Bug 1710044 - OCP 4.1.0: openshift-install destroy cluster fails due to lack of AWS tag:GetResources permissions
Summary: OCP 4.1.0: openshift-install destroy cluster fails due to lack of AWS tag:Get...
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.1.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Target Release: 4.1.z
Assignee: Devan Goodwin
QA Contact: Oleg Nesterov
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2019-05-14 19:42 UTC by Kyle Brown
Modified: 2019-11-05 17:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2019-06-10 14:33:55 UTC
Target Upstream Version:
Embargoed:



Comment 3 Joel Diaz 2019-05-29 15:25:45 UTC
I'm not clear on this idea of restricting a specific call at the account level. Can you share some details/docs on how an AWS account would be configured this way?

Also, for my clarification, are you saying that running something like this (changed to query against your user of course):

aws iam simulate-principal-policy --action-names "tag:GetResources" --policy-source-arn "arn:aws:iam:::user/jdiaz-adminpolicy" 

shows that the action is allowed, but when you actually attempt to run a tag:GetResources you get a permission denial?

aws resourcegroupstaggingapi get-resources --region us-east-1
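
An added example, not part of this bug report or of the OpenShift installer, that interprets the output of the simulate-principal-policy call quoted above: it walks the EvaluationResults array the IAM policy simulator returns and reports, per action, whether the call was allowed and, if not, whether the denial came from the identity's own policies, a permissions boundary, or an AWS Organizations SCP (the kind of account-level restriction the comment asks about); it also surfaces MissingContextValues, which is one reason a simulated "allowed" can differ from a real call. The response below is a constructed sample in the shape of the IAM SimulatePrincipalPolicy output, not captured from any account.

```python
import json

# Constructed sample response (shape of `aws iam simulate-principal-policy` output);
# the policy id and actions are made up for illustration.
SAMPLE_RESPONSE = json.dumps({
    "EvaluationResults": [
        {
            "EvalActionName": "tag:GetResources",
            "EvalResourceName": "*",
            "EvalDecision": "allowed",
            "MatchedStatements": [{"SourcePolicyId": "ExamplePolicy"}],
            "MissingContextValues": ["aws:RequestedRegion"],
            "OrganizationsDecisionDetail": {"AllowedByOrganizations": True},
            "PermissionsBoundaryDecisionDetail": {"AllowedByPermissionsBoundary": True},
        },
        {
            "EvalActionName": "tag:TagResources",
            "EvalResourceName": "*",
            "EvalDecision": "implicitDeny",
            "MatchedStatements": [],
            "MissingContextValues": [],
            "OrganizationsDecisionDetail": {"AllowedByOrganizations": False},
        },
    ]
})


def explain_simulation(response_json):
    """Map each evaluated action to a verdict naming the layer that decided it."""
    verdicts = {}
    for result in json.loads(response_json).get("EvaluationResults", []):
        action = result["EvalActionName"]
        decision = result.get("EvalDecision")
        org = result.get("OrganizationsDecisionDetail", {})
        boundary = result.get("PermissionsBoundaryDecisionDetail", {})
        if decision == "allowed":
            verdict = "allowed"
        elif org.get("AllowedByOrganizations") is False:
            # Account-level restriction: an SCP blocks the call whatever the user policy says
            verdict = "denied by Organizations SCP"
        elif boundary.get("AllowedByPermissionsBoundary") is False:
            verdict = "denied by permissions boundary"
        elif decision == "explicitDeny":
            verdict = "explicit deny in identity policy"
        else:
            verdict = "implicit deny (no identity policy grants it)"
        missing = result.get("MissingContextValues", [])
        if missing:
            # Conditions on these keys were not evaluated, so a real call may still differ
            verdict += " (unevaluated context keys: " + ", ".join(missing) + ")"
        verdicts[action] = verdict
    return verdicts
```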

Comment 4 Devan Goodwin 2019-06-10 14:33:55 UTC
Closing for now, let us know if more information is available, thanks!

