A follow-up openshift/installer PR is necessary to fix this; moving back to ASSIGNED.
Verified this bug with 4.2.0-0.nightly-2020-02-20-184122, and passed.

Create IAM policy like the following:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "*",
                "Resource": "*"
            },
            {
                "Effect": "Deny",
                "Action": [
                    "ec2:Create*",
                    "ec2:Run*",
                    "eks:Create*",
                    "rds:Create*",
                    "es:Create*",
                    "lambda:Create*"
                ],
                "Resource": [
                    "*"
                ],
                "Condition": {
                    "StringNotEquals": {
                        "aws:RequestedRegion": "us-east-2"
                    }
                }
            }
        ]
    }

Create an AWS user, attach it to the user, and run the following test using this user.

Reproduce it using old version of installer:

    [root@preserve-jialiu-ansible ~]# openshift-install version
    openshift-install v4.2.0
    built from commit 90ccb37ac1f85ae811c50a29f9bb7e779c5045fb
    release image quay.io/openshift-release-dev/ocp-release@sha256:c5337afd85b94c93ec513f21c8545e3f9e36a227f55d41bc1dfb8fcc3f2be129
    [root@preserve-jialiu-ansible ~]# mkdir demo6
    [root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
    [root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
    INFO Consuming "Install Config" from target directory
    WARNING Action not allowed with tested creds action="ec2:CreateDhcpOptions"
    WARNING Action not allowed with tested creds action="ec2:CreateInternetGateway"
    WARNING Action not allowed with tested creds action="ec2:CreateNatGateway"
    WARNING Action not allowed with tested creds action="ec2:CreateNetworkInterface"
    WARNING Action not allowed with tested creds action="ec2:CreateRoute"
    WARNING Action not allowed with tested creds action="ec2:CreateRouteTable"
    WARNING Action not allowed with tested creds action="ec2:CreateSecurityGroup"
    WARNING Action not allowed with tested creds action="ec2:CreateSubnet"
    WARNING Action not allowed with tested creds action="ec2:CreateTags"
    WARNING Action not allowed with tested creds action="ec2:CreateVpc"
    WARNING Action not allowed with tested creds action="ec2:CreateVpcEndpoint"
    WARNING Action not allowed with tested creds action="ec2:CreateVolume"
    WARNING Action not allowed with tested creds action="ec2:RunInstances"
    WARNING Tested creds not able to perform all requested actions
    FATAL failed to fetch Bootstrap Ignition Config: failed to fetch dependency of "Bootstrap Ignition Config": failed to fetch dependency of "Master Machines": failed to generate asset "Platform Credentials Check": validate AWS credentials: current credentials insufficient for performing cluster installation

Update installer from 4.2.0-0.nightly-2020-02-20-184122, verify it.

    [root@preserve-jialiu-ansible ~]# openshift-install version
    openshift-install v4.2.20
    built from commit 8465c322cdd805ed5e43c3fc52a485ca63d305c7
    release image registry.svc.ci.openshift.org/ocp/release@sha256:3c2170d5407ef21f03cae2e44cdca590151d49f11242a5e1c05595c583fb4bb8
    [root@preserve-jialiu-ansible ~]# rm -rf demo6
    [root@preserve-jialiu-ansible ~]# mkdir demo6
    [root@preserve-jialiu-ansible ~]# cp ipi_template/install-config.yaml.aws demo6/install-config.yaml
    [root@preserve-jialiu-ansible ~]# openshift-install create ignition-configs --dir demo6
    INFO Consuming "Install Config" from target directory
    [root@preserve-jialiu-ansible ~]# openshift-install create cluster --dir demo6
    INFO Consuming "Worker Ignition Config" from target directory
    INFO Consuming "Bootstrap Ignition Config" from target directory
    INFO Consuming "Master Ignition Config" from target directory
    INFO Creating infrastructure resources...
    INFO Waiting up to 30m0s for the Kubernetes API at https://api.jialiu.qe.devcluster.openshift.com:6443...
    INFO API v1.14.6+999bb21 up
    INFO Waiting up to 30m0s for bootstrapping to complete...
    INFO Destroying the bootstrap resources...
    INFO Waiting up to 30m0s for the cluster at https://api.jialiu.qe.devcluster.openshift.com:6443 to initialize...
    INFO Waiting up to 10m0s for the openshift-console route to be created...
    INFO Install complete!
    INFO To access the cluster as the system:admin user when using 'oc', run 'export KUBECONFIG=/root/demo6/auth/kubeconfig'
    INFO Access the OpenShift web-console here: https://console-openshift-console.apps.jialiu.qe.devcluster.openshift.com
    INFO Login to the console with user: kubeadmin, password: fRRpr-nnYTM-dwJiC-vomBf
    [root@preserve-jialiu-ansible ~]# export KUBECONFIG=/root/demo6/auth/kubeconfig
    [root@preserve-jialiu-ansible ~]# oc get node
    NAME                                         STATUS   ROLES    AGE   VERSION
    ip-10-0-130-206.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
    ip-10-0-135-165.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
    ip-10-0-144-61.us-east-2.compute.internal    Ready    master   38m   v1.14.6+47933cbcc
    ip-10-0-154-38.us-east-2.compute.internal    Ready    worker   32m   v1.14.6+47933cbcc
    ip-10-0-170-189.us-east-2.compute.internal   Ready    master   38m   v1.14.6+47933cbcc
    ip-10-0-174-182.us-east-2.compute.internal   Ready    worker   32m   v1.14.6+47933cbcc
    [root@preserve-jialiu-ansible ~]# oc get co
    NAME                                       VERSION                             AVAILABLE   PROGRESSING   DEGRADED   SINCE
    authentication                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      22m
    cloud-credential                           4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    cluster-autoscaler                         4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
    console                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      26m
    dns                                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    image-registry                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      28m
    ingress                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
    insights                                   4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    kube-apiserver                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
    kube-controller-manager                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
    kube-scheduler                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
    machine-api                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    machine-config                             4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    marketplace                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
    monitoring                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      27m
    network                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
    node-tuning                                4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
    openshift-apiserver                        4.2.0-0.nightly-2020-02-20-184122   True        False         False      31m
    openshift-controller-manager               4.2.0-0.nightly-2020-02-20-184122   True        False         False      34m
    openshift-samples                          4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
    operator-lifecycle-manager                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
    operator-lifecycle-manager-catalog         4.2.0-0.nightly-2020-02-20-184122   True        False         False      35m
    operator-lifecycle-manager-packageserver   4.2.0-0.nightly-2020-02-20-184122   True        False         False      33m
    service-ca                                 4.2.0-0.nightly-2020-02-20-184122   True        False         False      36m
    service-catalog-apiserver                  4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
    service-catalog-controller-manager         4.2.0-0.nightly-2020-02-20-184122   True        False         False      32m
    storage                                    4.2.0-0.nightly-2020-02-20-184122   True        False         False      29m
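
Added example, not part of the bug comments or of the installer's code: a minimal Python evaluator for the IAM policy in the verification comment above, showing how its Deny statement treats a request in us-east-2, a request in another region, and a request whose context carries no aws:RequestedRegion (negated operators such as StringNotEquals match when the key is absent). The function names are hypothetical, only StringNotEquals is modelled, and Resource matching is omitted because every Resource in the policy is "*".

```python
import fnmatch

# The policy from the comment above, transcribed as a Python dict.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {
            "Effect": "Deny",
            "Action": ["ec2:Create*", "ec2:Run*", "eks:Create*",
                       "rds:Create*", "es:Create*", "lambda:Create*"],
            "Resource": ["*"],
            "Condition": {"StringNotEquals": {"aws:RequestedRegion": "us-east-2"}},
        },
    ],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _action_matches(patterns, action):
    # IAM action names are case-insensitive and may contain '*' wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower())
               for p in _as_list(patterns))

def _condition_holds(condition, context):
    for operator, pairs in condition.items():
        if operator != "StringNotEquals":
            raise ValueError("operator not modelled: " + operator)
        for key, wanted in pairs.items():
            # A negated operator is true when the key is absent from the
            # request context, so only a present, equal value fails it.
            if key in context and context[key] in _as_list(wanted):
                return False
    return True

def evaluate(policy, action, context):
    """Return 'Deny' (explicit deny), 'Allow', or 'ImplicitDeny'."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _action_matches(stmt["Action"], action):
            continue
        if not _condition_holds(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return "Deny"  # an explicit deny overrides any allow
        allowed = True
    return "Allow" if allowed else "ImplicitDeny"
```

When checking credentials against a region-scoped deny like this one, include the target region in the evaluation context; without it the check reports ec2:Create* and ec2:Run* as denied even for the permitted region.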
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory, and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHBA-2020:0614