* Previously, installing a cluster on Amazon Web Services started and then failed when the IAM administrative user was not assigned the `s3:GetBucketPolicy` permission. This update adds this permission to the checklist that the installation program uses to ensure that all of the required permissions are assigned. As a result, the installation program now stops the installation with a warning that the IAM administrative user is missing the `s3:GetBucketPolicy` permission. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2109388[*BZ#2109388*])
Verified. PASS.

OCP version: 4.12.0-0.nightly-2022-07-27-133042

```
INFO Credentials loaded from the "de" profile in file "/home/cloud-user/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds action=s3:GetBucketPolicy
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399
s3:GetBucketPolicy is required for installing a cluster, but it’s missing in permissions.go [1]. Without this permission, creating a cluster will fail:

```
[2022-07-21T04:39:41.379Z] level=debug msg= with aws_s3_bucket_object.ignition,
[2022-07-21T04:39:41.379Z] level=debug msg= on main.tf line 56, in resource "aws_s3_bucket_object" "ignition":
[2022-07-21T04:39:41.379Z] level=debug msg= 56: bucket = aws_s3_bucket.ignition.id
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=Use the aws_s3_object resource instead
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=(and 3 more similar warnings elsewhere)
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg= status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg= with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg= on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.379Z] level=error msg= 35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failure applying terraform for "bootstrap" stage: failed to create cluster: failed to apply Terraform: exit status 1
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg= status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg= with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg= on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.380Z] level=error msg= 35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.380Z] level=error
[2022-07-21T04:39:41.380Z] level=error
```

[1] https://github.com/openshift/installer/blob/release-4.11/pkg/asset/installconfig/aws/permissions.go

OCP version: 4.11.0-rc.4-x86_64

Suggestion: Add s3:GetBucketPolicy to the permission checklist and raise an error before the installation actually begins.
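The suggestion above is a fail-fast preflight check: compare a required-actions checklist against what the credentials actually grant, and stop before Terraform creates anything. The following Go program is an added example illustrating that idea; it is not the installer's permissions.go (the installer checks live credentials against AWS, whereas this example evaluates an IAM policy document offline). The policy document, the `requiredActions` checklist and all function names are constructed for the example and are assumptions, not the project's real list. It handles two cases a least-privilege review needs to distinguish: an action that is simply absent from every Allow statement (the `s3:GetBucketPolicy` case in this bug) and an action that a wildcard would grant but an explicit Deny revokes.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// stringOrSlice accepts the two shapes IAM allows for "Action":
// a single string or an array of strings.
type stringOrSlice []string

func (s *stringOrSlice) UnmarshalJSON(b []byte) error {
	var single string
	if err := json.Unmarshal(b, &single); err == nil {
		*s = []string{single}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*s = many
	return nil
}

// statement and policy model only the fields this check needs. Resource and
// Condition are deliberately ignored (assumption: the question is only
// "is this action granted at all?", as in a preflight checklist).
type statement struct {
	Effect string
	Action stringOrSlice
}

type policy struct{ Statement []statement }

// actionAllowed applies IAM's evaluation order for one action: an explicit
// Deny on any matching pattern wins, otherwise a matching Allow grants it,
// and with no matching statement the default is deny. Action names are
// matched case-insensitively with the "*" and "?" wildcards.
func actionAllowed(p policy, action string) bool {
	allowed := false
	for _, st := range p.Statement {
		for _, pattern := range st.Action {
			match, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
			if err != nil || !match {
				continue
			}
			if strings.EqualFold(st.Effect, "Deny") {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// missingPermissions parses a policy document and returns, in checklist
// order, every required action it does not grant, so the caller can stop
// before any resource is created instead of failing mid-apply.
func missingPermissions(policyJSON string, required []string) ([]string, error) {
	var p policy
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, fmt.Errorf("parse policy: %w", err)
	}
	var missing []string
	for _, action := range required {
		if !actionAllowed(p, action) {
			missing = append(missing, action)
		}
	}
	return missing, nil
}

// samplePolicy is a constructed document: it grants the bucket-creation and
// write actions but omits s3:GetBucketPolicy, and explicitly denies one EC2
// action that the "ec2:*" wildcard would otherwise grant.
const samplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:CreateBucket", "s3:PutBucketPolicy", "s3:PutObject", "ec2:*"]},
    {"Effect": "Deny",  "Action": "ec2:TerminateInstances"}
  ]
}`

// requiredActions is a constructed checklist, not the installer's real one.
var requiredActions = []string{"s3:CreateBucket", "s3:GetBucketPolicy",
	"s3:PutBucketPolicy", "ec2:RunInstances", "ec2:TerminateInstances"}

func main() {
	missing, err := missingPermissions(samplePolicy, requiredActions)
	if err != nil {
		fmt.Println("FATAL", err)
		return
	}
	for _, m := range missing {
		fmt.Printf("WARNING Action not allowed with tested creds action=%s\n", m)
	}
}
```

Run as-is, the program reports `s3:GetBucketPolicy` (never granted) and `ec2:TerminateInstances` (granted by `ec2:*`, revoked by the Deny) as missing, which is exactly the information a preflight check should surface before any bucket or instance exists.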