Document URL: https://docs.openshift.com/container-platform/4.5/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
Section Number and Name: Required AWS permissions
Describe the issue: There are required permissions that are missing:
tag:TagResources
tag:UntagResources
These permissions are only used when OpenShift is installed into an existing VPC. In that use case, the installer tags shared resources that it did not create. I don't know what other permissions are missing for this use case, but customers reported these two so far.
Suggestions for improvement:
Additional information: Security-focused customers follow this list *very closely* and it is extremely painful when this list is wrong.
Hey Greg! Thanks for filing this. As I understand it, these tags need to be placed under the "Required EC2 permissions for installation" section, is that right? I've created a pull request to resolve this: https://github.com/openshift/openshift-docs/pull/26714 Gaoyun Pei, please take a look. Thanks!
> these tags need to be placed under the "Required EC2 permissions for installation" section

That should work. I have one additional thought. These two permissions are only required for the (uncommon?) use case of installing into an existing VPC. Normally the installer doesn't need Tag/Untag because it creates resources and includes the tag in the resource definition (no need for Tag after the fact). When using an existing VPC, it must tag things it did not create. It might also make sense to create a new section "Required EC2 permissions for installation - Existing VPC Only" or something like that, and add these there. That way, it's clear that a user can safely exclude these two permissions if using the usual installer-creates-everything use case. What do you think?
Hey Greg! I'll be happy to add a new section! Just to confirm, should it be those two tags + the normal "Required EC2 permissions for installation"?
> Just to confirm, should it be those two tags + the normal "Required EC2 permissions for installation"?

Hm, I'm actually not sure. For the "Existing VPC" flow, I suspect a lot of the permissions we normally use aren't actually required. I must defer to an expert on the installer team.
One note: we are working on removing the TagResource API (replaced with the already listed CreateTag) in https://issues.redhat.com/browse/CORS-1580 in 4.7
I've spoken with Matthew Staebler in engineering and have confirmed that versions 4.3-4.6 will require both tag:TagResources and tag:UntagResources added to the existing "Required EC2 permissions for installation" section, while future releases will have just the tag:UntagResources moving forward. Both pull requests have been created:
4.6 and prior: https://github.com/openshift/openshift-docs/pull/27157
4.7+: https://github.com/openshift/openshift-docs/pull/27163
Gaoyun Pei, would you mind reviewing these again before merging? Thanks!
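Since customers audit the documented permission list closely, a small check against the IAM policy they actually attach to the installer identity is a useful complement. The following is an added example, not code from this thread, the OpenShift installer or Red Hat: it takes an IAM policy document, expands Action wildcards the way IAM matches them (case-insensitive, `*` and `?`), lets an explicit Deny win over Allow, and reports which of the existing-VPC tag permissions named above are not granted. The two release tracks and their required actions are taken from the comment above; the sample policies are constructed, and the function names are this example's own.

```python
import fnmatch
import json

# Extra permissions the thread says the installer needs when it installs into an
# existing VPC (it must tag shared resources it did not create). Per the comment
# above: 4.3-4.6 need both actions, 4.7+ only UntagResources.
REQUIRED_EXISTING_VPC_ACTIONS = {
    "4.3-4.6": ["tag:TagResources", "tag:UntagResources"],
    "4.7+": ["tag:UntagResources"],
}

# Constructed sample: EC2-only policy, as a customer following the pre-fix doc
# list might have written it. No tag:* actions at all.
SAMPLE_POLICY_EC2_ONLY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateTags", "ec2:DeleteTags",
                                   "ec2:Describe*"], "Resource": "*"}
  ]
}
""")

# Constructed sample: grants the tag service via a wildcard, so both actions pass.
SAMPLE_POLICY_TAG_WILDCARD = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:CreateTags", "TAG:*"], "Resource": "*"}
  ]
}
""")

# Constructed sample: wildcard Allow, but an explicit Deny removes TagResources.
SAMPLE_POLICY_TAG_DENIED = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "tag:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "tag:TagResources", "Resource": "*"}
  ]
}
""")


def _action_patterns(policy, effect):
    """Return every Action pattern from statements with the given Effect.

    Handles the IAM shorthand where Statement or Action is a single value
    instead of a list. NotAction statements are ignored here (assumption:
    installer policies are written as plain Allow/Deny Action lists).
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    patterns = []
    for stmt in statements:
        if stmt.get("Effect") != effect:
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        patterns.extend(actions)
    return patterns


def _matches(action, patterns):
    # IAM action names match case-insensitively; '*' and '?' are wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)


def action_granted(policy, action):
    """True if the policy allows the action and no statement explicitly denies it."""
    allowed = _matches(action, _action_patterns(policy, "Allow"))
    denied = _matches(action, _action_patterns(policy, "Deny"))
    return allowed and not denied


def missing_tag_permissions(policy, release_track="4.3-4.6"):
    """List the existing-VPC tag actions that this policy does not grant."""
    required = REQUIRED_EXISTING_VPC_ACTIONS[release_track]
    return [a for a in required if not action_granted(policy, a)]


if __name__ == "__main__":
    for name, policy in [("ec2-only", SAMPLE_POLICY_EC2_ONLY),
                         ("tag-wildcard", SAMPLE_POLICY_TAG_WILDCARD),
                         ("tag-denied", SAMPLE_POLICY_TAG_DENIED)]:
        for track in REQUIRED_EXISTING_VPC_ACTIONS:
            print(f"{name:13s} {track:8s} missing: {missing_tag_permissions(policy, track)}")
```

Run it against the policy JSON you actually attach (load it with `json.load` in place of the constructed samples); a non-empty list means the existing-VPC install will fail at the tagging step even though the rest of the documented EC2 list is present.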
Pull requests have been merged. I'm setting this to release pending until changes are live.
The requested changes are now live: https://docs.openshift.com/container-platform/4.5/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account I will be closing this bug as current release. Thanks for your input in helping us improve our documentation, Greg!