Description of problem: Using a restricted IAM policy for a user and using that to install the cluster:

```
INFO Consuming "Install Config" from target directory
INFO Creating infrastructure resources...
ERROR
ERROR Error: Error applying plan:
ERROR
ERROR 3 errors occurred:
ERROR * module.masters.aws_network_interface.master[1]: 1 error occurred:
ERROR * aws_network_interface.master.1: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation.
ERROR status code: 403, request id: 9b772002-65ad-4642-86f3-4d314dcfa2e5
ERROR
ERROR * module.masters.aws_network_interface.master[2]: 1 error occurred:
ERROR * aws_network_interface.master.2: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation.
ERROR status code: 403, request id: a7b74671-95a0-42fa-a497-fc4966222ebe
ERROR
ERROR * module.masters.aws_network_interface.master[0]: 1 error occurred:
ERROR * aws_network_interface.master.0: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation.
ERROR status code: 403, request id: ef03e929-d2c0-489e-ba4b-de28beb31b8f
ERROR
ERROR Terraform does not automatically rollback in the face of errors.
ERROR Instead, your Terraform state file has been partially updated with
ERROR any resources that successfully completed. Please address the error
ERROR above and apply again to incrementally change your infrastructure.
ERROR
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
```

The installer should add `ec2:AttachNetworkInterface` and `ec2:CreateNetworkInterface` to the permissions that should be checked.

The original report: https://github.com/openshift/openshift-docs/issues/15376#issuecomment-510320028
I think we want something like https://github.com/openshift/installer/pull/1752 to help maintain that list (at least on AWS).
Moving to 4.4; we can fix this in 4.3.z.
Verified this bug with 4.4.0-0.nightly-2020-02-09-220310, and PASS.

1. Create user policy using the following JSON.

```json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DeleteDhcpOptions",
        "ec2:DeleteInternetGateway",
        "ec2:DeleteNatGateway",
        "ec2:DeleteNetworkInterface",
        "ec2:DeleteRoute",
        "ec2:DeleteRouteTable",
        "ec2:DeleteSnapshot",
        "ec2:DeleteSecurityGroup",
        "ec2:DeleteSubnet",
        "ec2:DeleteVolume",
        "ec2:DeleteVpc",
        "ec2:DeleteVpcEndpoints",
        "ec2:DeregisterImage",
        "ec2:DetachInternetGateway",
        "ec2:DisassociateRouteTable",
        "ec2:ReleaseAddress",
        "ec2:AllocateAddress",
        "ec2:AssociateAddress",
        "ec2:AssociateDhcpOptions",
        "ec2:AssociateRouteTable",
        "ec2:AttachInternetGateway",
        "ec2:AuthorizeSecurityGroupEgress",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CopyImage",
        "ec2:CreateDhcpOptions",
        "ec2:CreateInternetGateway",
        "ec2:CreateNatGateway",
        "ec2:CreateRoute",
        "ec2:CreateRouteTable",
        "ec2:CreateSecurityGroup",
        "ec2:CreateSubnet",
        "ec2:CreateTags",
        "ec2:CreateVpc",
        "ec2:CreateVpcEndpoint",
        "ec2:CreateVolume",
        "ec2:Describe*",
        "ec2:ModifyInstanceAttribute",
        "ec2:ModifySubnetAttribute",
        "ec2:ModifyVpcAttribute",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:RunInstances",
        "ec2:TerminateInstances",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:ReplaceRouteTableAssociation",
        "ec2:DescribeNetworkInterfaces",
        "ec2:ModifyNetworkInterfaceAttribute"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "tag:GetResources"
      ],
      "Resource": "*"
    }
  ]
}
```

```
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo3/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo3
INFO Consuming Install Config from target directory
INFO Credentials loaded from the "default" profile in file "/root/.aws/credentials"
WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds action="ec2:AttachNetworkInterface"
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation
```

Adding "ec2:CreateNetworkInterface" and "ec2:AttachNetworkInterface" back.

```
[root@preserve-jialiu-ansible ~]# rm -rf demo3/*
[root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo3/install-config.yaml
[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo3
INFO Consuming Install Config from target directory
```
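The verification above shows the pre-flight credential check doing its job: the two ENI actions are flagged before any infrastructure is created, instead of Terraform failing half-way through with a partially updated state file. The script below is an added example, not the OpenShift installer's own code. The installer's check goes through the AWS API with the real credentials; this example instead evaluates a policy document locally, so it runs offline and reproduces the WARNING lines from an abbreviated copy of the policy pasted in the comment. `REQUIRED_ACTIONS` is a hand-picked, constructed subset of install-time actions for illustration, not the installer's authoritative list, and the evaluator deliberately ignores `Resource`, `Condition` and `NotAction` (the pasted policy uses `"Resource": "*"` throughout), which is an assumption of the example, not a property of IAM.

```python
"""Offline check of an IAM identity policy against a list of required actions.

Added example, not the OpenShift installer's code. Evaluates a policy document
locally (wildcards, explicit Deny, implicit deny) to show why the policy in the
verification comment fails the installer's credential check.
"""
import fnmatch
import json

# Constructed, hand-picked subset of install-time actions for this example.
# It is NOT the installer's authoritative permission list.
REQUIRED_ACTIONS = [
    "ec2:AttachNetworkInterface",
    "ec2:CreateNetworkInterface",
    "ec2:CreateTags",
    "ec2:DescribeNetworkInterfaces",
    "ec2:RunInstances",
    "elasticloadbalancing:CreateLoadBalancer",
    "iam:CreateRole",
    "route53:ChangeResourceRecordSets",
    "s3:CreateBucket",
    "tag:GetResources",
]

# Abbreviated copy of the policy from the verification comment: the ENI
# create/attach actions are absent and "ec2:Describe*" is a wildcard.
POLICY_MISSING_ENI = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
      "ec2:CreateTags", "ec2:Describe*", "ec2:RunInstances",
      "ec2:DescribeNetworkInterfaces", "ec2:ModifyNetworkInterfaceAttribute"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["elasticloadbalancing:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["iam:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["route53:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": ["s3:*"]},
    {"Effect": "Allow", "Resource": "*", "Action": [
      "autoscaling:DescribeAutoScalingGroups", "tag:GetResources"]}
  ]
}
""")


def _as_list(value):
    """IAM accepts a string or a list in Statement/Action; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ?."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_actions(policy, required):
    """Return the required actions this policy does not grant, sorted.

    Assumptions of this example: Resource and Condition are ignored and
    NotAction statements are skipped. As in IAM, an explicit Deny beats an
    Allow and anything not matched by an Allow is implicitly denied.
    """
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement", [])):
        if "Action" not in stmt:
            continue  # NotAction statements are out of scope here
        patterns = _as_list(stmt["Action"])
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(_action_matches(p, action) for p in patterns):
                bucket.add(action)
    return sorted(a for a in required if a in denied or a not in allowed)


def with_allowed_actions(policy, actions):
    """Return a copy of `policy` with one extra Allow statement for `actions`."""
    fixed = json.loads(json.dumps(policy))  # deep copy; leave the input untouched
    fixed["Statement"] = _as_list(fixed.get("Statement", [])) + [
        {"Effect": "Allow", "Action": list(actions), "Resource": "*"}
    ]
    return fixed


def main():
    # Same shape as the installer's WARNING/FATAL lines in the comment above.
    missing = missing_actions(POLICY_MISSING_ENI, REQUIRED_ACTIONS)
    for action in missing:
        print(f'WARNING Action not allowed with tested creds action="{action}"')
    if missing:
        print("FATAL current credentials insufficient for performing cluster installation")
    fixed = with_allowed_actions(POLICY_MISSING_ENI, missing)
    print("after adding them back, missing:", missing_actions(fixed, REQUIRED_ACTIONS))


if __name__ == "__main__":
    main()
```

Run stand-alone, the script reports `ec2:AttachNetworkInterface` and `ec2:CreateNetworkInterface` as missing, then an empty list once they are added back, matching the two installer runs in the comment. A check like this only catches what the required-actions list knows about, which is the point of the bug: the installer's list is the thing being fixed, and a pre-flight check is only as complete as that list.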
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0581