Bug 1888462
| Field | Value |
|---|---|
| Summary | TagResources and UntagResources required permissions are missing from the documentation |
| Product | OpenShift Container Platform |
| Component | Documentation |
| Status | CLOSED CURRENTRELEASE |
| Severity | low |
| Priority | low |
| Version | 4.5 |
| Target Release | 4.5.z |
| Hardware | Unspecified |
| OS | Unspecified |
| Type | Bug |
| Reporter | Greg Sheremeta <gshereme> |
| Assignee | Andrew Taylor <antaylor> |
| QA Contact | Gaoyun Pei <gpei> |
| Docs Contact | Vikram Goyal <vigoyal> |
| CC | antaylor, aos-bugs, gpei, jokerman, padillon, yunjiang |
| Last Closed | 2020-11-18 17:37:36 UTC |
Description
Greg Sheremeta
2020-10-14 21:52:26 UTC
Hey Greg! Thanks for filing this. As I understand it, these tags need to be placed under the "Required EC2 permissions for installation" section, is that right? I've created a pull request to resolve this: https://github.com/openshift/openshift-docs/pull/26714
Gaoyun Pei, please take a look. Thanks!

> these tags need to be placed under the "Required EC2 permissions for installation" section

That should work. I have one additional thought.
These two permissions are only required for the (uncommon?) use case of installing into an existing VPC. Normally the installer doesn't need Tag/Untag because it creates resources and includes the tag in the resource definition (no need for Tag after the fact). When using an existing VPC, it must tag things it did not create.
It might also make sense to create a new section "Required EC2 permissions for installation - Existing VPC Only" or something like that, and add these there. That way, it's clear that a user can safely exclude these two permissions if using the usual installer-creates-everything use case.
What do you think?
Hey Greg! I'll be happy to add a new section! Just to confirm, should it be those two tags + the normal "Required EC2 permissions for installation"?

> Just to confirm, should it be those two tags + the normal "Required EC2 permissions for installation"?

Hm, I'm actually not sure. For the "Existing VPC" flow, I suspect a lot of the permissions we normally use aren't actually required. I must defer to an expert on the installer team.
One note: we are working on removing TagResource (replaced with already listed CreateTag) API in https://issues.redhat.com/browse/CORS-1580 in 4.7.

I've spoken with Matthew Staebler in engineering and have confirmed that versions 4.3-4.6 will require both tag:TagResources and tag:UntagResources added to the existing "Required EC2 permissions for installation" section, while future releases will have just the tag:UntagResources moving forward.
Both pull requests have been created:
4.6 and prior: https://github.com/openshift/openshift-docs/pull/27157
4.7+: https://github.com/openshift/openshift-docs/pull/27163
Gaoyun Pei, would you mind reviewing these again before merging? Thanks!

Pull requests have been merged. I'm setting this to release pending until changes are live.

The requested changes are now live: https://docs.openshift.com/container-platform/4.5/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
I will be closing this bug as current release. Thanks for your input in helping us improve our documentation, Greg!
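
A pre-install check built on the version split confirmed in the thread above, as an added example that is not part of the bug report or the OpenShift documentation: it reports which of the two tag actions an installer IAM policy fails to grant for a given release. The function names and the sample policy are constructed for illustration, and only `Effect` and `Action` are evaluated (`Resource`, `Condition`, `NotAction` and organization-level policies are ignored).

```python
import re

def required_tag_actions(ocp_version):
    """Version split as confirmed in the thread (4.3-4.6 vs 4.7+)."""
    major, minor = (int(p) for p in ocp_version.split(".")[:2])
    if (major, minor) < (4, 3):
        raise ValueError("the thread only covers 4.3 and later")
    if (major, minor) <= (4, 6):
        return {"tag:TagResources", "tag:UntagResources"}
    return {"tag:UntagResources"}

def _as_list(value):
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _matches(action, patterns):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    for pattern in patterns:
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, action, re.IGNORECASE):
            return True
    return False

def missing_tag_actions(policy, ocp_version):
    """Return required tag actions not effectively allowed by the policy."""
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):  # a single statement may be a bare object
        statements = [statements]
    missing = []
    for action in sorted(required_tag_actions(ocp_version)):
        hits = [s.get("Effect") for s in statements
                if _matches(action, _as_list(s.get("Action")))]
        # An explicit Deny always overrides an Allow.
        if "Allow" not in hits or "Deny" in hits:
            missing.append(action)
    return missing

# Constructed sample policy (not from the bug report).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DescribeVpcs"], "Resource": "*"},
        {"Effect": "Allow", "Action": "tag:Untag*", "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for version in ("4.5", "4.7"):
        print(version, "missing:", missing_tag_actions(SAMPLE_POLICY, version))
```

Running the same check against the policy for each target release shows when `tag:TagResources` can be dropped from the installer's grant without breaking the install.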