Bug 1749409
| Summary: | not getting full list of necessary permissions before installation is attempted | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Joel Diaz <jdiaz> |
| Component: | Installer | Assignee: | Abhinav Dahiya <adahiya> |
| Installer sub component: | openshift-installer | QA Contact: | sheng.lao <shlao> |
| Status: | CLOSED ERRATA | Docs Contact: | |
| Severity: | unspecified | ||
| Priority: | unspecified | ||
| Version: | 4.2.0 | ||
| Target Milestone: | --- | ||
| Target Release: | 4.2.0 | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | If docs needed, set a value | |
| Doc Text: | Story Points: | --- | |
| Clone Of: | Environment: | ||
| Last Closed: | 2019-10-16 06:40:33 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
Joel Diaz
2019-09-05 14:42:22 UTC
With a build from the master branch of the installer, and using a user that has insufficient credentials, I now see a much longer list of missing credentials: WARNING Action not allowed with tested creds action="ec2:AllocateAddress" WARNING Action not allowed with tested creds action="ec2:AssociateAddress" WARNING Action not allowed with tested creds action="ec2:AssociateDhcpOptions" WARNING Action not allowed with tested creds action="ec2:AssociateRouteTable" WARNING Action not allowed with tested creds action="ec2:AttachInternetGateway" WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupEgress" WARNING Action not allowed with tested creds action="ec2:AuthorizeSecurityGroupIngress" WARNING Action not allowed with tested creds action="ec2:CopyImage" WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions" WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway" WARNING Action not allowed with tested creds action="ec2:CreateNatGateway" WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface" WARNING Action not allowed with tested creds action="ec2:CreateRoute" WARNING Action not allowed with tested creds action="ec2:CreateRouteTable" WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup" WARNING Action not allowed with tested creds action="ec2:CreateSubnet" WARNING Action not allowed with tested creds action="ec2:CreateTags" WARNING Action not allowed with tested creds action="ec2:CreateVpc" WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint" WARNING Action not allowed with tested creds action="ec2:CreateVolume" WARNING Action not allowed with tested creds action="ec2:DeleteSnapshot" WARNING Action not allowed with tested creds action="ec2:DeregisterImage" WARNING Action not allowed with tested creds action="ec2:DescribeAccountAttributes" WARNING Action not allowed with tested creds action="ec2:DescribeAddresses" WARNING Action not allowed with tested creds action="ec2:DescribeAvailabilityZones" WARNING Action not allowed with tested creds action="ec2:DescribeDhcpOptions" WARNING Action not allowed with tested creds action="ec2:DescribeImages" WARNING Action not allowed with tested creds action="ec2:DescribeInstanceAttribute" WARNING Action not allowed with tested creds action="ec2:DescribeInstanceCreditSpecifications" WARNING Action not allowed with tested creds action="ec2:DescribeInstances" WARNING Action not allowed with tested creds action="ec2:DescribeInternetGateways" WARNING Action not allowed with tested creds action="ec2:DescribeKeyPairs" WARNING Action not allowed with tested creds action="ec2:DescribeNatGateways" WARNING Action not allowed with tested creds action="ec2:DescribeNetworkAcls" WARNING Action not allowed with tested creds action="ec2:DescribePrefixLists" WARNING Action not allowed with tested creds action="ec2:DescribeRegions" WARNING Action not allowed with tested creds action="ec2:DescribeRouteTables" WARNING Action not allowed with tested creds action="ec2:DescribeSecurityGroups" WARNING Action not allowed with tested creds action="ec2:DescribeSubnets" WARNING Action not allowed with tested creds action="ec2:DescribeTags" WARNING Action not allowed with tested creds action="ec2:DescribeVpcEndpoints" WARNING Action not allowed with tested creds action="ec2:DescribeVpcs" WARNING Action not allowed with tested creds action="ec2:DescribeVpcAttribute" WARNING Action not allowed with tested creds action="ec2:DescribeVolumes" WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLink" WARNING Action not allowed with tested creds action="ec2:DescribeVpcClassicLinkDnsSupport" WARNING Action not allowed with tested creds action="ec2:ModifyInstanceAttribute" WARNING Action not allowed with tested creds action="ec2:ModifySubnetAttribute" WARNING Action not allowed with tested creds action="ec2:ModifyVpcAttribute" WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupEgress" WARNING Action not allowed with tested creds action="ec2:RunInstances" WARNING Action not allowed with tested creds action="ec2:TerminateInstances" WARNING Action not allowed with tested creds action="ec2:DeleteDhcpOptions" WARNING Action not allowed with tested creds action="ec2:DeleteRoute" WARNING Action not allowed with tested creds action="ec2:RevokeSecurityGroupIngress" WARNING Action not allowed with tested creds action="ec2:DisassociateRouteTable" WARNING Action not allowed with tested creds action="ec2:ReplaceRouteTableAssociation" WARNING Action not allowed with tested creds action="ec2:DeleteRouteTable" WARNING Action not allowed with tested creds action="ec2:DeleteSubnet" WARNING Action not allowed with tested creds action="ec2:DescribeNetworkInterfaces" WARNING Action not allowed with tested creds action="ec2:ModifyNetworkInterfaceAttribute" WARNING Action not allowed with tested creds action="ec2:DeleteNatGateway" WARNING Action not allowed with tested creds action="ec2:DeleteSecurityGroup" WARNING Action not allowed with tested creds action="ec2:DetachInternetGateway" WARNING Action not allowed with tested creds action="ec2:DeleteInternetGateway" WARNING Action not allowed with tested creds action="ec2:ReleaseAddress" WARNING Action not allowed with tested creds action="ec2:DeleteVpc" WARNING Action not allowed with tested creds action="elasticloadbalancing:AddTags" WARNING Action not allowed with tested creds action="elasticloadbalancing:ApplySecurityGroupsToLoadBalancer" WARNING Action not allowed with tested creds action="elasticloadbalancing:AttachLoadBalancerToSubnets" WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateListener" WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancer" WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateLoadBalancerListeners" WARNING Action not allowed with tested creds action="elasticloadbalancing:CreateTargetGroup" WARNING Action not allowed with tested creds action="elasticloadbalancing:ConfigureHealthCheck" WARNING Action not allowed with tested creds action="elasticloadbalancing:DeleteLoadBalancer" WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterInstancesFromLoadBalancer" WARNING Action not allowed with tested creds action="elasticloadbalancing:DeregisterTargets" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeInstanceHealth" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeListeners" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancers" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeLoadBalancerAttributes" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTags" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetGroupAttributes" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetHealth" WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyLoadBalancerAttributes" WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroup" WARNING Action not allowed with tested creds action="elasticloadbalancing:ModifyTargetGroupAttributes" WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterTargets" WARNING Action not allowed with tested creds action="elasticloadbalancing:RegisterInstancesWithLoadBalancer" WARNING Action not allowed with tested creds action="elasticloadbalancing:SetLoadBalancerPoliciesOfListener" WARNING Action not allowed with tested creds action="iam:AddRoleToInstanceProfile" WARNING Action not allowed with tested creds action="iam:CreateInstanceProfile" WARNING Action not allowed with tested creds action="iam:CreateRole" WARNING Action not allowed with tested creds action="iam:DeleteInstanceProfile" WARNING Action not allowed with tested creds action="iam:DeleteRole" WARNING Action not allowed with tested creds action="iam:DeleteRolePolicy" WARNING Action not allowed with tested creds action="iam:GetInstanceProfile" WARNING Action not allowed with tested creds action="iam:GetRole" WARNING Action not allowed with tested creds action="iam:GetRolePolicy" WARNING Action not allowed with tested creds action="iam:ListInstanceProfilesForRole" WARNING Action not allowed with tested creds action="iam:ListRoles" WARNING Action not allowed with tested creds action="iam:ListUsers" WARNING Action not allowed with tested creds action="iam:PassRole" WARNING Action not allowed with tested creds action="iam:PutRolePolicy" WARNING Action not allowed with tested creds action="iam:RemoveRoleFromInstanceProfile" WARNING Action not allowed with tested creds action="iam:TagRole" WARNING Action not allowed with tested creds action="route53:ChangeResourceRecordSets" WARNING Action not allowed with tested creds action="route53:ChangeTagsForResource" WARNING Action not allowed with tested creds action="route53:GetChange" WARNING Action not allowed with tested creds action="route53:GetHostedZone" WARNING Action not allowed with tested creds action="route53:CreateHostedZone" WARNING Action not allowed with tested creds action="route53:DeleteHostedZone" WARNING Action not allowed with tested creds action="route53:ListHostedZones" WARNING Action not allowed with tested creds action="route53:ListHostedZonesByName" WARNING Action not allowed with tested creds action="route53:ListResourceRecordSets" WARNING Action not allowed with tested creds action="route53:ListTagsForResource" WARNING Action not allowed with tested creds action="route53:UpdateHostedZoneComment" WARNING Action not allowed with tested creds action="s3:CreateBucket" WARNING Action not allowed with tested creds action="s3:DeleteBucket" WARNING Action not allowed with tested creds action="s3:GetAccelerateConfiguration" WARNING Action not allowed with tested creds action="s3:GetBucketCors" WARNING Action not allowed with tested creds action="s3:GetBucketLocation" WARNING Action not allowed with tested creds action="s3:GetBucketLogging" WARNING Action not allowed with tested creds action="s3:GetBucketObjectLockConfiguration" WARNING Action not allowed with tested creds action="s3:GetBucketReplication" WARNING Action not allowed with tested creds action="s3:GetBucketRequestPayment" WARNING Action not allowed with tested creds action="s3:GetBucketTagging" WARNING Action not allowed with tested creds action="s3:GetBucketVersioning" WARNING Action not allowed with tested creds action="s3:GetBucketWebsite" WARNING Action not allowed with tested creds action="s3:GetEncryptionConfiguration" WARNING Action not allowed with tested creds action="s3:GetLifecycleConfiguration" WARNING Action not allowed with tested creds action="s3:GetReplicationConfiguration" WARNING Action not allowed with tested creds action="s3:ListBucket" WARNING Action not allowed with tested creds action="s3:PutBucketAcl" WARNING Action not allowed with tested creds action="s3:PutBucketTagging" WARNING Action not allowed with tested creds action="s3:PutEncryptionConfiguration" WARNING Action not allowed with tested creds action="s3:PutObject" WARNING Action not allowed with tested creds action="s3:PutObjectAcl" WARNING Action not allowed with tested creds action="s3:PutObjectTagging" WARNING Action not allowed with tested creds action="s3:GetObject" WARNING Action not allowed with tested creds action="s3:GetObjectAcl" WARNING Action not allowed with tested creds action="s3:GetObjectTagging" WARNING Action not allowed with tested creds action="s3:GetObjectVersion" WARNING Action not allowed with tested creds action="s3:DeleteObject" WARNING Action not allowed with tested creds action="autoscaling:DescribeAutoScalingGroups" WARNING Action not allowed with tested creds action="ec2:DeleteNetworkInterface" WARNING Action not allowed with tested creds action="ec2:DeleteVolume" WARNING Action not allowed with tested creds action="ec2:DeleteVpcEndpoints" WARNING Action not allowed with tested creds action="elasticloadbalancing:DescribeTargetGroups" WARNING Action not allowed with tested creds action="elasticloadbalancing:DeleteTargetGroup" WARNING Action not allowed with tested creds action="iam:ListInstanceProfiles" WARNING Action not allowed with tested creds action="iam:ListRolePolicies" WARNING Action not allowed with tested creds action="iam:ListUserPolicies" WARNING Action not allowed with tested creds action="tag:GetResources" Verified with 4.2.0-0.nightly-2019-09-11-012246 I review the whole pr which checks `SimulatePrincipalPolicy` from AWS. Thanks jdiaz's help. I do some basic test to make sure that this pr doesn't introduce any regression. Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2019:2922 |