DOC-2297: Cross-account IAM delegation for BYOC on AWS (draft)#633
DOC-2297: Cross-account IAM delegation for BYOC on AWS (draft)#633micheleRP wants to merge 9 commits into
Conversation
Rework the AWS IAM policies reference from cloudv2 source, add a cross-account deploy how-to and concept, plus a draft What's New entry. AWS-only, new clusters only (ENG-1139, targeted 26.2). Existing clusters keep the agent-based rpk cloud byoc apply model. - security: rebuild AWS section of iam-policies.adoc partial from instance_profile.tf (30 statements) into friendly, anchored sections with why-tables and collapsible Terraform; reframe for cross-account. GCP/Azure sections unchanged. - get-started: new cross-account-iam-aws.adoc how-to + nav entry - get-started: byoc-arch.adoc provisioning-models section + create-page cross-link TIP - get-started: draft What's New entry (do not publish before GA) Contains TODO(team)/TODO(eng) placeholders pending SME confirmation. Draft, not for merge. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
✅ Deploy Preview for rp-cloud ready!
To edit notification comments on pull requests, go to your Netlify project configuration. |
|
Important Review skippedDraft detected. Please check the settings in the CodeRabbit UI or the ⚙️ Run configurationConfiguration used: Organization UI Review profile: CHILL Plan: Pro Run ID: You can disable this status message by setting the Use the checkbox below for a quick retry:
✨ Finishing Touches🧪 Generate unit tests (beta)
Comment |
Rebuild the GCP and Azure sections of the iam-policies.adoc partial from cloudv2 source (role_redpanda_agent.tf, azure/agent/iam.tf) into the same friendly, anchored sections with Permission | Access | Why it is needed tables, plus a collapsible full role definition. Both keep the agent-based framing (no cross-account delegation this release). Refresh from source also closes drift: GCP adds secretmanager.* and serviceusage.* and a Redpanda SQL storage role; Azure adds the private endpoint / private DNS / Log Analytics actions the published page lacked. Reuses Denis's "why" text where the permission still exists; newer actions are marked TODO(eng). Reformatted at PM (Denis) request for consistency. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite create-byoc-cluster-aws.adoc so cross-account IAM delegation is the primary path for new AWS clusters: grant IAM permissions (create the cross-account role) as a prerequisite, then create the cluster. Retire the separate cross-account-iam-aws.adoc how-to and fold it in; its IDs are kept as page-aliases so links redirect to the create page. - nav: drop the standalone cross-account how-to entry - byoc-arch.adoc, whats-new-cloud.adoc: repoint links to the create page - cluster-types/byoc/index.adoc: note cross-account delegation for AWS The "Grant IAM permissions" section is self-contained so it can be split into a dedicated prerequisite page later if the real Terraform makes it long. Still draft: TODO(team) placeholders remain pending SME answers. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Add a note in the BYOC setup section so readers know the agent-based rpk cloud byoc apply flow is not the default for new AWS clusters, linking to the Provisioning models on AWS section. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Rewrite the What's New entry to lead with the benefit (simpler, more transparent deployment) rather than the feature name. Keep 'cross-account IAM delegation' in a parenthetical for searchability. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Drop the first sentence that echoed the heading; open with the concrete change instead. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Sol 5.6 researched the purpose of each AWS, GCP, and Azure permission in the cross-account IAM policies partial and supplied these high-confidence "Why it is needed" descriptions, replacing 131 TODO(eng) placeholders. A handful of data-row placeholders remain and still need eng confirmation. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
…t-iam # Conflicts: # modules/get-started/pages/whats-new-cloud.adoc
Apply verified corrections from Sol 5.6's re-review of the IAM policies: - Soften the AWS scope statement to acknowledge wildcard-scoped actions. - sts:GetCallerIdentity: Access Read -> N/A (AWS requires no IAM grant). - ec2:DetachNetworkInterface: Delete -> Write. - compute.forwardingRules.pscDelete: Write -> Delete. - iam:PassRole and iam.serviceAccounts.actAs: correct the mechanics (pass role to services; attach service account to resources). - Microsoft.KeyVault/vaults/read: note it does not grant key/secret access. - generateUserDelegationKey: drop the contradictory long-lived-keys clause. - Remove a duplicate Microsoft.Storage/storageAccounts/read row. - byoc-arch: cover both provisioning models and the effect of revoking access. Four permission TODOs remain for engineering to confirm. Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Open questions for engineeringThe IAM permission tables are drafted, but a few cells and framing points need SME confirmation before this leaves draft. Every permission gets a customer-facing "Why it is needed" description, so for each item below I need the Redpanda-specific reason, not just what the cloud API does. 1. Permission justifications still marked
|
Summary
Draft documentation for cross-account IAM delegation for BYOC on AWS (ENG-1139, targeted 26.2 / 2026-07-14). AWS-only, new clusters only; existing clusters and Azure/GCP keep the agent-based
rpk cloud byoc applymodel.Jira: https://redpandadata.atlassian.net/browse/DOC-2297
Changes
security:partial$iam-policies.adocfrom cloudv2apps/redpanda-agent/infra/aws/redpanda/agent/instance_profile.tf(30 statements) into friendly, anchored sections withPermission | Access | Why it is neededtables and collapsible Terraform. The published partial had drifted ~90 actions behind source; this restores full parity. GCP and Azure sections reformatted to match (same structure), and refreshed from source to close drift.byoc-arch.adoc(cross-account vs. agent-based comparison).create-byoc-cluster-aws.adoc) to be cross-account-first, gave it across-account-iam-awspage alias, and cross-linked it with the BYOC architecture page. (No separate page or nav entry was added.)Status: DRAFT — not for merge
Open items are marked inline as
TODO(team)/TODO(eng), pending SME confirmation (team post + Denis's permission-justification sheet):ec2:ModifyVpcEndpointServicePayerResponsibilityMicrosoft.ContainerService/managedClusters/listClusterAdminCredential/actionMicrosoft.Network/publicIPPrefixes/join/actionMicrosoft.Network/virtualNetworks/join/actionPreview pages
Deploy preview is still building; links go live once the Netlify
deploy-previewcheck passes.🤖 Generated with Claude Code