Bug 1757208

Summary: Missing permissions from credentials check on AWS
Product: OpenShift Container Platform    Reporter: Abhinav Dahiya <adahiya>
Component: Cloud Credential Operator    Assignee: Devan Goodwin <dgoodwin>
Status: CLOSED NOTABUG    QA Contact: Oleg Nesterov <olnester>
Severity: unspecified
Priority: unspecified
Version: 4.2.0    CC: jialiu
Target Release: 4.3.0
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Clone Of: 1729362
Last Closed: 2019-09-30 20:24:21 UTC
Bug Depends On: 1729362

Description Abhinav Dahiya 2019-09-30 20:23:11 UTC
The installer vendors the lib from cred-minter and Joel had a solution to fix this.

+++ This bug was initially created as a clone of Bug #1729362 +++

Description of problem:

Using a restricted IAM policy for a user and using that to install the cluster:

```
INFO Consuming "Install Config" from target directory 
INFO Creating infrastructure resources...         
ERROR                                              
ERROR Error: Error applying plan:                  
ERROR                                              
ERROR 3 errors occurred:                           
ERROR 	* module.masters.aws_network_interface.master[1]: 1 error occurred: 
ERROR 	* aws_network_interface.master.1: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: 9b772002-65ad-4642-86f3-4d314dcfa2e5 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[2]: 1 error occurred: 
ERROR 	* aws_network_interface.master.2: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: a7b74671-95a0-42fa-a497-fc4966222ebe 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[0]: 1 error occurred: 
ERROR 	* aws_network_interface.master.0: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: ef03e929-d2c0-489e-ba4b-de28beb31b8f 
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR Terraform does not automatically rollback in the face of errors. 
ERROR Instead, your Terraform state file has been partially updated with 
ERROR any resources that successfully completed. Please address the error 
ERROR above and apply again to incrementally change your infrastructure. 
ERROR                                              
ERROR                                              
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
```

The installer should add `"ec2:AttachNetworkInterface"` and `"ec2:CreateNetworkInterface"` to the permissions that should be checked.

The original report: https://github.com/openshift/openshift-docs/issues/15376#issuecomment-510320028

--- Additional comment from W. Trevor King on 2019-08-13 20:34:45 UTC ---

I think we want something like https://github.com/openshift/installer/pull/1752 to help maintain that list (at least on AWS).
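As an added example (not the installer's or the cloud-credential-operator's own code), a minimal pre-flight permission check in Go: given the Allow action patterns of a constructed restricted IAM policy, it reports which required actions no pattern covers, so an omission like the two ENI actions above surfaces before Terraform runs instead of as a 403 during apply. The required-action list, the policy contents and the helper names are assumptions.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Actions the installer needs for the masters' network interfaces. The bug is
// that the first two were absent from the installer's pre-flight permission
// check, so a restricted policy passed it and Terraform hit a 403 later.
var requiredActions = []string{
	"ec2:CreateNetworkInterface",
	"ec2:AttachNetworkInterface",
	"ec2:RunInstances",
	"ec2:DescribeInstances",
}

// allows reports whether an IAM Allow action pattern covers an action. IAM
// patterns are case-insensitive, '*' matches any run of characters and '?'
// exactly one; path.Match implements those rules as actions never contain '/'.
func allows(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// missingActions returns each required action, in input order, that no Allow
// pattern in the policy covers. An empty result means the check passes.
func missingActions(allowed, required []string) []string {
	missing := []string{}
	for _, need := range required {
		covered := false
		for _, pat := range allowed {
			if allows(pat, need) {
				covered = true
				break
			}
		}
		if !covered {
			missing = append(missing, need)
		}
	}
	return missing
}

func main() {
	// Constructed restricted policy: Describe* and RunInstances, no ENI actions.
	restricted := []string{"ec2:Describe*", "ec2:RunInstances", "iam:PassRole"}
	fmt.Println("missing:", missingActions(restricted, requiredActions))
}
```

Running it prints the two ENI actions as missing; widening the policy to `ec2:*` makes the list empty.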

Comment 1 Abhinav Dahiya 2019-09-30 20:24:21 UTC
Oops cloned the wrong bug.