Installing Guardium Data Security Center on Red Hat OpenShift service on Amazon Web Services (ROSA)
Use the guardcenter-cli utility to install Guardium® Data Security Center on Red Hat OpenShift service on Amazon Web Services (ROSA).
Before you begin
- Install the following CLI tools before you install Guardium Data Security Center on ROSA. For more information about the CLI tools, see System requirements for the Guardium Data Security Center command-line interface utility.
  For each CLI tool, the following list gives the supported version, where to download it, and the command to run to verify that the tool is installed successfully.

  Tool: AWS CLI
  Supported version: 2.21.0 or later
  Download information: Installing or updating to the latest version of the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
  Validation command: aws --version

  Tool: jq
  Supported version: 1.6 or later
  Download information: Download jq (https://jqlang.github.io/jq/download/)
  Validation command: jq --version

  Tool: Wget
  Supported version: 1.21.1 or later
  Download information: Choose one of the following options:
  Validation command: wget --version
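The validation commands above only print a version string; whether that string satisfies the minimum is left to the reader. The following script, added here as an example and not part of the IBM documentation or the guardcenter-cli utility, runs the three validation commands, parses the version out of each tool's output, and compares it with the minimum version from the list. The minimum versions are the ones stated above; the output formats it expects (`aws-cli/2.21.0 ...`, `jq-1.7.1`, `GNU Wget 1.21.4 ...`) are those printed by current releases of the tools.

```python
"""Added example: check that aws, jq and wget are installed at or above
the versions the installation requires. Not part of the IBM documentation."""
import re
import shutil
import subprocess

# Minimum supported versions, taken from the prerequisites list above.
REQUIRED = {
    "aws": (2, 21, 0),
    "jq": (1, 6),
    "wget": (1, 21, 1),
}

# How each tool reports its version in `<tool> --version` output.
VERSION_PATTERNS = {
    "aws": re.compile(r"aws-cli/(\d+(?:\.\d+)*)"),     # "aws-cli/2.21.0 Python/3.12.6 Linux/..."
    "jq": re.compile(r"jq-(\d+(?:\.\d+)*)"),           # "jq-1.7.1"
    "wget": re.compile(r"GNU Wget (\d+(?:\.\d+)*)"),   # "GNU Wget 1.21.4 built on linux-gnu."
}


def parse_version(tool, output):
    """Return the version as a tuple of ints, or None if it cannot be found."""
    match = VERSION_PATTERNS[tool].search(output)
    if not match:
        return None
    return tuple(int(part) for part in match.group(1).split("."))


def meets_minimum(found, required):
    """Compare dotted versions of unequal length; 2.21 is treated as 2.21.0."""
    width = max(len(found), len(required))

    def pad(version):
        return version + (0,) * (width - len(version))

    return pad(found) >= pad(required)


def check_tool(tool, output):
    """Return (ok, message) for one tool, given its `--version` output."""
    found = parse_version(tool, output)
    if found is None:
        return False, f"{tool}: could not parse a version from {output.strip()!r}"
    want = ".".join(map(str, REQUIRED[tool]))
    have = ".".join(map(str, found))
    if meets_minimum(found, REQUIRED[tool]):
        return True, f"{tool}: {have} (>= {want}) OK"
    return False, f"{tool}: {have} is older than the supported minimum {want}"


def run_version_command(tool):
    """Run `<tool> --version`; return combined stdout+stderr, or None if the tool is absent.

    stdout and stderr are combined because older AWS CLI releases print the
    version line to stderr."""
    if shutil.which(tool) is None:
        return None
    proc = subprocess.run([tool, "--version"], capture_output=True, text=True)
    return proc.stdout + proc.stderr


def check_all():
    """Check every required tool on this machine; returns {tool: (ok, message)}."""
    results = {}
    for tool in REQUIRED:
        output = run_version_command(tool)
        if output is None:
            results[tool] = (False, f"{tool}: not found on PATH")
        else:
            results[tool] = check_tool(tool, output)
    return results


if __name__ == "__main__":
    for ok, message in check_all().values():
        print(("PASS " if ok else "FAIL ") + message)
```

Run it before starting the installation; a FAIL line names the tool that still needs to be installed or upgraded.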
- Use either IAM user credentials or short-term credentials to log in to the AWS CLI. To authenticate with the AWS CLI, use a session token.
  If you are using a federated user or already have a valid session token, you do not need to generate a token. Verify that your environment variables are set:
  export AWS_ACCESS_KEY_ID=<Your-Access-Key-ID>
  export AWS_SECRET_ACCESS_KEY=<Your-Secret-Access-Key>
  export AWS_SESSION_TOKEN=<Your-Session-Token>
  For more information, see Authenticating with short-term credentials for the AWS CLI (https://docs.aws.amazon.com/cli/v1/userguide/cli-authentication-short-term.html).
  If you are using IAM user credentials, you must generate a session token:
  - Configure your AWS credentials and region:
    aws configure
  - Obtain a session token:
    aws sts get-session-token --duration-seconds 10800
    Important: Session tokens that are requested with this command are valid for 3 hours (10800 seconds). Complete the installation process within 3 hours to ensure a successful installation.
    The following example shows a successful output:
    {
      "Credentials": {
        "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
        "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
        "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
        "Expiration": "2020-05-19T18:06:10+00:00"
      }
    }
  - Set the session token in your environment:
    export AWS_ACCESS_KEY_ID=<Your-Access-Key-ID>
    export AWS_SECRET_ACCESS_KEY=<Your-Secret-Access-Key>
    export AWS_SESSION_TOKEN=<Your-Session-Token>
    For more information about the get-session-token command, see get-session-token AWS CLI reference (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html).
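The steps above leave two things to the reader: copying the three values out of the get-session-token output into the export lines without mistakes, and keeping track of how much of the 3-hour window is left. The following script, added as an example that is not part of the IBM documentation or of the AWS CLI, runs the same get-session-token command, turns its JSON into the three export lines (shell-quoted, so a token containing unusual characters cannot break the shell), reports how many seconds remain before Expiration, and lists which of the three variables are still unset for the federated-user path. The sample output embedded in it is the example shown above (AWS's documented placeholder credentials), and the JSON shape it expects is the one in that example; the 3-hour window is the value stated above.

```python
"""Added example: from `aws sts get-session-token` output to the export
lines the procedure needs, with an expiry check. Not IBM's or AWS's code."""
import json
import os
import shlex
import shutil
import subprocess
from datetime import datetime, timedelta, timezone

# The validity period stated in the procedure (--duration-seconds 10800).
TOKEN_LIFETIME = timedelta(hours=3)

REQUIRED_ENV = ("AWS_ACCESS_KEY_ID", "AWS_SECRET_ACCESS_KEY", "AWS_SESSION_TOKEN")

# The example output from the documentation (AWS placeholder credentials,
# session token shortened); used when the AWS CLI is not on PATH.
SAMPLE_OUTPUT = """{
  "Credentials": {
    "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
    "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
    "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE",
    "Expiration": "2020-05-19T18:06:10+00:00"
  }
}"""


def export_lines(credentials_json):
    """Return the three `export` lines, values quoted for a POSIX shell."""
    creds = json.loads(credentials_json)["Credentials"]
    return [
        "export AWS_ACCESS_KEY_ID=" + shlex.quote(creds["AccessKeyId"]),
        "export AWS_SECRET_ACCESS_KEY=" + shlex.quote(creds["SecretAccessKey"]),
        "export AWS_SESSION_TOKEN=" + shlex.quote(creds["SessionToken"]),
    ]


def _to_datetime(value):
    """Accept a datetime or an ISO-8601 string (a trailing Z means UTC)."""
    if isinstance(value, datetime):
        return value
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def seconds_remaining(credentials_json, now=None):
    """Seconds until the token's Expiration; negative once it has expired."""
    creds = json.loads(credentials_json)["Credentials"]
    expires = _to_datetime(creds["Expiration"])
    current = _to_datetime(now) if now is not None else datetime.now(timezone.utc)
    return (expires - current).total_seconds()


def has_full_window(credentials_json, now=None, margin=timedelta(minutes=5)):
    """True if (almost) the whole 3-hour window is still ahead of you."""
    needed = (TOKEN_LIFETIME - margin).total_seconds()
    return seconds_remaining(credentials_json, now) >= needed


def missing_env_vars(env):
    """Names of the required variables that are unset or empty in `env`."""
    return [name for name in REQUIRED_ENV if not env.get(name)]


def fetch_session_token():
    """Run the get-session-token command exactly as the procedure does."""
    proc = subprocess.run(
        ["aws", "sts", "get-session-token", "--duration-seconds", "10800"],
        capture_output=True, text=True, check=True,
    )
    return proc.stdout


if __name__ == "__main__":
    unset = missing_env_vars(os.environ)
    print("# unset variables: " + (", ".join(unset) if unset else "none"))
    raw = fetch_session_token() if shutil.which("aws") else SAMPLE_OUTPUT
    left = seconds_remaining(raw)
    print(f"# seconds remaining on this token: {left:.0f}")
    if not has_full_window(raw):
        print("# warning: less than the 3-hour window remains; request a fresh token")
    print("\n".join(export_lines(raw)))
```

The output is meant to be evaluated in the installing shell, for example `eval "$(python3 session_env.py)"` (the file name is this example's own); the comment lines are ignored by the shell.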
- Ask your AWS administrator to create a policy with the following permissions and attach it to your IAM account so that you have the permissions to install ROSA.
  {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Action": [
          "iam:SimulatePrincipalPolicy", "iam:PassRole", "sts:AssumeRole", "iam:CreateRole",
          "sts:AssumeRoleWithWebIdentity", "iam:CreatePolicy", "iam:GetPolicy", "sts:GetCallerIdentity",
          "iam:GetRole", "iam:CreatePolicyVersion", "iam:DeletePolicyVersion", "iam:TagPolicy",
          "iam:ListRoles", "iam:ListRoleTags", "iam:ListPolicyTags", "iam:GetPolicyVersion",
          "iam:ListAttachedUserPolicies", "iam:AttachRolePolicy", "iam:DeleteOpenIDConnectProvider",
          "iam:SetDefaultPolicyVersion", "iam:CreateOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider",
          "iam:TagOpenIDConnectProvider", "iam:UntagOpenIDConnectProvider",
          "iam:UpdateOpenIDConnectProviderThumbprint", "iam:ListOpenIDConnectProviders",
          "iam:GetOpenIDConnectProvider", "iam:UpdateAssumeRolePolicy", "iam:ListPolicyVersions",
          "iam:*", "support:*", "kms:*"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "iam:CreateRole", "iam:DeleteRole", "iam:ListAttachedUserPolicies", "iam:PassRole",
          "iam:TagPolicy", "iam:CreateRole", "iam:GetRole", "iam:ListPolicyVersions",
          "iam:UpdateAssumeRolePolicy", "iam:AttachRolePolicy", "iam:ListRoles", "iam:AttachRolePolicy",
          "iam:DetachRolePolicy", "iam:CreateOpenIDConnectProvider", "iam:DeleteOpenIDConnectProvider",
          "iam:TagOpenIDConnectProvider", "iam:UntagOpenIDConnectProvider",
          "iam:UpdateOpenIDConnectProviderThumbprint", "iam:ListOpenIDConnectProviders",
          "iam:GetOpenIDConnectProvider", "iam:DeletePolicyVersion", "iam:TagRole", "iam:ListRoleTags",
          "iam:CreatePolicyVersion", "iam:ListPolicyTags", "iam:GetPolicyVersion", "iam:UntagRole",
          "iam:UpdateAssumeRolePolicy", "iam:SetDefaultPolicyVersion", "sts:AssumeRole",
          "sts:AssumeRoleWithWebIdentity", "iam:SimulatePrincipalPolicy"
        ],
        "Resource": [
          "arn:aws:iam::*:role/ManagedOpenShift-Installer-Role",
          "arn:aws:iam::*:role/ManagedOpenShift-ControlPlane-Role",
          "arn:aws:iam::*:role/ManagedOpenShift-Worker-Role",
          "arn:aws:iam::*:role/ManagedOpenShift-Support-Role",
          "arn:aws:iam::*:role/*openshift-*"
        ]
      },
      {
        "Effect": "Allow",
        "Action": [
          "ec2:DescribeInstances", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups",
          "ec2:CreateSecurityGroup", "ec2:DeleteSecurityGroup", "ec2:AuthorizeSecurityGroupIngress",
          "ec2:RevokeSecurityGroupIngress", "ec2:CreateTags", "ec2:DeleteTags", "ec2:DescribeTags",
          "ec2:CreateVolume", "ec2:DeleteVolume", "ec2:DescribeVolumes", "ec2:DescribeVpcAttribute",
          "ec2:ModifyVpcAttribute", "ec2:AllocateAddress", "ec2:ReleaseAddress", "ec2:DescribeVpcs",
          "ec2:CreateVpc", "ec2:DeleteVpc", "ec2:CreateRoute", "ec2:DeleteRoute", "ec2:CreateSubnet",
          "ec2:DeleteSubnet", "ec2:DescribeRouteTables", "ec2:AssociateRouteTable",
          "ec2:DisassociateRouteTable", "ec2:CreateNatGateway", "ec2:DeleteNatGateway",
          "ec2:DescribeNatGateways", "ec2:DescribeNetworkInterfaces", "ec2:DeleteNetworkInterface",
          "ec2:CreateInternetGateway", "ec2:AttachInternetGateway", "ec2:DetachInternetGateway",
          "ec2:DeleteInternetGateway", "ec2:DescribeInternetGateways", "ec2:AttachVolume",
          "ec2:DetachVolume", "ec2:ModifyVolume", "ec2:DescribeVolumesModifications",
          "ec2:DescribeVolumeStatus", "ec2:DescribeVolumeAttribute", "ec2:DescribeAddresses",
          "ec2:TerminateInstances", "ec2:RunInstances", "ec2:StartInstances", "ec2:StopInstances",
          "ec2:RebootInstances", "ec2:CreateNetworkAcl", "ec2:DescribeNetworkAcls"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*",
          "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteObject",
          "s3:GetBucketPolicy", "s3:PutBucketPolicy", "s3:TagResource", "s3:UntagResource",
          "s3:ListAllMyBuckets"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "route53:ListHostedZones", "route53:ChangeResourceRecordSets", "route53:CreateHostedZone",
          "route53:DeleteHostedZone", "route53:GetHostedZone", "route53:ListResourceRecordSets",
          "route53:AssociateVPCWithHostedZone", "route53:DisassociateVPCFromHostedZone",
          "route53:GetChange"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "secretsmanager:GetSecretValue", "secretsmanager:ListSecrets", "secretsmanager:CreateSecret",
          "secretsmanager:DeleteSecret", "secretsmanager:TagResource", "secretsmanager:UntagResource",
          "secretsmanager:UpdateSecret"
        ],
        "Resource": "*",
        "Condition": {
          "StringEquals": {
            "aws:ResourceTag/red-hat-managed": "true"
          }
        }
      },
      {
        "Effect": "Allow",
        "Action": [
          "eks:DescribeCluster", "eks:CreateCluster", "eks:DeleteCluster", "eks:ListClusters",
          "eks:UpdateClusterConfig", "eks:TagResource", "eks:UntagResource", "eks:DescribeNodegroup",
          "eks:CreateNodegroup", "eks:DeleteNodegroup", "eks:UpdateNodegroupConfig"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "servicequotas:GetServiceQuota", "servicequotas:ListAWSDefaultServiceQuotas",
          "servicequotas:RequestServiceQuotaIncrease"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "iam:GetPolicy", "iam:CreatePolicy", "iam:DeletePolicy", "iam:ListAttachedRolePolicies",
          "iam:CreateInstanceProfile", "iam:ListInstanceProfiles"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "logs:CreateLogGroup", "logs:CreateLogStream", "logs:PutLogEvents"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "servicequotas:GetServiceQuota", "servicequotas:ListAWSDefaultServiceQuotas",
          "servicequotas:RequestServiceQuotaIncrease", "servicequotas:ListServiceQuotas",
          "servicequotas:ListServices", "servicequotas:GetRequestedServiceQuotaChange"
        ],
        "Resource": "*"
      },
      {
        "Effect": "Allow",
        "Action": [
          "elasticfilesystem:CreateFileSystem", "elasticfilesystem:DescribeFileSystems",
          "elasticfilesystem:CreateMountTarget", "elasticfilesystem:DescribeMountTargets",
          "elasticfilesystem:DeleteMountTarget", "elasticfilesystem:CreateTags",
          "elasticfilesystem:DescribeTags", "elasticfilesystem:DeleteTags",
          "elasticfilesystem:TagResource", "elasticfilesystem:*"
        ],
        "Resource": "*"
      }
    ]
  }
  For more information, see the following AWS documentation pages:
  - create-policy AWS CLI reference (https://docs.aws.amazon.com/cli/latest/reference/iam/create-policy.html)
  - Creating roles and attaching policies (console) (https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_job-functions_create-policies.html)
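Two things are worth checking locally before an administrator attaches a policy of this size. First, an IAM policy document must be valid JSON, so a stray trailing comma introduced while copying makes the create-policy call fail; catching that locally is faster than reading the API error. Second, the document grants several service-wide wildcards ("iam:*", "support:*", "kms:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*", "elasticfilesystem:*") on Resource "*", and only the Secrets Manager statement is narrowed by a Condition; an administrator reviewing the request will want those statements listed rather than buried among some two hundred actions. The script below is an added example, not IBM's or AWS's code: it parses a policy document and reports wildcard actions, unconditioned statements on Resource "*", and actions repeated within one statement (the policy above repeats, for example, iam:CreateRole and iam:AttachRolePolicy; IAM accepts that, but it is noise for a reviewer). POLICY_SAMPLE is a constructed, shortened stand-in with the same shape as the policy above, not the full document, and the review rules are this example's own.

```python
"""Added example: a local, read-only review of an IAM policy document
before it is attached. Not IBM's or AWS's code."""
import json
from collections import Counter

# Constructed sample in the shape of the policy above; shortened to three
# statements. Replace with the full document to review the real policy.
POLICY_SAMPLE = """{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["iam:GetRole", "iam:*", "kms:*"],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:CreateRole", "sts:AssumeRole"],
      "Resource": ["arn:aws:iam::*:role/ManagedOpenShift-Installer-Role"]
    },
    {
      "Effect": "Allow",
      "Action": ["secretsmanager:GetSecretValue"],
      "Resource": "*",
      "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}}
    }
  ]
}"""


def load_policy(text):
    """Parse the document; a ValueError names the line and column of any JSON error."""
    try:
        return json.loads(text)
    except json.JSONDecodeError as err:
        raise ValueError(
            f"policy is not valid JSON: {err.msg} at line {err.lineno}, column {err.colno}"
        ) from err


def as_list(value):
    """IAM allows a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def review_policy(policy):
    """Return findings as (statement index, kind, detail) tuples.

    Kinds: wildcard-action   an Action ending in '*'
           unscoped-resource Resource '*' with no Condition narrowing it
           duplicate-action  the same Action listed twice in one statement"""
    findings = []
    for index, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements only remove permissions
        actions = as_list(stmt.get("Action", []))
        resources = as_list(stmt.get("Resource", []))
        for action in actions:
            if action.endswith("*"):
                findings.append((index, "wildcard-action", action))
        if "*" in resources and "Condition" not in stmt:
            preview = ",".join(actions[:3]) + ("..." if len(actions) > 3 else "")
            findings.append((index, "unscoped-resource", preview))
        seen = set()
        for action in actions:
            if action in seen:
                findings.append((index, "duplicate-action", action))
            seen.add(action)
    return findings


def summarize(findings):
    """Count findings by kind, e.g. {'wildcard-action': 2, ...}."""
    return dict(Counter(kind for _, kind, _ in findings))


if __name__ == "__main__":
    policy = load_policy(POLICY_SAMPLE)
    for index, kind, detail in review_policy(policy):
        print(f"statement {index}: {kind}: {detail}")
    print("summary:", summarize(review_policy(policy)))
    try:
        load_policy('{"Version": "2012-10-17", "Statement": [],}')
    except ValueError as err:
        print("rejected:", err)
```

The findings are review prompts, not verdicts: the ROSA installer genuinely needs broad IAM permissions, and the page states the policy as it is. The value of the report is that the administrator sees at a glance which statements grant service-wide access and which are already scoped by resource ARN or condition.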
- Obtain your entitlement key for installing Guardium Data Security Center. For more information, see Obtaining your entitlement key (https://myibm.ibm.com/products-services/containerlibrary).
- Use your ROSA token to log in to Red Hat OpenShift. Obtain the token from the ROSA Token Console (https://console.redhat.com/openshift/token/rosa).