Bug 1729362

Summary: Missing permissions from credentials check on AWS
Product: OpenShift Container Platform Reporter: Abhinav Dahiya <adahiya>
Component: InstallerAssignee: Abhinav Dahiya <adahiya>
Installer sub component: openshift-installer QA Contact: Johnny Liu <jialiu>
Status: CLOSED ERRATA Docs Contact:
Severity: low    
Priority: unspecified    
Version: 4.2.0   
Target Milestone: ---   
Target Release: 4.4.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1757208 (view as bug list) Environment:
Last Closed: 2020-05-13 21:51:55 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1757208    

Description Abhinav Dahiya 2019-07-12 05:35:44 UTC 
Description of problem:

Using a restricted iam policy for a user and using that to install the cluster:

```
INFO Consuming "Install Config" from target directory 
INFO Creating infrastructure resources...         
ERROR                                              
ERROR Error: Error applying plan:                  
ERROR                                              
ERROR 3 errors occurred:                           
ERROR 	* module.masters.aws_network_interface.master[1]: 1 error occurred: 
ERROR 	* aws_network_interface.master.1: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: 9b772002-65ad-4642-86f3-4d314dcfa2e5 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[2]: 1 error occurred: 
ERROR 	* aws_network_interface.master.2: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: a7b74671-95a0-42fa-a497-fc4966222ebe 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[0]: 1 error occurred: 
ERROR 	* aws_network_interface.master.0: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: ef03e929-d2c0-489e-ba4b-de28beb31b8f 
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR Terraform does not automatically rollback in the face of errors. 
ERROR Instead, your Terraform state file has been partially updated with 
ERROR any resources that successfully completed. Please address the error 
ERROR above and apply again to incrementally change your infrastructure. 
ERROR                                              
ERROR                                              
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
```

The installer should add `"ec2:AttachNetworkInterface" and "ec2:CreateNetworkInterface"` to the permissions that should be checked.

the original report: https://github.com/openshift/openshift-docs/issues/15376#issuecomment-510320028
Comment 1 W. Trevor King 2019-08-13 20:34:45 UTC 
I think we want something like https://github.com/openshift/installer/pull/1752 to help maintain that list (at least on AWS).
Comment 2 Abhinav Dahiya 2019-12-12 17:37:27 UTC 
moving to 4.4, we can fix this in 4.3.z
Comment 3 Johnny Liu 2020-02-10 13:26:02 UTC 
Verified this bug with 4.4.0-0.nightly-2020-02-09-220310, and PASS.

1. Create user policy using the following json.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DeleteDhcpOptions",
                "ec2:DeleteInternetGateway",
                "ec2:DeleteNatGateway",
                "ec2:DeleteNetworkInterface",
                "ec2:DeleteRoute",
                "ec2:DeleteRouteTable",
                "ec2:DeleteSnapshot",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteSubnet",
                "ec2:DeleteVolume",
                "ec2:DeleteVpc",
                "ec2:DeleteVpcEndpoints",
                "ec2:DeregisterImage",
                "ec2:DetachInternetGateway",
                "ec2:DisassociateRouteTable",
                "ec2:ReleaseAddress",
                "ec2:AllocateAddress",
                "ec2:AssociateAddress",
                "ec2:AssociateDhcpOptions",
                "ec2:AssociateRouteTable",
                "ec2:AttachInternetGateway",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CopyImage",
                "ec2:CreateDhcpOptions",
                "ec2:CreateInternetGateway",
                "ec2:CreateNatGateway",
                "ec2:CreateRoute",
                "ec2:CreateRouteTable",
                "ec2:CreateSecurityGroup",
                "ec2:CreateSubnet",
                "ec2:CreateTags",
                "ec2:CreateVpc",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVolume",
                "ec2:Describe*",
                "ec2:ModifyInstanceAttribute",
                "ec2:ModifySubnetAttribute",
                "ec2:ModifyVpcAttribute",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:RunInstances",
                "ec2:TerminateInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:ReplaceRouteTableAssociation",
                "ec2:DescribeNetworkInterfaces",
                "ec2:ModifyNetworkInterfaceAttribute"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "iam:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "route53:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:*"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "tag:GetResources"
            ],
            "Resource": "*"
        }
    ]
}


[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo3/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo3
INFO Consuming Install Config from target directory 
INFO Credentials loaded from the "default" profile in file "/root/.aws/credentials" 
WARNING Action not allowed with tested creds          action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds          action="ec2:AttachNetworkInterface"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation 

Adding "ec2:CreateNetworkInterface" and "ec2:AttachNetworkInterface" back.


[root@preserve-jialiu-ansible ~]# rm -rf demo3/*
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo3/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo3
INFO Consuming Install Config from target directory
Comment 5 errata-xmlrpc 2020-05-13 21:51:55 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0581