---
title: Pivotal Cloud Foundry IaaS User Role Guidelines
owner: Program Management
---
This topic describes practices recommended by Pivotal for creating secure IaaS
user roles.
Pivotal Cloud Foundry (PCF) is an automated platform that connects to IaaS
providers such as AWS and OpenStack.
This connectivity typically requires accounts with appropriate permissions to
act on behalf of the operator to access IaaS functionality such as creating
virtual machines (VMs), managing networks and storage, and other related
services.
Ops Manager and Elastic Runtime can be configured with IaaS users in different ways depending on your IaaS. Other product tiles and services might also use their own IaaS credentials. Refer to the documentation for those product tiles or services to configure them securely.
##<a id="lpus"></a> Least Privileged Users (LPUs)
Pivotal recommends following the principle of least privilege by scoping privileges to the most restrictive permissions possible for a given role.
In the event that someone gains access to credentials by mistake or through malicious intent, LPUs limit the scope of the breach.
Pivotal also recommends following the security best practices published for the particular IaaS you are deploying to.
##<a id="aws"></a>AWS Guidelines
See the recommendations detailed in the [Guidelines for Creating User Roles for PCF on AWS](./cloudform-iaas-user-roles.html) topic.
##<a id="azure"></a>Azure Guidelines
See the permissions recommendations in [installation instructions](azure-prepare-env.html), and use the minimum permissions necessary when creating your service principal.
##<a id="gcp"></a>GCP Guidelines
For GCP, Pivotal recommends using two separate accounts, each scoped to the least privilege it needs.
Use [one account](gcp.html#gcp) with the minimum permissions required to create desired GCP resources in your GCP project, then create a separate [service account](gcp-prepare-env.html#iam_account) with the minimum permissions required to deploy PCF components such as Pivotal Ops Manager and Elastic Runtime.
##<a id="openstack"></a>OpenStack Guidelines
See the [installation instructions](openstack.html) and follow the least privileged user configuration for tenants and identity.
##<a id="vsphere"></a>vSphere Guidelines
See the vCenter permissions recommendations in the [Installing Pivotal Cloud Foundry on vSphere](vsphere.html#vsphere-reqs) topic.