Bug 1685729

Summary: Installer needs to add iam:GetUserPolicy as tested credential
Product: OpenShift Container Platform
Reporter: Ryan Howe <rhowe>
Component: Installer
Assignee: Joel Diaz <jdiaz>
Installer sub component: openshift-installer
QA Contact: Qin Ping <piqin>
Status: CLOSED ERRATA
Severity: unspecified
Priority: unspecified
CC: aos-bugs, jdiaz, jokerman, mmccomas, wking
Version: 4.1.0
Target Release: 4.1.0
Hardware: Unspecified
OS: Unspecified
Doc Type: No Doc Update
Last Closed: 2019-06-04 10:45:04 UTC
Type: Bug

Description Ryan Howe 2019-03-05 22:30:22 UTC
Description of problem:

  Installer needs to add iam:GetUserPolicy as a tested credential, as this is needed by the cloud-credential-operator

Version-Release number of the following components:

openshift-install version
openshift-install v0.13.0

How reproducible:
100%

Steps to Reproduce:
1. Run the installer as a user that does not have the cred iam:GetUserPolicy


Actual results:
Installer fails and does not warn about creds
  
 time="2019-02-28T11:17:56-05:00" level=fatal msg="failed to initialize the cluster: Cluster operator openshift-cloud-credential-operator is reporting a failure: 4 of 4 credentials requests are failing to sync."


cloud-credential-operator logs show the following error:
time="2019-03-04T17:49:56Z" level=warning msg="Action not allowed with tested creds" action="iam:GetUserPolicy" controller=secretannotator


Expected results:

The installer to warn about this cred.

Additional info:

https://github.com/openshift/installer/blob/release-4.0/pkg/asset/installconfig/aws/permissions.go#L14

Comment 1 Joel Diaz 2019-03-06 18:45:47 UTC
https://github.com/openshift/installer/pull/1374 adds the check for iam:GetUserPolicy to the installer.

Comment 2 W. Trevor King 2019-03-06 21:02:25 UTC
#1374 landed.

Comment 4 Qin Ping 2019-03-11 09:29:09 UTC
Verified with:
./openshift-install version
./openshift-install unreleased-master-542-g0e12f4527c25e9d1e2ddb31bea0ace0cb6d463ca-dirty

WARNING Action not allowed with tested creds          action="iam:GetUserPolicy"
WARNING Tested creds not able to perform all requested actions 
WARNING Action not allowed with tested creds          action="iam:GetUserPolicy"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
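
The kind of preflight check this bug asks for, as an added example that is not the installer's or the cloud-credential-operator's code: it reads a response in the shape returned by IAM SimulatePrincipalPolicy and lists every required action that was not allowed. The sample response and the required-action list are constructed for illustration, and missingActions is a hypothetical helper name.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample in the shape of an IAM SimulatePrincipalPolicy response.
const sampleResponse = `{"EvaluationResults":[
 {"EvalActionName":"iam:GetUser","EvalDecision":"allowed"},
 {"EvalActionName":"iam:GetUserPolicy","EvalDecision":"implicitDeny"},
 {"EvalActionName":"iam:CreateAccessKey","EvalDecision":"allowed"}]}`

type simulation struct {
	EvaluationResults []struct {
		EvalActionName, EvalDecision string
	}
}

// missingActions returns the required actions the simulation did not allow.
// An action absent from the response counts as missing, so the check fails closed.
func missingActions(required []string, response []byte) ([]string, error) {
	var sim simulation
	if err := json.Unmarshal(response, &sim); err != nil {
		return nil, fmt.Errorf("parse simulation: %w", err)
	}
	ok := map[string]bool{}
	for _, r := range sim.EvaluationResults {
		prev, seen := ok[r.EvalActionName]
		ok[r.EvalActionName] = (!seen || prev) && r.EvalDecision == "allowed" // any deny wins
	}
	var missing []string
	for _, a := range required {
		if !ok[a] {
			missing = append(missing, a)
		}
	}
	return missing, nil
}

func main() {
	required := []string{"iam:GetUser", "iam:GetUserPolicy", "iam:CreateAccessKey", "iam:PutUserPolicy"} // hypothetical list
	missing, err := missingActions(required, []byte(sampleResponse))
	if err != nil {
		panic(err)
	}
	for _, a := range missing {
		fmt.Printf("WARNING required action not allowed: action=%q\n", a)
	}
}
```

Running such a check before any resources are created surfaces the missing permission at the start of the install, rather than as a credentials-request sync failure once the cluster is coming up.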

Comment 7 errata-xmlrpc 2019-06-04 10:45:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758