Version: 4.5.8
Platform: AWS IPI (IBM Cloudpak for Security)

Background

Installing into an account that has an SCP enabled that gives false hits in the permission simulator, so they are disabling permission simulation by setting 'credentialMode: mint' in the install-config. *They are installing into an existing VPC.*

What happened?

    FATAL failed to fetch Cluster: failed to generate asset "Cluster": AccessDeniedException: User: REDACTED is not authorized to perform: tag:TagResources status code: 400

and

    DEBUG Search for and remove tags in us-east-1 matching kubernetes.io/cluster/cp4s1-prod-fj8nw: shared
    INFO untag shared resources: AccessDeniedException: User: REDACTED is not authorized to perform: tag:UntagResources status code: 400

These permissions appear to be required when installing to an existing VPC, but they are not documented. I opened Bug 1888462 about that.

But also, they aren't defined as required in https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L30

That's what this bug is about. We're bypassing the simulator here, so I can't tell if the installer would have failed in the simulation phase. But surely those permissions should be listed in this map. (We use this map as the canonical source of truth for what permissions AWS accounts require!)

What did you expect to happen?

I expected the code and documentation to list tag:TagResources and tag:UntagResources as required (at least when installing into an existing VPC).

How to reproduce it (as minimally and precisely as possible)?

Install into an existing VPC with an account that doesn't have those permissions.
4.7 PR is up, but may not merge in this sprint. Adding UpcomingSprint. Need to clone this bug and create a new PR for 4.6 (implementation will be slightly different) and cherry pick to previous branches.
verified. PASS.

version: 4.7.0-0.nightly-2020-11-22-204912

>> Test 1:

1. create IAM user with following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "tag:UntagResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

2. Using above new IAM user by default, create cluster:

    time="2020-11-23T08:49:44Z" level=warning msg="Action not allowed with tested creds" action="tag:UnTagResources"
    time="2020-11-23T08:49:44Z" level=warning msg="Tested creds not able to perform all requested actions"
    time="2020-11-23T08:49:44Z" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials: current credentials insufficient for performing cluster installation"

>> Test 2:

1. create IAM user with following policy:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "VisualEditor0",
          "Effect": "Deny",
          "Action": [
            "tag:TagResources"
          ],
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": "*",
          "Resource": "*"
        }
      ]
    }

2. Using above new IAM user by default,
   a) create cluster successfully,
   b) tag 'shared' are added to/removed from subnets successfully.
   c) destroy cluster successfully.
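An added offline check, not part of this bug report or of the installer's own permissions.go map, that evaluates an IAM policy document against the two tag actions this thread is about, so an operator can see the gap before bypassing the simulator with credentialMode: mint. It uses the Test 1 policy above as constructed input; evaluate_action and missing_tag_permissions are hypothetical names, and NotAction, Resource and Condition elements are deliberately not modelled.

```python
import fnmatch
import json

# The tag actions the reporter found an existing-VPC install needs
# (assumed list for this check, not the installer's own map).
REQUIRED_TAG_ACTIONS = ["tag:TagResources", "tag:UntagResources"]

# Constructed sample: the Test 1 policy from the verification comment,
# an explicit Deny on tag:UntagResources layered over Allow "*".
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny",
         "Action": ["tag:UntagResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
    ],
})


def _as_list(value):
    # IAM allows a single string or a list for Statement and Action.
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM matches action names case-insensitively and honours '*' and '?',
    # which is why the installer's "tag:UnTagResources" still hits the Deny.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate_action(policy_doc, action):
    """Return 'deny', 'allow' or 'implicit-deny' for one action.

    Only Effect and Action are considered; an explicit Deny on a matching
    statement wins over any Allow, as in IAM's evaluation logic.
    """
    allowed = False
    for stmt in _as_list(json.loads(policy_doc)["Statement"]):
        patterns = _as_list(stmt.get("Action", []))
        if not any(_action_matches(p, action) for p in patterns):
            continue
        if stmt["Effect"] == "Deny":
            return "deny"
        allowed = True
    return "allow" if allowed else "implicit-deny"


def missing_tag_permissions(policy_doc, required=REQUIRED_TAG_ACTIONS):
    """Required tag actions the policy does not explicitly allow."""
    return [a for a in required if evaluate_action(policy_doc, a) != "allow"]


if __name__ == "__main__":
    print(missing_tag_permissions(SAMPLE_POLICY))  # ['tag:UntagResources']
```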
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5633