iaas-user-roles.html.md.erb
---
title: IaaS Permissions Guidelines
owner: Program Management
---
This topic describes practices recommended by <%= vars.company_name %> for creating secure IaaS user roles.
The connection between <%= vars.platform_name %> and IaaS providers requires IaaS accounts with appropriate permissions.
These accounts act on behalf of the operator to access IaaS functionality,
such as creating VMs, managing networks and storage, and other related services.
<%= vars.ops_manager %> and <%= vars.app_runtime_full %> (<%= vars.app_runtime_abbr %>) can be configured with IaaS users in different ways depending on your IaaS. Other product tiles and services might also use their own IaaS credentials. Refer to the documentation for those product tiles or services to configure them securely.
##<a id="lpus"></a> Least Privileged Users (LPUs)
<%= vars.company_name %> recommends following the principle of least privilege by scoping privileges to the most restrictive permissions possible for a given role.
If those credentials are exposed, whether through a mistake or a deliberate attack, an LPU limits what the holder can do with them and so limits the scope of the breach.
<%= vars.company_name %> recommends following best practices for the particular IaaS you are deploying.
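As an added example (not part of this topic or of any <%= vars.company_name %> tooling), the following Python script performs a static least-privilege check on an AWS-style IAM policy document. It flags the grants that an LPU should never carry: `Action: "*"`, service-wide wildcards such as `ec2:*`, `NotAction`, write-type actions on `Resource: "*"`, and any grant under IAM, STS or Organizations. The two sample policies, the read-only verb list and the sensitive-service list are constructed for illustration and should be adapted to the permissions your IaaS account actually needs.

```python
"""Static least-privilege check for IaaS credentials.

Added example, not from the original doc. It lints an AWS-style IAM policy
document (JSON) for grants that are broader than a least-privileged user
(LPU) needs. The two sample policies below are constructed for illustration.
"""

import json

# Action verbs treated as read-only; anything else is assumed to change state.
READ_ONLY_VERBS = ("Describe", "List", "Get")

# Services where any grant deserves explicit review, because they can be
# used to mint or widen other credentials.
SENSITIVE_PREFIXES = ("iam:", "sts:", "organizations:")


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_write(action):
    """True unless the action's verb is a known read-only verb ('*' counts as write)."""
    verb = action.split(":", 1)[-1]
    return not verb.startswith(READ_ONLY_VERBS)


def lint_policy(policy):
    """Return [(statement_index, finding), ...] for an IAM policy dict or JSON string.

    Only Allow statements are inspected; Deny statements can only narrow access.
    Wildcards inside ARNs (e.g. 'arn:aws:ec2:*:*:instance/*') are not flagged,
    only the bare '*' resource.
    """
    if isinstance(policy, str):
        policy = json.loads(policy)
    findings = []
    for idx, stmt in enumerate(_as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:
            findings.append((idx, "NotAction allows every action not listed; enumerate actions instead"))
        for action in actions:
            if action == "*":
                findings.append((idx, "Action '*' grants every API call"))
            elif action.endswith(":*"):
                findings.append((idx, f"service-wide wildcard {action}"))
            elif action.lower().startswith(SENSITIVE_PREFIXES):
                findings.append((idx, f"sensitive action {action}; confirm it is required"))
        writes = "NotAction" in stmt or any(_is_write(a) for a in actions)
        if "*" in resources and writes:
            findings.append((idx, "write-type actions on Resource '*'; scope to specific ARNs"))
    return findings


# Constructed sample: the kind of 'just make it work' policy an LPU replaces.
BROAD_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Allow", "NotAction": "iam:*", "Resource": "*"},
        {"Effect": "Allow", "Action": "iam:CreateAccessKey", "Resource": "*"},
    ],
})

# Constructed sample: reads on '*' (most Describe calls cannot be scoped
# further), writes pinned to one account and region, no IAM rights at all.
SCOPED_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:DescribeImages"],
         "Resource": "*"},
        {"Effect": "Allow",
         "Action": ["ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "arn:aws:ec2:us-west-2:123456789012:instance/*"},
        {"Effect": "Deny", "Action": "iam:*", "Resource": "*"},
    ],
})


if __name__ == "__main__":
    for name, doc in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        results = lint_policy(doc)
        print(f"{name}: {len(results)} finding(s)")
        for idx, msg in results:
            print(f"  statement {idx}: {msg}")
```

Run against the two constructed policies, the broad one produces six findings (two per statement) and the scoped one produces none. The check is deliberately conservative: it does not try to decide which specific actions a given tile needs, only to surface grants that are obviously wider than any single role should have, so that they can be compared against the per-IaaS permission lists linked below.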
##<a id="aws"></a>AWS Guidelines
See the recommendations detailed in the [AWS Permissions Guidelines](./aws-iaas-user-roles.html) topic.
##<a id="azure"></a>Azure Guidelines
See the permissions recommendations in [Preparing to Deploy <%= vars.ops_manager %> on Azure Manually](/platform/ops-manager/<%= vars.current_major_version.sub('.', '-') %>/azure/prepare-env-manual.html), and use the minimum permissions necessary when creating your service principal.
##<a id="gcp"></a>GCP Guidelines
For GCP, <%= vars.company_name %> recommends using two separate accounts, each scoped to least privilege.
Use one account with the minimum permissions required to create the GCP resources you need in your GCP project, then create a separate service account with the minimum permissions required to deploy <%= vars.app_runtime_abbr %> and other tiles. Keeping the two apart means that the credentials <%= vars.ops_manager %> holds for day-to-day deployments cannot be used to reshape the project itself. For more information about creating the service account, see _Step 1: Set up IAM Service Accounts_ in [Preparing to Deploy <%= vars.ops_manager %> on GCP Manually](/platform/ops-manager/<%= vars.current_major_version.sub('.', '-') %>/gcp/prepare-env-manual.html#iam_account).
##<a id="openstack"></a>OpenStack Guidelines
For OpenStack, apply the same principle of least privilege: give the OpenStack account that acts on behalf of the operator only the most restrictive permissions its role requires.
##<a id="vsphere"></a>vSphere Guidelines
See the vCenter permissions recommendations in the [Installing <%= vars.platform_name %> on vSphere](vsphere.html#permissions) topic.