IaaS Permissions Guidelines
Page last updated:
Warning: Pivotal Cloud Foundry (PCF) v2.3 is no longer supported because it has reached the End of General Support (EOGS) phase as defined by the Support Lifecycle Policy. To stay up to date with the latest software and security updates, upgrade to a supported version.
This topic describes practices recommended by Pivotal for creating secure IaaS user roles.
Pivotal Cloud Foundry (PCF) is an automated platform that connects to IaaS providers such as AWS and OpenStack. This connectivity typically requires accounts with appropriate permissions to act on behalf of the operator to access IaaS functionality such as creating virtual machines (VMs), managing networks and storage, and other related services.
Ops Manager and Pivotal Application Service (PAS) can be configured with IaaS users in different ways depending on your IaaS. Other product tiles and services might also use their own IaaS credentials. Refer to the documentation for those product tiles or services to configure them securely.
Pivotal recommends following the principle of least privilege by scoping privileges to the most restrictive permissions possible for a given role. In the event that someone gains access to credentials by mistake or through malicious intent, LPUs limit the scope of the breach. Pivotal recommends following best practices for the particular IaaS you are deploying.
See the recommendations detailed in the AWS Permissions Guidelines topic.
See the permissions recommendations in Preparing to Deploy Ops Manager on Azure Manually, and use the minimum permissions necessary when creating your service principal.
For GCP, Pivotal recommends using two different accounts with the least privilege.
Use one account with the minimum permissions required to create desired GCP resources in your GCP project, then create a separate service account with the minimum permissions required to deploy PCF components such as Pivotal Ops Manager and PAS. For more information about creating the service account, see Step 1: Set up IAM Service Accounts in Preparing to Deploy Ops Manager on GCP Manually.
Pivotal recommends following the principle of least privilege by scoping privileges to the most restrictive permissions possible for a given role.
See the vCenter permissions recommendations in the Installing Pivotal Cloud Foundry on vSphere topic.