Bug 1947216

Summary: [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Product: OpenShift Container Platform
Reporter: OpenShift BugZilla Robot <openshift-bugzilla-robot>
Component: Installer
Installer sub component: openshift-installer
Assignee: Russell Teague <rteague>
QA Contact: Pedro Amoedo <pamoedom>
Status: CLOSED ERRATA
Severity: medium
Priority: medium
CC: mstaeble, pamoedom
Version: 4.8
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Doc Type: If docs needed, set a value
Story Points: ---
Last Closed: 2021-06-01 04:50:27 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Category: ---
oVirt Team: ---
Cloudforms Team: ---
Bug Depends On: 1938131
Bug Blocks: 1964120

Comment 2 Pedro Amoedo 2021-05-25 16:52:10 UTC
[QA Summary]

[Version]

~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.ci-2021-05-24-185728
built from commit d541105dbce1baba2f0965044c532796b70aaf1f
release image registry.ci.openshift.org/ocp/release@sha256:dbd108bada59294178016eb253d417281180221984baa3142cc18c12e2a2528d

$ git --no-pager log --oneline --first-parent origin/release-4.7 -3
d541105db (HEAD -> release-4.7, origin/release-4.7) Merge pull request #4827 from openshift-cherrypick-robot/cherry-pick-4825-to-release-4.7
fa645ee16 Merge pull request #4842 from openshift-cherrypick-robot/cherry-pick-4809-to-release-4.7
b14ee6836 Merge pull request #4948 from openshift-cherrypick-robot/cherry-pick-4933-to-release-4.7
~~~

[Parameters]

Using a default "install-config.yaml" but with AWS credentials attached to a custom Policy that denies "iam:ListAttachedRolePolicies":

~~~
$ aws iam get-account-authorization-details | grep -A2 "user/bz1947216"
USERDETAILLIST	arn:aws:iam::301721915996:user/bz1947216	2021-05-25T14:33:28Z	/	AIDAUMQAHCJOO2AZNDLKB	bz1947216
ATTACHEDMANAGEDPOLICIES	arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies	yunjiang-test-denyListAttachedRolePolicies
TAGS	bz	1947216

$ aws iam get-policy-version --policy-arn arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies --version-id v1
POLICYVERSION	2021-03-10T09:45:00Z	True	v1
DOCUMENT	2012-10-17
STATEMENT	*	Allow	*	VisualEditor0
STATEMENT	iam:ListAttachedRolePolicies	Deny	*	VisualEditor1
~~~

[Results]

As expected, installation aborts early during the permissions check procedure:

~~~
$ ./openshift-install create cluster --dir bz1947216/ --log-level debug
DEBUG OpenShift Installer 4.7.0-0.ci-2021-05-24-185728 
DEBUG Built from commit d541105dbce1baba2f0965044c532796b70aaf1f 
DEBUG Fetching Metadata...                         
...                    
INFO Credentials loaded from the "default" profile in file "/home/pamoedo/.aws/credentials" 
...
DEBUG   Generating Platform Permissions Check...   
WARNING Action not allowed with tested creds          action=iam:ListAttachedRolePolicies
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
~~~

NOTE: The parameter is already present in the permission list document [1].

[1] - https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
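To illustrate why the explicit Deny in the policy above trips the installer's pre-flight check, here is an added Python example (not the installer's permissions.go and not code from this bug): a simplified model of IAM evaluation in which an explicit Deny overrides the blanket Allow, run over a constructed subset of the required actions. The JSON policy is reconstructed from the two STATEMENT rows shown in the comment; Resource and Condition elements are ignored, which is an assumption of the model.

```python
import fnmatch
import json

# Policy reconstructed as JSON from the two STATEMENT rows in the
# `aws iam get-policy-version` output above (constructed for this example).
DENY_LIST_ATTACHED_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "*", "Resource": "*"},
   {"Sid": "VisualEditor1", "Effect": "Deny",
    "Action": "iam:ListAttachedRolePolicies", "Resource": "*"}]}
""")

# Constructed subset of the installer's required actions from the linked
# permissions document [1]; the real list is much longer.
REQUIRED_ACTIONS = [
    "iam:CreateRole",
    "iam:ListAttachedRolePolicies",
    "iam:ListRolePolicies",
    "ec2:RunInstances",
]


def _matches(pattern, action):
    # IAM action patterns use '*' / '?' wildcards and match case-insensitively.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """Simplified identity-policy evaluation: explicit Deny always wins,
    otherwise a matching Allow is required (default deny)."""
    allowed = False
    for stmt in policy["Statement"]:
        actions = stmt["Action"]
        if isinstance(actions, str):
            actions = [actions]
        if any(_matches(p, action) for p in actions):
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Required actions the policy does not grant, i.e. what a pre-flight
    permissions check such as the installer's reports as not allowed."""
    return [a for a in required if not action_allowed(policy, a)]
```

Running `missing_actions(DENY_LIST_ATTACHED_POLICY)` yields only `iam:ListAttachedRolePolicies`, matching the single WARNING line in the installer output above.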

Comment 5 errata-xmlrpc 2021-06-01 04:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.13 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2121