Bug 1801446 - AWS: Remove installer IAM permissions pre-check for UPI deployments
Summary: AWS: Remove installer IAM permissions pre-check for UPI deployments
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.3.0
Hardware: All
OS: All
Priority: high
Severity: high
Target Milestone: ---
Target Release: 4.3.z
Assignee: Patrick Dillon
QA Contact: Johnny Liu
URL:
Whiteboard:
Depends On: 1796347
Blocks:
Reported: 2020-02-10 21:35 UTC by Patrick Dillon
Modified: 2020-03-24 14:33 UTC
CC List: 5 users

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1796347
Environment:
Last Closed: 2020-03-24 14:33:06 UTC
Target Upstream Version:

Links
System | ID | Priority | Status | Summary | Last Updated
Github openshift installer | pull 3096 | None | closed | Bug 1801446: Move permissions check to cluster asset | 2020-05-19 10:36:25 UTC
Red Hat Product Errata | RHBA-2020:0858 | None | None | None | 2020-03-24 14:33:30 UTC

Comment 3 Johnny Liu 2020-03-10 02:34:07 UTC
Verified this bug with 4.3.0-0.nightly-2020-03-09-200240, and PASS.

Create an IAM user, and attach the following policy.
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        },
        {
            "Effect": "Deny",
            "Action": [
                "ec2:Create*",
                "ec2:Run*",
                "eks:Create*",
                "rds:Create*",
                "es:Create*",
                "lambda:Create*"
            ],
            "Resource": [
                "*"
            ],
            "Condition": {
                "StringNotEquals": {
                    "aws:RequestedRegion": "us-east-1"
                }
            }
        }
    ]
}

[root@preserve-jialiu-ansible ~]# openshift-install version
openshift-install 4.3.0-0.nightly-2020-03-09-200240
built from commit 3b4f0d436bf5247803395e146d4cd2ff9665fde8
release image registry.svc.ci.openshift.org/ocp/release@sha256:e76667eb92d91d60fdc661bf88d6d15df528d417e5e11bd09244489d0aebf38d

Try to create cluster in us-east-2 region.

[root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo1
INFO Consuming Install Config from target directory 
[root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo1
INFO Consuming Worker Ignition Config from target directory 
INFO Consuming Bootstrap Ignition Config from target directory 
INFO Consuming Master Ignition Config from target directory 
WARNING Action not allowed with tested creds          action="ec2:CreateNetworkInterface"
WARNING Action not allowed with tested creds          action="ec2:CreateSecurityGroup"
WARNING Action not allowed with tested creds          action="ec2:CreateTags"
WARNING Action not allowed with tested creds          action="ec2:CreateVolume"
WARNING Action not allowed with tested creds          action="ec2:RunInstances"
WARNING Action not allowed with tested creds          action="ec2:CreateDhcpOptions"
WARNING Action not allowed with tested creds          action="ec2:CreateInternetGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateNatGateway"
WARNING Action not allowed with tested creds          action="ec2:CreateRoute"
WARNING Action not allowed with tested creds          action="ec2:CreateRouteTable"
WARNING Action not allowed with tested creds          action="ec2:CreateSubnet"
WARNING Action not allowed with tested creds          action="ec2:CreateVpc"
WARNING Action not allowed with tested creds          action="ec2:CreateVpcEndpoint"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
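
The verification above hinges on the explicit Deny with a StringNotEquals condition on aws:RequestedRegion overriding the blanket Allow, which is why the installer's permissions check (now run only by the cluster asset, so the UPI `create ignition-configs` step no longer trips it) reports the ec2:Create*/ec2:RunInstances actions as not allowed in us-east-2 but would pass in us-east-1. The following is an added example, not code from the bug or from the installer: a minimal local IAM policy evaluator that replays that decision over the policy and the warned actions from the comment, assuming only the operators this policy uses.

```python
import fnmatch
# Constructed copy of the IAM policy from the verification comment above: a
# blanket Allow plus an explicit Deny of Create*/Run* outside us-east-1.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Resource": ["*"],
         "Action": ["ec2:Create*", "ec2:Run*", "eks:Create*", "rds:Create*",
                    "es:Create*", "lambda:Create*"],
         "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-1"}}},
    ],
}

# The actions the installer reported as "not allowed with tested creds" above.
INSTALLER_ACTIONS = ["ec2:" + a for a in (
    "CreateNetworkInterface CreateSecurityGroup CreateTags CreateVolume "
    "RunInstances CreateDhcpOptions CreateInternetGateway CreateNatGateway "
    "CreateRoute CreateRouteTable CreateSubnet CreateVpc CreateVpcEndpoint").split()]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _condition_matches(condition, context):
    # Only StringNotEquals is implemented, which is all this policy uses.
    for operator, pairs in (condition or {}).items():
        if operator != "StringNotEquals":
            raise NotImplementedError(operator)
        if any(context.get(k) in _as_list(v) for k, v in pairs.items()):
            return False
    return True

def is_allowed(policy, action, context):
    # Simplified IAM logic: an applicable explicit Deny beats any Allow.
    allowed = False
    for stmt in policy["Statement"]:
        if not any(fnmatch.fnmatchcase(action.lower(), p.lower())
                   for p in _as_list(stmt["Action"])):
            continue
        if not _condition_matches(stmt.get("Condition"), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_actions(policy, actions, region):
    # Actions the policy would deny for a request made in `region`.
    return [a for a in actions if not is_allowed(policy, a, {"aws:RequestedRegion": region})]
```

Running `missing_actions(POLICY, INSTALLER_ACTIONS, "us-east-2")` returns all thirteen warned actions, while the same call for "us-east-1" returns an empty list.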

Comment 5 errata-xmlrpc 2020-03-24 14:33:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2020:0858
