Bug 1757208 - Missing permissions from credentials check on AWS
Summary: Missing permissions from credentials check on AWS
Keywords:
Status: CLOSED NOTABUG
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.2.0
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.3.0
Assignee: Devan Goodwin
QA Contact: Oleg Nesterov
URL:
Whiteboard:
Depends On: 1729362
Blocks:
Reported: 2019-09-30 20:23 UTC by Abhinav Dahiya
Modified: 2019-09-30 20:24 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1729362
Environment:
Last Closed: 2019-09-30 20:24:21 UTC
Target Upstream Version:
Embargoed:



Description Abhinav Dahiya 2019-09-30 20:23:11 UTC
The installer vendors the lib from cred-minter and Joel had a solution to fix this.

+++ This bug was initially created as a clone of Bug #1729362 +++

Description of problem:

Using a restricted IAM policy for a user and using that to install the cluster:

```
INFO Consuming "Install Config" from target directory 
INFO Creating infrastructure resources...         
ERROR                                              
ERROR Error: Error applying plan:                  
ERROR                                              
ERROR 3 errors occurred:                           
ERROR 	* module.masters.aws_network_interface.master[1]: 1 error occurred: 
ERROR 	* aws_network_interface.master.1: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: 9b772002-65ad-4642-86f3-4d314dcfa2e5 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[2]: 1 error occurred: 
ERROR 	* aws_network_interface.master.2: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: a7b74671-95a0-42fa-a497-fc4966222ebe 
ERROR                                              
ERROR                                              
ERROR 	* module.masters.aws_network_interface.master[0]: 1 error occurred: 
ERROR 	* aws_network_interface.master.0: Error creating ENI: UnauthorizedOperation: You are not authorized to perform this operation. 
ERROR 	status code: 403, request id: ef03e929-d2c0-489e-ba4b-de28beb31b8f 
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR                                              
ERROR Terraform does not automatically rollback in the face of errors. 
ERROR Instead, your Terraform state file has been partially updated with 
ERROR any resources that successfully completed. Please address the error 
ERROR above and apply again to incrementally change your infrastructure. 
ERROR                                              
ERROR                                              
FATAL failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed to apply using Terraform
```

The installer should add `"ec2:AttachNetworkInterface"` and `"ec2:CreateNetworkInterface"` to the permissions that should be checked.

The original report: https://github.com/openshift/openshift-docs/issues/15376#issuecomment-510320028

--- Additional comment from W. Trevor King on 2019-08-13 20:34:45 UTC ---

I think we want something like https://github.com/openshift/installer/pull/1752 to help maintain that list (at least on AWS).
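The pre-flight check the report asks for, as an added example in Go (not the installer's or cred-minter's code): it evaluates a constructed restricted IAM policy against the actions a run needs and returns the ones that would fail, including the two ENI actions above. Function names and the sample policy are this example's own, and only `Effect` and `Action` are considered (no `Resource`, `Condition` or `NotAction`).

```go
package main
import (
	"encoding/json"
	"path"
	"strings"
)
// One IAM policy statement. Action is kept as a list in this constructed
// sample; real policies may also carry it as a bare string.
type statement struct {
	Effect string   `json:"Effect"`
	Action []string `json:"Action"`
}
// actionAllowed follows IAM evaluation order: an explicit Deny wins, otherwise a
// matching Allow grants the action, otherwise it is implicitly denied. Patterns
// match case-insensitively with * and ? (path.Match is safe: no '/' in actions).
func actionAllowed(stmts []statement, action string) bool {
	allowed := false
	for _, s := range stmts {
		for _, pat := range s.Action {
			if ok, _ := path.Match(strings.ToLower(pat), strings.ToLower(action)); ok {
				if strings.EqualFold(s.Effect, "Deny") {
					return false
				}
				allowed = true
			}
		}
	}
	return allowed
}
// missingActions is the pre-flight check: every required action the policy
// does not grant is returned, so the install can stop before Terraform runs.
func missingActions(policyJSON string, required []string) ([]string, error) {
	var p struct {
		Statement []statement `json:"Statement"`
	}
	if err := json.Unmarshal([]byte(policyJSON), &p); err != nil {
		return nil, err
	}
	missing := []string{}
	for _, a := range required {
		if !actionAllowed(p.Statement, a) {
			missing = append(missing, a)
		}
	}
	return missing, nil
}
// Constructed restricted policy: describe/run actions are allowed, but not the
// two ENI actions named in the report, which is what produced the 403 above.
const restrictedPolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
"Action":["ec2:Describe*","ec2:RunInstances","ec2:CreateSecurityGroup"]}]}`
```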

Comment 1 Abhinav Dahiya 2019-09-30 20:24:21 UTC
Oops, cloned the wrong bug.
