Bug 1938131

Summary: [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Product: OpenShift Container Platform Reporter: Yunfei Jiang <yunjiang>
Component: Installer Assignee: Russell Teague <rteague>
Installer sub component: openshift-installer QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: medium CC: mstaeble, rteague
Version: 4.8   
Target Milestone: ---   
Target Release: 4.8.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Cause: iam:ListAttachedRolePolicies missing from openshift-install permissions Consequence: Cluster destroy fails when deleting IAM role Fix: Add iam:ListAttachedRolePolicies to openshift-install permissions Result: Cluster destroy completes successfully
Story Points: ---
Clone Of: Environment:
Last Closed: 2021-07-27 22:53:17 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1947216    

Description Yunfei Jiang 2021-03-12 09:02:56 UTC
The iam:ListAttachedRolePolicies permission is required for destroying a cluster [1], but it is missing from the AWS permissions.go file [4].

The official 4.6 and 4.7 documents [2][3] also don't mention the permission requirement. If a user configures an AWS account by following the documents, then when running the `destroy` command an error will occur and the IAM role can't be deleted:

level=warning msg=listing attached IAM role policies: AccessDenied: User: arn:aws:iam::301721915996:user/yunjiang-test-ListAttachedRole is not authorized to perform: iam:ListAttachedRolePolicies on resource: role yunjiang-role48-ffjmv-master-role with an explicit deny arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role
level=warning msg=    status code: 403, request id: 8d9b8cae-97ed-4c6f-8e8f-4bccfec2fc64 arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role

This bug tracks the issue for the installer component; the related documentation issue is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1936541

[1] https://github.com/openshift/installer/pull/4126
[2] https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
[3] https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html
[4] https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go

Version: 4.8.0-0.nightly-2021-03-10-053945

Additional info:
The same issue also occurs on 4.6.20 GA and 4.7.0 GA.

Comment 3 Yunfei Jiang 2021-04-08 08:54:07 UTC
Russell, installer will not do permission check when running `destroy cluster`, right?

Comment 4 Matthew Staebler 2021-04-08 13:33:14 UTC
(In reply to Yunfei Jiang from comment #3)
> Russell, installer will not do permission check when running `destroy
> cluster`, right?

That is correct.
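
The warning in the description and the answer in comment 4 together explain the failure mode: a role with managed policies attached cannot be deleted until those policies are detached, detaching requires listing them first, and `destroy cluster` does no permission pre-flight, so the first IAM call that the user is not allowed to make is where the destroy stops. The following Go program is an added example written for this page, not code from the installer or the AWS SDK. It models the IAM calls with an in-memory stand-in that enforces an action allow-list, runs the delete-role sequence once without `iam:ListAttachedRolePolicies` and once with it, and includes a `missingPermissions` pre-flight of the kind the installer applies to create but not to destroy. The user, role and policy names, the `destroyRolePermissions` list and the fake client are all constructed for the example; the installer's authoritative permission list is in permissions.go [4].

```go
package main

import "fmt"

// AccessDeniedError mirrors the 403 IAM returns and the installer logs.
type AccessDeniedError struct{ User, Action, Resource string }
func (e *AccessDeniedError) Error() string {
	return fmt.Sprintf("AccessDenied: User: %s is not authorized to perform: %s on resource: %s", e.User, e.Action, e.Resource)
}

// fakeIAM is an in-memory stand-in for the IAM API, constructed for this example (not the AWS SDK).
// It enforces the caller's action allow-list the way AWS does server-side, the only check a destroy gets.
type fakeIAM struct {
	user     string
	allowed  map[string]bool
	attached map[string]map[string]bool // role name -> set of attached managed policy ARNs
}

func (c *fakeIAM) authorize(action, role string) error {
	if !c.allowed[action] {
		return &AccessDeniedError{User: c.user, Action: action, Resource: "role " + role}
	}
	return nil
}

func (c *fakeIAM) ListAttachedRolePolicies(role string) ([]string, error) {
	if err := c.authorize("iam:ListAttachedRolePolicies", role); err != nil {
		return nil, err
	}
	var arns []string
	for arn := range c.attached[role] {
		arns = append(arns, arn)
	}
	return arns, nil
}

func (c *fakeIAM) DetachRolePolicy(role, arn string) error {
	if err := c.authorize("iam:DetachRolePolicy", role); err != nil {
		return err
	}
	delete(c.attached[role], arn)
	return nil
}

func (c *fakeIAM) DeleteRole(role string) error {
	if err := c.authorize("iam:DeleteRole", role); err != nil {
		return err
	}
	if len(c.attached[role]) > 0 { // IAM refuses to delete a role that still has policies attached
		return fmt.Errorf("DeleteConflict: role %s still has attached policies", role)
	}
	delete(c.attached, role)
	return nil
}

// deleteRole follows the order a destroy must use: list attached policies, detach each, then delete
// the role. Listing comes first, so a user who may DeleteRole but not ListAttachedRolePolicies
// fails before anything is removed, which is the warning quoted in the bug description.
func deleteRole(c *fakeIAM, role string) error {
	attached, err := c.ListAttachedRolePolicies(role)
	if err != nil {
		return fmt.Errorf("listing attached IAM role policies: %w", err)
	}
	for _, arn := range attached {
		if err := c.DetachRolePolicy(role, arn); err != nil {
			return fmt.Errorf("detaching %s: %w", arn, err)
		}
	}
	return c.DeleteRole(role)
}

// destroyRolePermissions is what deleteRole needs: an example list for this step only, not permissions.go.
var destroyRolePermissions = []string{"iam:ListAttachedRolePolicies", "iam:DetachRolePolicy", "iam:DeleteRole"}

// missingPermissions is the pre-flight the installer runs for create but not destroy: required actions the caller lacks.
func missingPermissions(allowed map[string]bool, required []string) []string {
	var missing []string
	for _, a := range required {
		if !allowed[a] {
			missing = append(missing, a)
		}
	}
	return missing
}

// newCluster builds a fakeIAM with one master role (hypothetical names) holding one attached managed policy.
func newCluster(actions ...string) *fakeIAM {
	allowed := map[string]bool{}
	for _, a := range actions {
		allowed[a] = true
	}
	return &fakeIAM{user: "example-installer-user", allowed: allowed, attached: map[string]map[string]bool{
		"example-master-role": {"arn:aws:iam::123456789012:policy/example-policy": true}}}
}

func main() {
	c := newCluster("iam:DetachRolePolicy", "iam:DeleteRole") // everything except ListAttachedRolePolicies
	fmt.Println("missing:", missingPermissions(c.allowed, destroyRolePermissions))
	fmt.Println("destroy:", deleteRole(c, "example-master-role"))
	fmt.Println("after fix:", deleteRole(newCluster(destroyRolePermissions...), "example-master-role"))
}
```

Running it prints the same "listing attached IAM role policies: AccessDenied ..." text as the bug report for the first user and a nil error for the second. Because the real installer skips the pre-flight on destroy, the practical check is to run something like `missingPermissions` against the full permissions.go list (or `aws iam simulate-principal-policy`) before destroying a cluster created with a minimal-permission user.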

Comment 5 Yunfei Jiang 2021-04-09 08:28:37 UTC
verified. PASS.
OCP version: 4.8.0-0.nightly-2021-04-08-043959


Remove the iam:ListAttachedRolePolicies permission from the IAM user, and then try to create a cluster:

time="2021-04-08T04:45:40-04:00" level=info msg="Credentials loaded from the \"denylistattachedrole\" profile in file \"/home/cloud-user/.aws/credentials\""
...
time="2021-04-08T04:45:45-04:00" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials:     current credentials insufficient for performing cluster installation"

Comment 8 errata-xmlrpc 2021-07-27 22:53:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438