Bug 1801446
| Summary: | AWS: Remove installer IAM permissions pre-check for UPI deployments | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Patrick Dillon <padillon> |
| Component: | Installer | Assignee: | Patrick Dillon <padillon> |
| Installer sub component: | openshift-installer | QA Contact: | Johnny Liu <jialiu> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | high | ||
| Priority: | high | CC: | adahiya, gferrazs, jialiu, mbarrett, rsandu, saung |
| Version: | 4.3.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.3.z | ||
| Hardware: | All | ||
| OS: | All | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | 1796347 | Environment: | |
| Last Closed: | 2020-03-24 14:33:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1796347 | ||
| Bug Blocks: | |||
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0858 These solutions does not work. https://access.redhat.com/solutions/5211941 |
Verified this bug with 4.3.0-0.nightly-2020-03-09-200240, and PASS. Create a IAM user, and attach the following policy. { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "*", "Resource": "*" }, { "Effect": "Deny", "Action": [ "ec2:Create*", "ec2:Run*", "eks:Create*", "rds:Create*", "es:Create*", "lambda:Create*" ], "Resource": [ "*" ], "Condition": { "StringNotEquals": { "aws:RequestedRegion": "us-east-1" } } } ] } [root@preserve-jialiu-ansible ~]# openshift-install version openshift-install 4.3.0-0.nightly-2020-03-09-200240 built from commit 3b4f0d436bf5247803395e146d4cd2ff9665fde8 release image registry.svc.ci.openshift.org/ocp/release@sha256:e76667eb92d91d60fdc661bf88d6d15df528d417e5e11bd09244489d0aebf38d Try to create cluster in us-east-2 region. [root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo1 INFO Consuming Install Config from target directory [root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo1 INFO Consuming Worker Ignition Config from target directory INFO Consuming Bootstrap Ignition Config from target directory INFO Consuming Master Ignition Config from target directory WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface" WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup" WARNING Action not allowed with tested creds action="ec2:CreateTags" WARNING Action not allowed with tested creds action="ec2:CreateVolume" WARNING Action not allowed with tested creds action="ec2:RunInstances" WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions" WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway" WARNING Action not allowed with tested creds action="ec2:CreateNatGateway" WARNING Action not allowed with tested creds action="ec2:CreateRoute" WARNING Action not allowed with tested creds action="ec2:CreateRouteTable" WARNING Action not allowed with tested creds action="ec2:CreateSubnet" WARNING Action not allowed with tested creds action="ec2:CreateVpc" WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint" WARNING Tested creds not able to perform all requested actions FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation