Description of problem:
When attempting an IPI install with insufficiently powerful credentials, the pre-flight permissions check does not provide the full list of missing permissions. The install then proceeds thinking it has all necessary permissions, and fails.

Version-Release number of the following components:

How reproducible:
100%

Steps to Reproduce:
1. Create a user with only iam:SimulatePrincipalPolicy and iam:GetUser permissions.
2. Attempt an install with those credentials.
3. See the incomplete list of missing permissions.

Actual results:
The list of missing permissions looks like:

WARNING Action not allowed with tested creds action="ec2:AllocateAddress"
WARNING Action not allowed with tested creds action="ec2:AssociateAddress"
WARNING Action not allowed with tested creds action="ec2:AssociateDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:AssociateRouteTable"
WARNING Action not allowed with tested creds action="ec2:AttachInternetGateway"
WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupEgress"
WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupIngress"
WARNING Action not allowed with tested creds action="ec2:CopyImage"
WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds action="ec2:CreateRoute"
WARNING Action not allowed with tested creds action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds action="ec2:CreateTags"
WARNING Action not allowed with tested creds action="ec2:CreateVpc"
WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint"
WARNING Action not allowed with tested creds action="ec2:CreateVolume"
WARNING Action not allowed with tested creds action="ec2:DeleteSnapshot"
WARNING Action not allowed with tested creds action="ec2:DeregisterImage"
WARNING Action not allowed with tested creds action="ec2:DescribeAccountAttributes"
WARNING Action not allowed with tested creds action="ec2:DescribeAddresses"
WARNING Action not allowed with tested creds action="ec2:DescribeAvailabilityZones"
WARNING Action not allowed with tested creds action="ec2:DescribeDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:DescribeImages"
WARNING Action not allowed with tested creds action="ec2:DescribeInstanceAttribute"
WARNING Action not allowed with tested creds action="ec2:DescribeInstanceCreditSpecifications"
WARNING Action not allowed with tested creds action="ec2:DescribeInstances"
WARNING Action not allowed with tested creds action="ec2:DescribeInternetGateways"
WARNING Action not allowed with tested creds action="ec2:DescribeKeyPairs"
WARNING Action not allowed with tested creds action="ec2:DescribeNatGateways"
WARNING Action not allowed with tested creds action="ec2:DescribeNetworkAcls"
WARNING Action not allowed with tested creds action="ec2:DescribePrefixLists"
WARNING Action not allowed with tested creds action="ec2:DescribeRegions"
WARNING Action not allowed with tested creds action="ec2:DescribeRouteTables"
WARNING Action not allowed with tested creds action="ec2:DescribeSecurityGroups"
WARNING Action not allowed with tested creds action="ec2:DescribeSubnets"
WARNING Action not allowed with tested creds action="ec2:DescribeTags"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcEndpoints"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcs"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcAttribute"
WARNING Action not allowed with tested creds action="ec2:DescribeVolumes"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLink"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLinkDnsSupport"
WARNING Action not allowed with tested creds action="ec2:ModifyInstanceAttribute"
WARNING Action not allowed with tested creds action="ec2:ModifySubnetAttribute"
WARNING Action not allowed with tested creds action="ec2:ModifyVpcAttribute"
WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupEgress"
WARNING Action not allowed with tested creds action="ec2:RunInstances"
WARNING Action not allowed with tested creds action="ec2:TerminateInstances"
WARNING Action not allowed with tested creds action="ec2:DeleteDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:DeleteRoute"
WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupIngress"
WARNING Action not allowed with tested creds action="ec2:DisassociateRouteTable"
WARNING Action not allowed with tested creds action="ec2:ReplaceRouteTableAssociation"
WARNING Action not allowed with tested creds action="ec2:DeleteRouteTable"
WARNING Action not allowed with tested creds action="ec2:DeleteSubnet"
WARNING Action not allowed with tested creds action="ec2:DescribeNetworkInterfaces"
WARNING Action not allowed with tested creds action="ec2:ModifyNetworkInterfaceAttribute"
WARNING Action not allowed with tested creds action="ec2:DeleteNatGateway"
WARNING Action not allowed with tested creds action="ec2:DeleteSecurityGroup"
WARNING Action not allowed with tested creds action="ec2:DetachInternetGateway"
WARNING Action not allowed with tested creds action="ec2:DeleteInternetGateway"
WARNING Action not allowed with tested creds action="ec2:ReleaseAddress"
WARNING Action not allowed with tested creds action="ec2:DeleteVpc"
WARNING Action not allowed with tested creds action="elasticloadbalancing:AddTags"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:AttachLoadBalancerToSubnets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateListener"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancerListeners"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateTargetGroup"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ConfigureHealthCheck"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeleteLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterTargets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeInstanceHealth"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeListeners"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancers"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancerAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTags"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetGroupAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetHealth"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyLoadBalancerAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroup"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroupAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterTargets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterInstancesWithLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
WARNING Action not allowed with tested creds action="iam:AddRoleToInstanceProfile"
WARNING Action not allowed with tested creds action="iam:CreateInstanceProfile"
WARNING Action not allowed with tested creds action="iam:CreateRole"
WARNING Action not allowed with tested creds action="iam:DeleteInstanceProfile"
WARNING Action not allowed with tested creds action="iam:DeleteRole"
WARNING Action not allowed with tested creds action="iam:DeleteRolePolicy"
WARNING Action not allowed with tested creds action="iam:GetInstanceProfile"
WARNING Action not allowed with tested creds action="iam:GetRole"
WARNING Action not allowed with tested creds action="iam:GetRolePolicy"

Expected results:
Notice the many missing required permissions related to route53, for example.

Additional info:
With a build from the master branch of the installer, and using a user that has insufficient credentials, I now see a much longer list of missing credentials:

WARNING Action not allowed with tested creds action="ec2:AllocateAddress"
WARNING Action not allowed with tested creds action="ec2:AssociateAddress"
WARNING Action not allowed with tested creds action="ec2:AssociateDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:AssociateRouteTable"
WARNING Action not allowed with tested creds action="ec2:AttachInternetGateway"
WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupEgress"
WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupIngress"
WARNING Action not allowed with tested creds action="ec2:CopyImage"
WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds action="ec2:CreateRoute"
WARNING Action not allowed with tested creds action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds action="ec2:CreateTags"
WARNING Action not allowed with tested creds action="ec2:CreateVpc"
WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint"
WARNING Action not allowed with tested creds action="ec2:CreateVolume"
WARNING Action not allowed with tested creds action="ec2:DeleteSnapshot"
WARNING Action not allowed with tested creds action="ec2:DeregisterImage"
WARNING Action not allowed with tested creds action="ec2:DescribeAccountAttributes"
WARNING Action not allowed with tested creds action="ec2:DescribeAddresses"
WARNING Action not allowed with tested creds action="ec2:DescribeAvailabilityZones"
WARNING Action not allowed with tested creds action="ec2:DescribeDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:DescribeImages"
WARNING Action not allowed with tested creds action="ec2:DescribeInstanceAttribute"
WARNING Action not allowed with tested creds action="ec2:DescribeInstanceCreditSpecifications"
WARNING Action not allowed with tested creds action="ec2:DescribeInstances"
WARNING Action not allowed with tested creds action="ec2:DescribeInternetGateways"
WARNING Action not allowed with tested creds action="ec2:DescribeKeyPairs"
WARNING Action not allowed with tested creds action="ec2:DescribeNatGateways"
WARNING Action not allowed with tested creds action="ec2:DescribeNetworkAcls"
WARNING Action not allowed with tested creds action="ec2:DescribePrefixLists"
WARNING Action not allowed with tested creds action="ec2:DescribeRegions"
WARNING Action not allowed with tested creds action="ec2:DescribeRouteTables"
WARNING Action not allowed with tested creds action="ec2:DescribeSecurityGroups"
WARNING Action not allowed with tested creds action="ec2:DescribeSubnets"
WARNING Action not allowed with tested creds action="ec2:DescribeTags"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcEndpoints"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcs"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcAttribute"
WARNING Action not allowed with tested creds action="ec2:DescribeVolumes"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLink"
WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLinkDnsSupport"
WARNING Action not allowed with tested creds action="ec2:ModifyInstanceAttribute"
WARNING Action not allowed with tested creds action="ec2:ModifySubnetAttribute"
WARNING Action not allowed with tested creds action="ec2:ModifyVpcAttribute"
WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupEgress"
WARNING Action not allowed with tested creds action="ec2:RunInstances"
WARNING Action not allowed with tested creds action="ec2:TerminateInstances"
WARNING Action not allowed with tested creds action="ec2:DeleteDhcpOptions"
WARNING Action not allowed with tested creds action="ec2:DeleteRoute"
WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupIngress"
WARNING Action not allowed with tested creds action="ec2:DisassociateRouteTable"
WARNING Action not allowed with tested creds action="ec2:ReplaceRouteTableAssociation"
WARNING Action not allowed with tested creds action="ec2:DeleteRouteTable"
WARNING Action not allowed with tested creds action="ec2:DeleteSubnet"
WARNING Action not allowed with tested creds action="ec2:DescribeNetworkInterfaces"
WARNING Action not allowed with tested creds action="ec2:ModifyNetworkInterfaceAttribute"
WARNING Action not allowed with tested creds action="ec2:DeleteNatGateway"
WARNING Action not allowed with tested creds action="ec2:DeleteSecurityGroup"
WARNING Action not allowed with tested creds action="ec2:DetachInternetGateway"
WARNING Action not allowed with tested creds action="ec2:DeleteInternetGateway"
WARNING Action not allowed with tested creds action="ec2:ReleaseAddress"
WARNING Action not allowed with tested creds action="ec2:DeleteVpc"
WARNING Action not allowed with tested creds action="elasticloadbalancing:AddTags"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ApplySecurityGroupsToLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:AttachLoadBalancerToSubnets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateListener"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancerListeners"
WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateTargetGroup"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ConfigureHealthCheck"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeleteLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterInstancesFromLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterTargets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeInstanceHealth"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeListeners"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancers"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancerAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTags"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetGroupAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetHealth"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyLoadBalancerAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroup"
WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroupAttributes"
WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterTargets"
WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterInstancesWithLoadBalancer"
WARNING Action not allowed with tested creds action="elasticloadbalancing:SetLoadBalancerPoliciesOfListener"
WARNING Action not allowed with tested creds action="iam:AddRoleToInstanceProfile"
WARNING Action not allowed with tested creds action="iam:CreateInstanceProfile"
WARNING Action not allowed with tested creds action="iam:CreateRole"
WARNING Action not allowed with tested creds action="iam:DeleteInstanceProfile"
WARNING Action not allowed with tested creds action="iam:DeleteRole"
WARNING Action not allowed with tested creds action="iam:DeleteRolePolicy"
WARNING Action not allowed with tested creds action="iam:GetInstanceProfile"
WARNING Action not allowed with tested creds action="iam:GetRole"
WARNING Action not allowed with tested creds action="iam:GetRolePolicy"
WARNING Action not allowed with tested creds action="iam:ListInstanceProfilesForRole"
WARNING Action not allowed with tested creds action="iam:ListRoles"
WARNING Action not allowed with tested creds action="iam:ListUsers"
WARNING Action not allowed with tested creds action="iam:PassRole"
WARNING Action not allowed with tested creds action="iam:PutRolePolicy"
WARNING Action not allowed with tested creds action="iam:RemoveRoleFromInstanceProfile"
WARNING Action not allowed with tested creds action="iam:TagRole"
WARNING Action not allowed with tested creds action="route53:ChangeResourceRecordSets"
WARNING Action not allowed with tested creds action="route53:ChangeTagsForResource"
WARNING Action not allowed with tested creds action="route53:GetChange"
WARNING Action not allowed with tested creds action="route53:GetHostedZone"
WARNING Action not allowed with tested creds action="route53:CreateHostedZone"
WARNING Action not allowed with tested creds action="route53:DeleteHostedZone"
WARNING Action not allowed with tested creds action="route53:ListHostedZones"
WARNING Action not allowed with tested creds action="route53:ListHostedZonesByName"
WARNING Action not allowed with tested creds action="route53:ListResourceRecordSets"
WARNING Action not allowed with tested creds action="route53:ListTagsForResource"
WARNING Action not allowed with tested creds action="route53:UpdateHostedZoneComment"
WARNING Action not allowed with tested creds action="s3:CreateBucket"
WARNING Action not allowed with tested creds action="s3:DeleteBucket"
WARNING Action not allowed with tested creds action="s3:GetAccelerateConfiguration"
WARNING Action not allowed with tested creds action="s3:GetBucketCors"
WARNING Action not allowed with tested creds action="s3:GetBucketLocation"
WARNING Action not allowed with tested creds action="s3:GetBucketLogging"
WARNING Action not allowed with tested creds action="s3:GetBucketObjectLockConfiguration"
WARNING Action not allowed with tested creds action="s3:GetBucketReplication"
WARNING Action not allowed with tested creds action="s3:GetBucketRequestPayment"
WARNING Action not allowed with tested creds action="s3:GetBucketTagging"
WARNING Action not allowed with tested creds action="s3:GetBucketVersioning"
WARNING Action not allowed with tested creds action="s3:GetBucketWebsite"
WARNING Action not allowed with tested creds action="s3:GetEncryptionConfiguration"
WARNING Action not allowed with tested creds action="s3:GetLifecycleConfiguration"
WARNING Action not allowed with tested creds action="s3:GetReplicationConfiguration"
WARNING Action not allowed with tested creds action="s3:ListBucket"
WARNING Action not allowed with tested creds action="s3:PutBucketAcl"
WARNING Action not allowed with tested creds action="s3:PutBucketTagging"
WARNING Action not allowed with tested creds action="s3:PutEncryptionConfiguration"
WARNING Action not allowed with tested creds action="s3:PutObject"
WARNING Action not allowed with tested creds action="s3:PutObjectAcl"
WARNING Action not allowed with tested creds action="s3:PutObjectTagging"
WARNING Action not allowed with tested creds action="s3:GetObject"
WARNING Action not allowed with tested creds action="s3:GetObjectAcl"
WARNING Action not allowed with tested creds action="s3:GetObjectTagging"
WARNING Action not allowed with tested creds action="s3:GetObjectVersion"
WARNING Action not allowed with tested creds action="s3:DeleteObject"
WARNING Action not allowed with tested creds action="autoscaling:DescribeAutoScalingGroups"
WARNING Action not allowed with tested creds action="ec2:DeleteNetworkInterface"
WARNING Action not allowed with tested creds action="ec2:DeleteVolume"
WARNING Action not allowed with tested creds action="ec2:DeleteVpcEndpoints"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetGroups"
WARNING Action not allowed with tested creds action="elasticloadbalancing:DeleteTargetGroup"
WARNING Action not allowed with tested creds action="iam:ListInstanceProfiles"
WARNING Action not allowed with tested creds action="iam:ListRolePolicies"
WARNING Action not allowed with tested creds action="iam:ListUserPolicies"
WARNING Action not allowed with tested creds action="tag:GetResources"
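The kind of pre-flight check the report describes, written as an added example that is not the installer's code: it asks iam:SimulatePrincipalPolicy for a decision on every required action, follows the paginated response so no result is dropped, and treats an action with no decision as missing. It assumes a boto3-style IAM client whose simulate_principal_policy() returns the documented EvaluationResults/IsTruncated/Marker shape; the StubIAMClient, the action subset and the ARN are constructed so it runs offline.

```python
# Added example (not the installer's code): a pre-flight permission check on
# top of iam:SimulatePrincipalPolicy. Assumes a boto3-style IAM client whose
# simulate_principal_policy() returns the documented EvaluationResults /
# IsTruncated / Marker shape; StubIAMClient is a constructed offline stand-in.
from typing import Dict, List, Optional, Set

# Constructed subset of the actions the bug report lists, one per service.
REQUIRED_ACTIONS = ["ec2:CreateVpc", "ec2:RunInstances", "iam:PassRole",
                    "route53:ChangeResourceRecordSets", "s3:CreateBucket",
                    "tag:GetResources"]


def simulate_all(client, principal_arn: str, actions: List[str],
                 batch_size: int = 50) -> Dict[str, str]:
    """Return {action: EvalDecision} for every requested action, sending the
    actions in batches (batch_size is a chosen value, not an API limit) and
    following IsTruncated/Marker so no evaluation result is dropped."""
    decisions: Dict[str, str] = {}
    for start in range(0, len(actions), batch_size):
        kwargs = {"PolicySourceArn": principal_arn,
                  "ActionNames": actions[start:start + batch_size]}
        while True:
            resp = client.simulate_principal_policy(**kwargs)
            for result in resp.get("EvaluationResults", []):
                decisions[result["EvalActionName"]] = result["EvalDecision"]
            if not resp.get("IsTruncated"):
                break
            kwargs["Marker"] = resp["Marker"]  # opaque continuation token
    return decisions


def missing_actions(client, principal_arn: str, actions: List[str]) -> List[str]:
    """Actions the principal may not perform, in request order. Fails closed:
    an action with no evaluation result is reported as missing, never
    silently assumed to be allowed."""
    decisions = simulate_all(client, principal_arn, actions)
    return [a for a in actions if decisions.get(a) != "allowed"]


class StubIAMClient:
    """Constructed stand-in for boto3's IAM client: allows only `allowed`,
    pages results `page_size` at a time (exercises Marker handling) and
    omits results for `omit` (exercises the fail-closed path)."""
    def __init__(self, allowed: Set[str], page_size: int = 2,
                 omit: Optional[Set[str]] = None):
        self.allowed, self.page_size, self.omit = allowed, page_size, omit or set()

    def simulate_principal_policy(self, PolicySourceArn: str,
                                  ActionNames: List[str], Marker: str = "0") -> dict:
        start = int(Marker)
        page = ActionNames[start:start + self.page_size]
        resp = {"EvaluationResults": [
            {"EvalActionName": a,
             "EvalDecision": "allowed" if a in self.allowed else "implicitDeny"}
            for a in page if a not in self.omit]}
        if start + self.page_size < len(ActionNames):
            resp["IsTruncated"], resp["Marker"] = True, str(start + self.page_size)
        return resp


if __name__ == "__main__":
    # Reproduction from the report: a user holding only the two IAM actions.
    client = StubIAMClient(allowed={"iam:SimulatePrincipalPolicy", "iam:GetUser"})
    for action in missing_actions(client, "arn:aws:iam::123456789012:user/installer",
                                  REQUIRED_ACTIONS):
        print(f'WARNING Action not allowed with tested creds action="{action}"')
```

Against a real account, replace StubIAMClient with boto3.client("iam") and the user's ARN; the warning format mirrors the installer's lines quoted above so the two lists can be diffed directly.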
Verified with 4.2.0-0.nightly-2019-09-11-012246. I reviewed the whole PR, which checks `SimulatePrincipalPolicy` from AWS. Thanks to jdiaz for the help. I did some basic tests to make sure that this PR doesn't introduce any regression.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922