Bug 1710044

Summary: OCP 4.1.0: openshift-install destroy cluster fails due to lack of AWS tag:GetResources permissions
Product: OpenShift Container Platform
Component: Cloud Credential Operator
Version: 4.1.0
Status: CLOSED NOTABUG
Reporter: Kyle Brown <kybrown>
Assignee: Devan Goodwin <dgoodwin>
QA Contact: Oleg Nesterov <olnester>
CC: bleanhar, jdiaz, wking
Severity: unspecified
Priority: unspecified
Target Milestone: ---
Target Release: 4.1.z
Hardware: Unspecified
OS: Unspecified
Type: Bug
Last Closed: 2019-06-10 14:33:55 UTC

Comment 3 Joel Diaz 2019-05-29 15:25:45 UTC
I'm not clear on this idea of restricting a specific call at the account level. Can you share some details/docs on how an AWS account would be configured this way?

Also, for my clarification, are you saying that running something like this (changed to query against your user of course):

aws iam simulate-principal-policy --action-names "tag:GetResources" --policy-source-arn "arn:aws:iam:::user/jdiaz-adminpolicy" 

shows that the action is allowed, but when you actually attempt to run a tag:GetResources you get a permission denial?

aws resourcegroupstaggingapi get-resources --region us-east-1

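The check asked for in comment 3, as an added example (not code from the bug report, from openshift-install or from the Cloud Credential Operator): simulate the actions with iam:SimulatePrincipalPolicy, make the real tag:GetResources call, and report any action where the simulator says "allowed" but AWS refuses the call. A disagreement means a deny source the simulator did not take into account (an SCP at the organization level, a permissions boundary, a resource policy), which is the kind of account-level restriction discussed above. Field names (EvaluationResults, EvalActionName, EvalDecision, OrganizationsDecisionDetail) are the real API's; the sample simulator response and the command-line arguments are constructed for this example, and boto3 is imported only when a live check is requested so the comparison logic itself runs offline.

```python
"""Compare IAM policy-simulator results with a live API call.

Added example for the bug report above; not part of openshift-install.
The pure functions below work on dicts shaped like the real
SimulatePrincipalPolicy response; boto3 is only needed for live checks.
"""
import sys

# Error codes meaning "the call reached AWS and IAM refused it".
DENIAL_CODES = {"AccessDenied", "AccessDeniedException", "UnauthorizedOperation"}

# Constructed sample of a simulate_principal_policy() response: the
# simulator sees no deny for tag:GetResources (this is not real data).
SAMPLE_SIMULATION_RESPONSE = {
    "EvaluationResults": [
        {"EvalActionName": "tag:GetResources", "EvalDecision": "allowed",
         "OrganizationsDecisionDetail": {"AllowedByOrganizations": True}},
        {"EvalActionName": "ec2:TerminateInstances", "EvalDecision": "implicitDeny"},
    ]
}


def summarize_simulation(response):
    """Map each simulated action to its decision and the Organizations verdict
    (AllowedByOrganizations is only present when the simulator evaluated it)."""
    out = {}
    for r in response.get("EvaluationResults", []):
        org = r.get("OrganizationsDecisionDetail", {})
        out[r["EvalActionName"]] = {
            "decision": r["EvalDecision"],
            "org_allowed": org.get("AllowedByOrganizations", True),
        }
    return out


def classify_live_result(error_code):
    """error_code is None when the real call succeeded, else the ClientError code."""
    if error_code is None:
        return "allowed"
    if error_code in DENIAL_CODES:
        return "denied"
    return "error:" + error_code


def find_mismatches(simulated, live):
    """Actions where the simulator and the live call disagree.
    'simulated allowed, live denied' is the case from the bug report."""
    mismatches = {}
    for action, sim in simulated.items():
        if action not in live:
            continue
        sim_ok = sim["decision"] == "allowed" and sim["org_allowed"]
        live_ok = live[action] == "allowed"
        if sim_ok != live_ok:
            mismatches[action] = {"simulated": "allowed" if sim_ok else "denied",
                                  "live": live[action]}
    return mismatches


def offline_demo():
    """Run the comparison on the constructed sample with a constructed denial."""
    sim = summarize_simulation(SAMPLE_SIMULATION_RESPONSE)
    live = {"tag:GetResources": classify_live_result("AccessDeniedException")}
    return find_mismatches(sim, live)


def simulate(principal_arn, actions):
    """Live: ask the policy simulator about the given actions for a principal."""
    import boto3
    iam = boto3.client("iam")
    resp = iam.simulate_principal_policy(PolicySourceArn=principal_arn,
                                         ActionNames=actions)
    return summarize_simulation(resp)


def try_get_resources(region):
    """Live: make the real tag:GetResources call; return the error code or None."""
    import boto3
    from botocore.exceptions import ClientError
    client = boto3.client("resourcegroupstaggingapi", region_name=region)
    try:
        client.get_resources(ResourcesPerPage=1)
        return None
    except ClientError as e:
        return e.response["Error"]["Code"]


if __name__ == "__main__":
    if len(sys.argv) != 3:
        print(offline_demo())  # offline run on the constructed sample
        sys.exit(0)
    arn, region = sys.argv[1], sys.argv[2]  # assumed: <principal ARN> <region>
    sim = simulate(arn, ["tag:GetResources"])
    live = {"tag:GetResources": classify_live_result(try_get_resources(region))}
    for action, d in find_mismatches(sim, live).items():
        print(f"{action}: simulator says {d['simulated']}, live call says {d['live']}")
```

Run it with the principal ARN and region as arguments to compare the simulator against a real call; with no arguments it evaluates the constructed sample, where the simulator reports "allowed" but the live call is marked as denied.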
Comment 4 Devan Goodwin 2019-06-10 14:33:55 UTC
Closing for now, let us know if more information is available, thanks!