Bug 1685729 - Installer needs to add iam:GetUserPolicy as tested credential
Summary: Installer needs to add iam:GetUserPolicy as tested credential
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
unspecified
unspecified
Target Milestone: ---
: 4.1.0
Assignee: Joel Diaz
QA Contact: Qin Ping
URL:
Whiteboard:
Depends On:
Blocks:
TreeView+ depends on / blocked
 
Reported: 2019-03-05 22:30 UTC by Ryan Howe
Modified: 2019-06-04 10:45 UTC (History)
5 users (show)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-04 10:45:04 UTC
Target Upstream Version:


Attachments (Terms of Use)


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2019:0758 None None None 2019-06-04 10:45:10 UTC
Github openshift installer pull 1374 'None' 'closed' 'update vendoring of cloud-credential-operator' 2019-11-26 18:31:24 UTC

Description Ryan Howe 2019-03-05 22:30:22 UTC
Description of problem:

  Installer needs to add iam:GetUserPolicy as a tested credential, as this is needed by the cloud-credential-operator

Version-Release number of the following components:

openshift-install version
openshift-install v0.13.0

How reproducible:
100%

Steps to Reproduce:
1. Run the installer as a user that does not have the cred iam:GetUserPolicy


Actual results:
Installer fails and does not warn about creds
  
 time="2019-02-28T11:17:56-05:00" level=fatal msg="failed to initialize the cluster: Cluster operator openshift-cloud-credential-operator is reporting a failure: 4 of 4 credentials requests are failing to sync."


cloud-credential-operator logs show the following error:
time="2019-03-04T17:49:56Z" level=warning msg="Action not allowed with tested creds" action="iam:GetUserPolicy" controller=secretannotator


Expected results:

THe installer to warn about this cred. 

Additional info:

https://github.com/openshift/installer/blob/release-4.0/pkg/asset/installconfig/aws/permissions.go#L14

Comment 1 Joel Diaz 2019-03-06 18:45:47 UTC
https://github.com/openshift/installer/pull/1374 adds the check for iam:GetUserPolicy to the installer.

Comment 2 W. Trevor King 2019-03-06 21:02:25 UTC
#1374 landed.

Comment 4 Qin Ping 2019-03-11 09:29:09 UTC
Verified with:
./openshift-install version
./openshift-install unreleased-master-542-g0e12f4527c25e9d1e2ddb31bea0ace0cb6d463ca-dirty

WARNING Action not allowed with tested creds          action="iam:GetUserPolicy"
WARNING Tested creds not able to perform all requested actions 
WARNING Action not allowed with tested creds          action="iam:GetUserPolicy"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Terraform Variables: failed to fetch dependency of "Terraform Variables": failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is

Comment 7 errata-xmlrpc 2019-06-04 10:45:04 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2019:0758


Note You need to log in before you can comment on or make changes to this bug.