Bug 1888464 - installer missing permission definitions for TagResources and UntagResources when installing in existing VPC
Summary: installer missing permission definitions for TagResources and UntagResources ...
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.5
Hardware: Unspecified
OS: Unspecified
Severity: high
Priority: high
Target Milestone: ---
Target Release: 4.7.0
Assignee: Patrick Dillon
QA Contact: Yunfei Jiang
URL:
Whiteboard:
Depends On:
Blocks: 1898172
 
Reported: 2020-10-14 22:06 UTC by Greg Sheremeta
Modified: 2021-02-24 15:26 UTC
CC: 6 users

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: installer did not check to ensure AWS accounts had UnTagResources permissions when creating a cluster with shared resources.
Consequence: when destroying a cluster the installer may not have permission to delete tags added to the pre-existing network.
Fix: add permission check for untag resources when creating cluster with shared network resources.
Result: when users create a cluster using shared resources the installer checks to ensure the account has proper permissions.
Clone Of:
Environment:
Last Closed: 2021-02-24 15:26:11 UTC
Target Upstream Version:
Embargoed:

Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift installer | pull 4371 | 0 | None | closed | Bug 1888464: add tag:UnTagResource perm for aws shared networks | 2021-02-17 16:27:23 UTC
Red Hat Bugzilla | 1888462 | 0 | low | CLOSED | TagResources and UntagResources required permissions are missing from the documentation | 2021-02-22 00:41:40 UTC
Red Hat Product Errata | RHSA-2020:5633 | 0 | None | None | None | 2021-02-24 15:26:40 UTC

Description Greg Sheremeta 2020-10-14 22:06:58 UTC
Version: 4.5.8

Platform: AWS

IPI (IBM Cloudpak for Security)

Background

Installing into an account that has an SCP enabled that gives false hits in the permission simulator, so they are disabling permission simulation by setting 'credentialMode: mint' in the install-config.

*They are installing into an existing VPC.*

What happened?

FATAL failed to fetch Cluster: failed to generate asset “Cluster”: AccessDeniedException: User: REDACTED  is not authorized to perform: tag:TagResources
status code: 400

and

DEBUG Search for and remove tags in us-east-1 matching kubernetes.io/cluster/cp4s1-prod-fj8nw: shared
INFO untag shared resources: AccessDeniedException: User: REDACTED is not authorized to perform: tag:UntagResources
status code: 400

These permissions appear to be required when installing to an existing VPC, but they are not documented. I opened Bug 1888462 about that.

But also, they aren't defined as required in https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L30

That's what this bug is about. We're bypassing the simulator here, so I can't tell if the installer would have failed in the simulation phase. But surely those permissions should be listed in this map. (We use this map as the canonical source of truth for what permissions AWS accounts require!)

What did you expect to happen?

I expected the code and documentation to list tag:TagResources and tag:UntagResources as required (at least when installing into an existing VPC)

How to reproduce it (as minimally and precisely as possible)?

Install into an existing VPC with an account that doesn't have those permissions

Comment 9 Patrick Dillon 2020-11-13 01:28:50 UTC
4.7 PR is up, but may not merge in this sprint. Adding UpcomingSprint.

Need to clone this bug and create a new PR for 4.6 (implementation will be slightly different) and cherry pick to previous branches.

Comment 11 Yunfei Jiang 2020-11-24 01:34:35 UTC
verified. PASS.
version: 4.7.0-0.nightly-2020-11-22-204912


>> Test 1:
1. create IAM user with following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "tag:UntagResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

2. Using above new IAM user by default, create cluster:
time="2020-11-23T08:49:44Z" level=warning msg="Action not allowed with tested creds" action="tag:UnTagResources"
time="2020-11-23T08:49:44Z" level=warning msg="Tested creds not able to perform all requested actions"
time="2020-11-23T08:49:44Z" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials: current credentials insufficient for performing cluster installation"

>> Test 2:
1. create IAM user with following policy:
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "tag:TagResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

2. Using the above new IAM user by default: a) create cluster successfully; b) tag 'shared' is added to/removed from subnets successfully; c) destroy cluster successfully.
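The two verification policies above rely on an explicit Deny statement overriding the blanket Allow "*", and the installer's warning in Test 1 spells the action as tag:UnTagResources while the AWS action name is tag:UntagResources. The script below is an added example, not code from the openshift/installer repository or from the QE run: it is a small local IAM policy evaluator (Action/Effect only, Resource "*" assumed, no NotAction or Condition handling) that replays the Test 1 and Test 2 policies against the two tag actions this bug is about and reports which required actions would fail, in the spirit of the installer's "Action not allowed with tested creds" warning. The policy JSON is copied from the comment; the required-action list and all function names are assumptions made for this example, and the list is deliberately limited to the two actions the report names rather than the full permissions.go map.

```python
"""Local check of the Test 1 / Test 2 IAM policies against the tag actions
this bug concerns. Example code added to this bug page; it is not the
installer's permission check (which calls iam:SimulatePrincipalPolicy).

Simplifications (assumptions of this example): only Action/Effect are
evaluated, Resource is treated as "*", NotAction and Condition are ignored.
"""
import fnmatch
import json

# Subset of the installer's required permissions for an existing-VPC install,
# limited to the two actions named in this bug (assumption for the example).
SHARED_VPC_TAG_ACTIONS = ["tag:TagResources", "tag:UntagResources"]

# Policies copied verbatim from Test 1 and Test 2 above.
TEST1_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny",
         "Action": ["tag:UntagResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
}""")

TEST2_POLICY = json.loads("""{
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Deny",
         "Action": ["tag:TagResources"], "Resource": "*"},
        {"Effect": "Allow", "Action": "*", "Resource": "*"}
    ]
}""")


def _as_list(value):
    """IAM allows Action to be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are matched case-insensitively and support * and ? wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def evaluate(policy, action):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one action.

    Mirrors IAM evaluation order: any matching Deny wins regardless of
    statement order; otherwise a matching Allow grants; otherwise implicit deny.
    """
    allowed = False
    for stmt in policy.get("Statement", []):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "explicitDeny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allowed" if allowed else "implicitDeny"


def missing_actions(policy, required):
    """Required actions the policy does not allow (explicit or implicit deny)."""
    return [a for a in required if evaluate(policy, a) != "allowed"]


def report(name, policy, required=SHARED_VPC_TAG_ACTIONS):
    """Print an installer-style warning per missing action; return the missing list."""
    missing = missing_actions(policy, required)
    for action in missing:
        print(f'{name}: level=warning msg="Action not allowed with tested creds" action="{action}"')
    if missing:
        print(f'{name}: level=warning msg="Tested creds not able to perform all requested actions"')
    else:
        print(f"{name}: all required actions allowed")
    return missing


if __name__ == "__main__":
    report("Test 1", TEST1_POLICY)
    report("Test 2", TEST2_POLICY)
    # The installer's spelling and the AWS action name evaluate identically.
    print("tag:UnTagResources under Test 1 ->", evaluate(TEST1_POLICY, "tag:UnTagResources"))
```

Run it as a script to see the Test 1 policy fail on tag:UntagResources and the Test 2 policy fail on tag:TagResources; the last line shows that the installer's mixed-case spelling denies the same action, which is why the log in Test 1 and the AWS error in the description refer to the same permission. Against a real account the installer's check uses iam:SimulatePrincipalPolicy, which also evaluates SCPs and resource constraints that this local evaluator does not model.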

Comment 14 errata-xmlrpc 2021-02-24 15:26:11 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.0 security, bug fix, and enhancement update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2020:5633

