Skip to content

DOC-2297: Cross-account IAM delegation for BYOC on AWS (draft)#633

Draft
micheleRP wants to merge 9 commits into
mainfrom
DOC-2297-cross-account-iam
Draft

DOC-2297: Cross-account IAM delegation for BYOC on AWS (draft)#633
micheleRP wants to merge 9 commits into
mainfrom
DOC-2297-cross-account-iam

Conversation

@micheleRP

@micheleRP micheleRP commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Summary

Draft documentation for cross-account IAM delegation for BYOC on AWS (ENG-1139, targeted 26.2 / 2026-07-14). AWS-only, new clusters only; existing clusters and Azure/GCP keep the agent-based rpk cloud byoc apply model.

Jira: https://redpandadata.atlassian.net/browse/DOC-2297

Changes

  • Reference: reworked the AWS section of security:partial$iam-policies.adoc from cloudv2 apps/redpanda-agent/infra/aws/redpanda/agent/instance_profile.tf (30 statements) into friendly, anchored sections with Permission | Access | Why it is needed tables and collapsible Terraform. The published partial had drifted ~90 actions behind source; this restores full parity. GCP and Azure sections reformatted to match (same structure), and refreshed from source to close drift.
  • Concept: new "Provisioning models on AWS" section in byoc-arch.adoc (cross-account vs. agent-based comparison).
  • How-to: reworked the existing AWS create page (create-byoc-cluster-aws.adoc) to be cross-account-first, gave it a cross-account-iam-aws page alias, and cross-linked it with the BYOC architecture page. (No separate page or nav entry was added.)
  • What's New: draft July 2026 entry.

Status: DRAFT — not for merge

Open items are marked inline as TODO(team) / TODO(eng), pending SME confirmation (team post + Denis's permission-justification sheet):

  1. Exact Cloud UI / deploy wizard steps (ENG-1129)
  2. Customer role Terraform delivery mechanism
  3. External ID surfacing + step ordering (CIAINFRA-3970)
  4. Exact role name + trust policy content
  5. Confirm the cross-account role grants the same permission set as the agent policy, and feature-gating (Redpanda SQL / AI Gateway / RDS). The "why it is needed" cells across AWS, GCP, and Azure are now filled in with high-confidence descriptions (researched by Sol 5.6). Only 4 permission cells still need eng confirmation:
    • ec2:ModifyVpcEndpointServicePayerResponsibility
    • Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action
    • Microsoft.Network/publicIPPrefixes/join/action
    • Microsoft.Network/virtualNetworks/join/action

Preview pages

Deploy preview is still building; links go live once the Netlify deploy-preview check passes.

🤖 Generated with Claude Code

Rework the AWS IAM policies reference from cloudv2 source, add a
cross-account deploy how-to and concept, plus a draft What's New entry.
AWS-only, new clusters only (ENG-1139, targeted 26.2). Existing clusters
keep the agent-based rpk cloud byoc apply model.

- security: rebuild AWS section of iam-policies.adoc partial from
  instance_profile.tf (30 statements) into friendly, anchored sections
  with why-tables and collapsible Terraform; reframe for cross-account.
  GCP/Azure sections unchanged.
- get-started: new cross-account-iam-aws.adoc how-to + nav entry
- get-started: byoc-arch.adoc provisioning-models section + create-page
  cross-link TIP
- get-started: draft What's New entry (do not publish before GA)

Contains TODO(team)/TODO(eng) placeholders pending SME confirmation.
Draft, not for merge.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@netlify

netlify Bot commented Jul 9, 2026

Copy link
Copy Markdown

Deploy Preview for rp-cloud ready!

Name Link
🔨 Latest commit 70ed98b
🔍 Latest deploy log https://app.netlify.com/projects/rp-cloud/deploys/6a554ee8cbc3760008650d18
😎 Deploy Preview https://deploy-preview-633--rp-cloud.netlify.app
📱 Preview on mobile
Toggle QR Code...

QR Code

Use your smartphone camera to open QR code link.

To edit notification comments on pull requests, go to your Netlify project configuration.

@coderabbitai

coderabbitai Bot commented Jul 9, 2026

Copy link
Copy Markdown
Contributor

Important

Review skipped

Draft detected.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ffc58f53-6cac-4cc4-a360-af530200ff0e

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

  • 🔍 Trigger review
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Commit unit tests in branch DOC-2297-cross-account-iam

Comment @coderabbitai help to get the list of available commands.

micheleRP and others added 8 commits July 9, 2026 17:35
Rebuild the GCP and Azure sections of the iam-policies.adoc partial from
cloudv2 source (role_redpanda_agent.tf, azure/agent/iam.tf) into the same
friendly, anchored sections with Permission | Access | Why it is needed
tables, plus a collapsible full role definition. Both keep the agent-based
framing (no cross-account delegation this release).

Refresh from source also closes drift: GCP adds secretmanager.* and
serviceusage.* and a Redpanda SQL storage role; Azure adds the private
endpoint / private DNS / Log Analytics actions the published page lacked.

Reuses Denis's "why" text where the permission still exists; newer actions
are marked TODO(eng). Reformatted at PM (Denis) request for consistency.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite create-byoc-cluster-aws.adoc so cross-account IAM delegation is the
primary path for new AWS clusters: grant IAM permissions (create the
cross-account role) as a prerequisite, then create the cluster. Retire the
separate cross-account-iam-aws.adoc how-to and fold it in; its IDs are kept
as page-aliases so links redirect to the create page.

- nav: drop the standalone cross-account how-to entry
- byoc-arch.adoc, whats-new-cloud.adoc: repoint links to the create page
- cluster-types/byoc/index.adoc: note cross-account delegation for AWS

The "Grant IAM permissions" section is self-contained so it can be split
into a dedicated prerequisite page later if the real Terraform makes it long.
Still draft: TODO(team) placeholders remain pending SME answers.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a note in the BYOC setup section so readers know the agent-based
rpk cloud byoc apply flow is not the default for new AWS clusters, linking
to the Provisioning models on AWS section.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite the What's New entry to lead with the benefit (simpler, more
transparent deployment) rather than the feature name. Keep 'cross-account
IAM delegation' in a parenthetical for searchability.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the first sentence that echoed the heading; open with the concrete
change instead.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sol 5.6 researched the purpose of each AWS, GCP, and Azure permission in
the cross-account IAM policies partial and supplied these high-confidence
"Why it is needed" descriptions, replacing 131 TODO(eng) placeholders.

A handful of data-row placeholders remain and still need eng confirmation.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t-iam

# Conflicts:
#	modules/get-started/pages/whats-new-cloud.adoc
Apply verified corrections from Sol 5.6's re-review of the IAM policies:

- Soften the AWS scope statement to acknowledge wildcard-scoped actions.
- sts:GetCallerIdentity: Access Read -> N/A (AWS requires no IAM grant).
- ec2:DetachNetworkInterface: Delete -> Write.
- compute.forwardingRules.pscDelete: Write -> Delete.
- iam:PassRole and iam.serviceAccounts.actAs: correct the mechanics
  (pass role to services; attach service account to resources).
- Microsoft.KeyVault/vaults/read: note it does not grant key/secret access.
- generateUserDelegationKey: drop the contradictory long-lived-keys clause.
- Remove a duplicate Microsoft.Storage/storageAccounts/read row.
- byoc-arch: cover both provisioning models and the effect of revoking access.

Four permission TODOs remain for engineering to confirm.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@micheleRP

Copy link
Copy Markdown
Contributor Author

Open questions for engineering

The IAM permission tables are drafted, but a few cells and framing points need SME confirmation before this leaves draft. Every permission gets a customer-facing "Why it is needed" description, so for each item below I need the Redpanda-specific reason, not just what the cloud API does.

1. Permission justifications still marked TODO(eng)

AWS (@jacekseligarp @0xdiba)

  • ec2:ModifyVpcEndpointServicePayerResponsibility: why does provisioning need to change payer responsibility on the cluster's PrivateLink endpoint service? What breaks without it?

Azure (@ncole)

  • Microsoft.ContainerService/managedClusters/listClusterAdminCredential/action: do we use the admin kubeconfig (vs the listClusterUserCredential we already document), and for which operations? Flagging because the admin credential is full cluster-admin access.
  • Microsoft.Network/publicIPPrefixes/join/action: what associates a public IP prefix with cluster resources (predictable egress, load balancer ingress)?
  • Microsoft.Network/virtualNetworks/join/action: which resources join the VNet/subnet under this permission (private endpoints, AKS nodes, NAT)?

2. Accuracy / scope points to confirm

  • Azure public DNS (@ncole): the role grants Microsoft.Network/dnszones/{read,write,delete} and dnszones/SOA/read, but no record-set permissions (dnszones/A/write, and so on), unlike the privateDnsZones block. Azure's model is that dnszones/write manages the zone, not record sets. Does Redpanda create or update public DNS records for cluster endpoints with this role? If yes, what grants that (is a record-set permission missing)? If no, I'll describe it as zone-level only.
  • AWS secretsmanager:DeleteSecret (@jacekseligarp): what secrets does this cover, and which component creates and owns them? The current draft says "user secrets Redpanda created," which is ambiguous.
  • AWS customer prerequisite (@0xdiba): to create the cross-account role and attach policies, what does the customer's own IAM principal actually need? The draft currently shows AWSAdministratorAccess as an example, but (a) the IAM managed policy is AdministratorAccess (AWSAdministratorAccess is the Identity Center permission-set name), and (b) recommending full admin conflicts with the least-privilege framing. What minimum should we document (for example IAMFullAccess, or a specific action set)?

3. Parity and feature-gating (affects which permissions we list)

  • (@0xdiba) Does the AWS cross-account role grant the same permission set as the existing agent instance-profile policy, or does it differ?
  • Which permissions are gated behind optional features (Redpanda SQL, AI Gateway, RDS, ElastiCache) and only present when the customer enables them? I want to mark those clearly.

4. Still open from the original draft (restating for completeness)

(@0xdiba @frenchfrywpepper)

  • Deploy wizard and exact Cloud UI steps (ENG-1129).
  • Delivery mechanism for the customer Terraform file (how does the customer receive it?).
  • Whether the external ID is surfaced in the UI before role creation, and step ordering (CIAINFRA-3970).
  • Exact role name and trust-policy content.

Thanks! Once these are answered I'll resolve the inline TODO(eng)/TODO(team) markers and take this out of draft.

@micheleRP micheleRP requested a review from deniscoady July 13, 2026 20:59
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant