:byoc-arch.adoc#provisioning-models-on-aws[agent-based model]. TODO(team 5): confirm whether agent-based creation is still offered for new AWS clusters. ==== -== Prerequisites +== How it works -Before you deploy a BYOC cluster on AWS, check that the user creating the cluster has the following prerequisites: +You grant Redpanda access before you create the cluster, in two parts: -* A minimum version of Redpanda `rpk` v24.1. See xref:manage:rpk/rpk-install.adoc[]. -* The user authenticating to AWS has `AWSAdministratorAccess` access to create the IAM policies specified in xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +* A *permissions policy* that grants the access Redpanda needs to provision and manage your cluster. For the full list and an explanation of each permission, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +* A *trust policy* that allows only Redpanda's control plane to assume the role, scoped by a unique external ID. -* The user has the AWS variables necessary to authenticate. Use either: -+ --- -** `AWS_PROFILE` or -** `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` +Redpanda then assumes the role using AWS Security Token Service (STS), presenting the external ID, and provisions your cluster. + +// TODO(team 4): confirm role name, session duration, and trust policy details. + +== Prerequisites -To verify access, you should be able to successfully run `aws sts get-caller-identity` for your region. For more information, see the https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-caller-identity.html[AWS CLI reference^]. --- +* An AWS account with permission to create IAM roles and policies (for example, `AWSAdministratorAccess`). +* Terraform installed, or another way to apply the configuration Redpanda provides. TODO(team 2): confirm the supported tooling and where customers obtain the configuration. -== Create a BYOC cluster +== Grant IAM permissions + +Create the cross-account IAM role that Redpanda assumes to provision your cluster. + +// TODO(team 2, 3): replace with the confirmed workflow once the Terraform delivery +// mechanism and external-ID ordering are known. . Log in to https://cloud.redpanda.com[Redpanda Cloud^]. -. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. +. Start creating a BYOC cluster on AWS and note the external ID that Redpanda generates for your cross-account role. TODO(team 3): confirm exact UI location. +. Apply the Redpanda-provided Terraform configuration in your AWS account to create the IAM role, its permissions policy, and its trust policy (scoped to the external ID from the previous step). TODO(team 2): add the configuration or a link to it. +. Provide the resulting role ARN to Redpanda in the Cloud UI. TODO(team 1): confirm the field and screen. + +== Create the cluster + +// TODO(team 1): align these steps with the deployment wizard (ENG-1129). + +. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. . Enter a cluster name, then select the resource group, provider (AWS), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. + [NOTE] -==== +==== * If you plan to create a private network in your own VPC, select the region where your VPC is located. * Three availability zones provide two backups in case one availability zone goes down. ==== @@ -55,12 +79,7 @@ NOTE: After the cluster is created, you can change the API Gateway access on the To route all cluster egress through your own AWS Transit Gateway and hub VPC instead of a per-VPC NAT Gateway, set the *Transit Gateway ID* field on this page. The field is only available on clusters with a private connection type, and is only visible if centralized egress is enabled for your organization. This option is in beta. See xref:networking:byoc/aws/nat-free-egress.adoc[]. ==== . Click *Next*. -. On the Deploy page, follow the steps to log in to Redpanda Cloud and deploy the agent. -+ -As part of agent deployment: -+ -** Redpanda assigns the permission required to run the agent. For details about these permissions, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. -** Redpanda allocates one Elastic IP (EIP) address in AWS for each BYOC cluster. +. Complete the deployment. Redpanda assumes your cross-account role and provisions the cluster. No agent runs in your account, and you do not run `rpk cloud byoc aws apply`. Redpanda allocates one Elastic IP (EIP) address in AWS for each BYOC cluster. include::get-started:partial$no-access.adoc[] @@ -70,4 +89,5 @@ include::get-started:partial$custom-tags-aws.adoc[] == Next steps -xref:networking:byoc/aws/index.adoc[Configure private networking] +* xref:security:authorization/cloud-iam-policies.adoc[Review the AWS IAM policies] that your cross-account role grants. +* xref:networking:byoc/aws/index.adoc[Configure private networking] diff --git a/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc b/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc deleted file mode 100644 index 6d3d10bed..000000000 --- a/modules/get-started/pages/cluster-types/byoc/aws/cross-account-iam-aws.adoc +++ /dev/null @@ -1,72 +0,0 @@ -= Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation -:description: Create a cross-account IAM role that Redpanda assumes to provision and manage new BYOC clusters on AWS, without running rpk cloud byoc apply. -:page-aliases: deploy:deployment-option/cloud/cluster-types/byoc/aws/cross-account-iam-aws.adoc -:env-aws: true - -// ============================================================================ -// DOC-2297 DRAFT — cross-account IAM delegation (ENG-1139), 26.2, AWS only, new -// clusters only. Blocked on team answers before this can be finalized: -// TODO(team) 1: exact Cloud UI / deployment wizard steps (ENG-1129). -// TODO(team) 2: where the customer gets the role Terraform, and how it is delivered. -// TODO(team) 3: whether the external ID is shown in the UI before role creation, -// and the exact step ordering (CIAINFRA-3970). -// TODO(team) 4: exact role name and trust policy content. -// Do not publish until GA (targeted 2026-07-14) and the above are resolved. -// ============================================================================ - -With cross-account IAM delegation, you create an IAM role in your AWS account that Redpanda assumes to provision and reconcile your BYOC cluster. Redpanda runs the deployment for you, so you do not run `rpk cloud byoc aws apply` or host a provisioning agent in your account. This is the recommended way to deploy new BYOC clusters on AWS. - -[NOTE] -==== -* Cross-account IAM delegation applies to *new* BYOC clusters on *AWS* only. To deploy on Azure or GCP, or to manage a cluster you created before this feature was available, see xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS]. -* Migrating an existing cluster to cross-account IAM delegation is not supported. -* This page does not apply to xref:get-started:cluster-types/byoc/aws/vpc-byo-aws.adoc[BYOVPC clusters]. -==== - -== How it works - -Instead of running a provisioning agent inside your AWS account, Redpanda's control plane assumes an IAM role that you own: - -. You create an IAM role in your AWS account using a Terraform configuration that Redpanda provides. The role has: -+ --- -* A *permissions policy* that grants the access Redpanda needs to provision and manage your cluster. For the full list and an explanation of each permission, see xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. -* A *trust policy* that allows only Redpanda's control plane to assume the role, scoped by a unique external ID. --- -. Redpanda's control plane assumes the role using AWS Security Token Service (STS), presenting the external ID, and uses the granted permissions to provision, configure, and reconcile your cluster. - -Because Redpanda assumes a role you control, you can review and audit the exact permissions at any time, and you can revoke access by deleting the role. - -// TODO(team 4): confirm role name, session duration, and trust policy details before publishing. - -== Prerequisites - -* An AWS account with permission to create IAM roles and policies (for example, `AWSAdministratorAccess`). -* Terraform installed, or another way to apply the configuration Redpanda provides. TODO(team 2): confirm the supported tooling and where customers obtain the configuration. -* The external ID that Redpanda generates for your cross-account role. TODO(team 3): confirm where this is shown in the Cloud UI and whether it is available before role creation. - -== Create the cross-account role - -// TODO(team 2, 3): replace this section with the confirmed workflow once the -// Terraform delivery mechanism and external-ID ordering are known. - -. Log in to https://cloud.redpanda.com[Redpanda Cloud^]. -. Start creating a BYOC cluster on AWS and note the external ID that Redpanda generates for your cross-account role. TODO(team 3): confirm exact UI location. -. Apply the Redpanda-provided Terraform configuration in your AWS account to create the IAM role, its permissions policy, and its trust policy (scoped to the external ID from the previous step). TODO(team 2): add the configuration or a link to it. -. Provide the resulting role ARN to Redpanda in the Cloud UI. TODO(team 1): confirm the field and screen. - -== Create the cluster - -// TODO(team 1): align these steps with the deployment wizard (ENG-1129). - -. On the Clusters page, click *Create cluster*, then click *Create* for BYOC. -. Enter a cluster name, then select the resource group, provider (AWS), xref:reference:tiers/byoc-tiers.adoc[region, tier], availability, and Redpanda version. -. Complete the network configuration. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] for details about the network options. -. Complete the deployment. Redpanda assumes your cross-account role and provisions the cluster. No agent runs in your account, and you do not run `rpk cloud byoc aws apply`. - -include::get-started:partial$no-access.adoc[] - -== Next steps - -* xref:security:authorization/cloud-iam-policies.adoc[Review the AWS IAM policies] that your cross-account role grants. -* xref:networking:byoc/aws/index.adoc[Configure private networking] diff --git a/modules/get-started/pages/cluster-types/byoc/index.adoc b/modules/get-started/pages/cluster-types/byoc/index.adoc index c4d69cf76..c0bbf2ba1 100644 --- a/modules/get-started/pages/cluster-types/byoc/index.adoc +++ b/modules/get-started/pages/cluster-types/byoc/index.adoc @@ -11,6 +11,9 @@ Bring Your Own Cloud (BYOC) lets you run Redpanda in your own cloud environment Your data never leaves your environment, giving you extra security and control. See xref:get-started:byoc-arch.adoc[BYOC architecture] for details. Redpanda manages provisioning, monitoring, upgrades, and security policies, and it manages required resources in your VPC or VNet, including subnets (subnetworks in GCP), IAM roles, and object storage resources (for example, S3 buckets or Azure Storage accounts). You get hands-off operations with a 99.99% uptime guarantee while keeping full control of your data. +// DOC-2297: AWS-only, new clusters, targeted 26.2. Confirm/finalize at GA. +On AWS, new BYOC clusters use xref:get-started:byoc-arch.adoc#provisioning-models-on-aws[cross-account IAM delegation]: you create an IAM role that Redpanda assumes to provision your cluster, instead of running `rpk cloud byoc apply`. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS]. + If you want to manage the networking infrastructure yourself, create a Bring Your Own Virtual Private Cloud (BYOVPC) or Bring Your Own Virtual Network (BYOVNet) cluster. With BYOVPC/BYOVNet, the Redpanda agent does not create or change resources in your account. This is ideal for organizations with stringent compliance requirements or existing network configurations, when you need full control over the network lifecycle. Compared to standard BYOC, BYOVPC/BYOVNet provides more security, but the configuration is more complex. See the xref:get-started:cloud-overview.adoc#shared-responsibility-model[shared responsibility model] to understand what you manage versus what Redpanda manages. IMPORTANT: Don't deploy other workloads on the BYOC infrastructure that Redpanda manages. \ No newline at end of file diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index 0e4de8946..fe00bc90c 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -12,7 +12,7 @@ This page lists new features added to Redpanda Cloud. // TODO(team): confirm wording and links before publishing; do not publish before GA. === Cross-account IAM delegation for BYOC on AWS -New BYOC clusters on AWS can now use cross-account IAM delegation. Instead of running `rpk cloud byoc aws apply` and hosting a provisioning agent in your account, you create an IAM role that Redpanda's control plane assumes to provision and reconcile your cluster. You control the role, so you can review, audit, and revoke Redpanda's access at any time. This model applies to new AWS clusters only; existing clusters and clusters on Azure and GCP continue to use agent-based provisioning. See xref:get-started:cluster-types/byoc/aws/cross-account-iam-aws.adoc[Deploy a BYOC Cluster on AWS with Cross-Account IAM Delegation] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +New BYOC clusters on AWS can now use cross-account IAM delegation. Instead of running `rpk cloud byoc aws apply` and hosting a provisioning agent in your account, you create an IAM role that Redpanda's control plane assumes to provision and reconcile your cluster. You control the role, so you can review, audit, and revoke Redpanda's access at any time. This model applies to new AWS clusters only; existing clusters and clusters on Azure and GCP continue to use agent-based provisioning. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. === SQL editor in Redpanda Cloud Console From 0fe372ce80b9bd67590e726ddbcb90dfecfda792 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 21:00:41 -0600 Subject: [PATCH 4/6] DOC-2297: forward-reference cross-account model from BYOC setup Add a note in the BYOC setup section so readers know the agent-based rpk cloud byoc apply flow is not the default for new AWS clusters, linking to the Provisioning models on AWS section. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/get-started/pages/byoc-arch.adoc | 3 +++ 1 file changed, 3 insertions(+) diff --git a/modules/get-started/pages/byoc-arch.adoc b/modules/get-started/pages/byoc-arch.adoc index 50308f107..9fc8a5405 100644 --- a/modules/get-started/pages/byoc-arch.adoc +++ b/modules/get-started/pages/byoc-arch.adoc @@ -30,6 +30,9 @@ In the Redpanda Cloud UI, you can identify which plane you're in by the side nav In a BYOC architecture, you deploy the data plane in your own VPC. All network connections into the data plane take place through either a public endpoint, or for private clusters, through Redpanda Cloud network connections such as VPC peering, AWS PrivateLink, Azure Private Link, or GCP Private Service Connect. Customer data never leaves the data plane. +// DOC-2297: forward-reference so readers know the agent flow is not the AWS-new default. +NOTE: On AWS, new clusters use <>. The agent-based setup described here applies to existing AWS clusters and to clusters on Azure and GCP. + A BYOC cluster is initially set up from the control plane. This is a two-step process performed by `rpk cloud byoc apply`: . You bootstrap a virtual machine (VM) in your VPC. From f3385537f500d4e2f0cf9fb3ccd1a2c00ad765eb Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 21:13:39 -0600 Subject: [PATCH 5/6] DOC-2297: plainer, benefit-first What's New entry Rewrite the What's New entry to lead with the benefit (simpler, more transparent deployment) rather than the feature name. Keep 'cross-account IAM delegation' in a parenthetical for searchability. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/get-started/pages/whats-new-cloud.adoc | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index fe00bc90c..a94e58f42 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -10,9 +10,9 @@ This page lists new features added to Redpanda Cloud. // DOC-2297 DRAFT entry (ENG-1139), 26.2, AWS only, new clusters only. Targeted GA 2026-07-14. // TODO(team): confirm wording and links before publishing; do not publish before GA. -=== Cross-account IAM delegation for BYOC on AWS +=== Simpler, more transparent BYOC deployment on AWS -New BYOC clusters on AWS can now use cross-account IAM delegation. Instead of running `rpk cloud byoc aws apply` and hosting a provisioning agent in your account, you create an IAM role that Redpanda's control plane assumes to provision and reconcile your cluster. You control the role, so you can review, audit, and revoke Redpanda's access at any time. This model applies to new AWS clusters only; existing clusters and clusters on Azure and GCP continue to use agent-based provisioning. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +Deploying a new BYOC cluster on AWS is now simpler and gives you more control. Instead of running a command-line tool to bootstrap the cluster yourself, you grant Redpanda access through a standard AWS IAM role that you create (using cross-account IAM delegation), and Redpanda deploys and maintains the cluster for you. Because the role lives in your own AWS account, you can see exactly what Redpanda is allowed to do, and you can change or remove that access at any time. This applies to new clusters on AWS. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. === SQL editor in Redpanda Cloud Console From 2bb02aad143ac01b4f2b6fae4c059f640f92d917 Mon Sep 17 00:00:00 2001 From: micheleRP Date: Thu, 9 Jul 2026 21:15:31 -0600 Subject: [PATCH 6/6] DOC-2297: trim redundant opening in What's New entry Drop the first sentence that echoed the heading; open with the concrete change instead. Co-Authored-By: Claude Opus 4.8 (1M context) --- modules/get-started/pages/whats-new-cloud.adoc | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/modules/get-started/pages/whats-new-cloud.adoc b/modules/get-started/pages/whats-new-cloud.adoc index a94e58f42..78533c3d1 100644 --- a/modules/get-started/pages/whats-new-cloud.adoc +++ b/modules/get-started/pages/whats-new-cloud.adoc @@ -12,7 +12,7 @@ This page lists new features added to Redpanda Cloud. // TODO(team): confirm wording and links before publishing; do not publish before GA. === Simpler, more transparent BYOC deployment on AWS -Deploying a new BYOC cluster on AWS is now simpler and gives you more control. Instead of running a command-line tool to bootstrap the cluster yourself, you grant Redpanda access through a standard AWS IAM role that you create (using cross-account IAM delegation), and Redpanda deploys and maintains the cluster for you. Because the role lives in your own AWS account, you can see exactly what Redpanda is allowed to do, and you can change or remove that access at any time. This applies to new clusters on AWS. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. +When you create a new BYOC cluster on AWS, you no longer run a command-line tool to bootstrap it yourself. Instead, you grant Redpanda access through a standard AWS IAM role that you create (using cross-account IAM delegation), and Redpanda deploys and maintains the cluster for you. Because the role lives in your own AWS account, you can see exactly what Redpanda is allowed to do, and you can change or remove that access at any time. This applies to new clusters on AWS. See xref:get-started:cluster-types/byoc/aws/create-byoc-cluster-aws.adoc[Create a BYOC Cluster on AWS] and xref:security:authorization/cloud-iam-policies.adoc[AWS IAM policies]. === SQL editor in Redpanda Cloud Console