This bug was initially created as a copy of Bug #1888464

I am copying this bug because:

Version: 4.5.8
Platform: AWS IPI (IBM Cloudpak for Security)

Background

Installing into an account that has an SCP enabled that gives false hits in the permission simulator, so they are disabling permission simulation by setting 'credentialMode: mint' in the install-config. *They are installing into an existing VPC.*

What happened?

FATAL failed to fetch Cluster: failed to generate asset "Cluster": AccessDeniedException: User: REDACTED is not authorized to perform: tag:TagResources status code: 400

and

DEBUG Search for and remove tags in us-east-1 matching kubernetes.io/cluster/cp4s1-prod-fj8nw: shared
INFO untag shared resources: AccessDeniedException: User: REDACTED is not authorized to perform: tag:UntagResources status code: 400

These permissions appear to be required when installing to an existing VPC, but they are not documented. I opened Bug 1888462 about that.

But also, they aren't defined as required in https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go#L30

That's what this bug is about. We're bypassing the simulator here, so I can't tell if the installer would have failed in the simulation phase. But surely those permissions should be listed in this map. (We use this map as the canonical source of truth for what permissions AWS accounts require!)

What did you expect to happen?

I expected the code and documentation to list tag:TagResources and tag:UntagResources as required (at least when installing into an existing VPC).

How to reproduce it (as minimally and precisely as possible)?

Install into an existing VPC with an account that doesn't have those permissions.
Verified. PASS.

version: 4.6.0-0.nightly-2020-12-16-201440

>> Test 1:

1. Create an IAM user with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "tag:UntagResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

2. Using the above new IAM user by default, create a cluster:

INFO Credentials loaded from the "denyuntag" profile in file "/home/cloud-user/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds action="tag:UnTagResources"
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation

>> Test 2:

1. Create an IAM user with the following policy:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Deny",
            "Action": [
                "tag:TagResources"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

2. Using the above new IAM user by default, create a cluster:

INFO Credentials loaded from the "denytag" profile in file "/home/cloud-user/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds action="tag:TagResources"
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
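The two verification policies above work because an explicit Deny on a single tag action overrides the blanket Allow. The following is an added example, not installer code, of a minimal identity-policy evaluator run against those same policies and a constructed "required actions" list (ec2:DescribeVpcs is a placeholder entry; Resource and Condition elements are ignored by assumption):

```python
import fnmatch

# Constructed required-action list standing in for the installer's permissions
# map; the two tag actions are the ones this bug asks to be added.
REQUIRED_ACTIONS = ["ec2:DescribeVpcs", "tag:TagResources", "tag:UntagResources"]


def deny_policy(action):
    """Constructed policy mirroring Test 1/Test 2: Deny one action, Allow the rest."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {"Sid": "VisualEditor0", "Effect": "Deny", "Action": [action], "Resource": "*"},
            {"Effect": "Allow", "Action": "*", "Resource": "*"},
        ],
    }


def _actions(stmt):
    # IAM accepts either a single string or a list for "Action".
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)


def is_allowed(policy, action):
    """Simplified IAM evaluation: a matching explicit Deny wins over any Allow,
    and with no matching Allow the result is an implicit deny. Action names are
    matched case-insensitively with IAM's '*' wildcard. Resource and Condition
    are ignored (assumption for this example)."""
    allowed = False
    for stmt in policy["Statement"]:
        for pattern in _actions(stmt):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                if stmt["Effect"] == "Deny":
                    return False
                allowed = True
    return allowed


def missing_permissions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant, in map order."""
    return [a for a in required if not is_allowed(policy, a)]


if __name__ == "__main__":
    for profile, act in (("denyuntag", "tag:UntagResources"), ("denytag", "tag:TagResources")):
        print(profile, "missing:", missing_permissions(deny_policy(act)))
```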
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.6.9 security and bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2020:5614