Document URL: https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
Section Number and Name: Required AWS permissions
Describe the issue: When a private cluster is deployed over AWS using existing resources such as a VPC, subnets, etc., the OpenShift tag (such as "kubernetes.io/cluster/aygarg-lkcdg: shared") gets added to the existing subnets. At the time of cluster destroy, this tag remains on the subnets instead of being removed.
Suggestions for improvement: Add the following permission to the documentation so the installer can remove the tag: "ec2:DeleteTags"
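As an added illustration of the report above (not code from the bug or from the OpenShift installer), the following script shows what the installer has to do at destroy time: find the `kubernetes.io/cluster/<infra-id>` tag left on pre-existing subnets and issue an EC2 DeleteTags request for it, which is exactly the call that needs `ec2:DeleteTags`. The subnet records are constructed in the shape `describe_subnets()` returns, and the IAM statement is an assumed minimal grant, not text from the documentation.

```python
# Added example, not from the bug report or the installer. Audits subnets for
# leftover OpenShift cluster tags and builds the ec2:DeleteTags request the
# installer needs permission for. Subnet data below is constructed, in the
# shape boto3's ec2.describe_subnets() returns.

CLUSTER_TAG_PREFIX = "kubernetes.io/cluster/"

# Constructed sample: the first subnet still carries the tag from the report's
# example cluster (infra ID aygarg-lkcdg); the second belongs to another cluster.
SAMPLE_SUBNETS = [
    {"SubnetId": "subnet-0aaa0000000000001",
     "Tags": [{"Key": "Name", "Value": "private-a"},
              {"Key": "kubernetes.io/cluster/aygarg-lkcdg", "Value": "shared"}]},
    {"SubnetId": "subnet-0bbb0000000000002",
     "Tags": [{"Key": "kubernetes.io/cluster/other-abcde", "Value": "shared"}]},
]


def stale_cluster_tags(subnets, infra_id):
    """Return {subnet_id: [tag keys]} for tags left behind by the given cluster."""
    key = CLUSTER_TAG_PREFIX + infra_id
    stale = {}
    for subnet in subnets:
        keys = [t["Key"] for t in subnet.get("Tags", []) if t["Key"] == key]
        if keys:
            stale[subnet["SubnetId"]] = keys
    return stale


def delete_tags_request(stale):
    """Build kwargs for boto3 ec2.delete_tags(Resources=..., Tags=...).
    Omitting "Value" removes the key regardless of its current value."""
    resources = sorted(stale)
    keys = sorted({k for ks in stale.values() for k in ks})
    return {"Resources": resources, "Tags": [{"Key": k} for k in keys]}


def delete_tags_policy_statement():
    """Assumed minimal IAM statement: allow removing only cluster tag keys."""
    return {
        "Effect": "Allow",
        "Action": "ec2:DeleteTags",
        "Resource": "*",
        "Condition": {"ForAllValues:StringLike":
                      {"aws:TagKeys": [CLUSTER_TAG_PREFIX + "*"]}},
    }


if __name__ == "__main__":
    leftover = stale_cluster_tags(SAMPLE_SUBNETS, "aygarg-lkcdg")
    print("stale tags:", leftover)
    print("delete_tags kwargs:", delete_tags_request(leftover))
    print("policy statement:", delete_tags_policy_statement())
```

Running the audit after `openshift-install destroy cluster` with an empty result is a cheap check that the permission was in place; a non-empty result is the symptom the report describes.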
https://github.com/openshift/openshift-docs/pull/31323
Added the following permission to the table of AWS permissions: "ec2:DeleteTags"
Find preview at https://deploy-preview-31323--osdocs.netlify.app/openshift-enterprise/latest/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
Matthew (Staebler): My change to the table at the URL is to add "ec2:DeleteTags". No other change was made to this title. I wanted to ask you, please, to verify that the permission is correct (correct name and form) and that the table looks good. The original BZ asked for the addition of this permission to the table; that's the only change I have made. This issue was hit by a customer, Blue Cross and Blue Shield of NC, so it's also a priority supportability issue. Thank you! James Brigman
Yunfei Jiang - your QA review is desired, please sir: My change to the table at the URL is to add "ec2:DeleteTags". No other change was made to this title. I wanted to ask you, please, to verify that the permission is correct (correct name and form) and that the table looks good. The original BZ asked for the addition of this permission to the table; that's the only change I have made. This issue was hit by a customer, Blue Cross and Blue Shield of NC, so it's also a priority supportability issue. Thank you! James Brigman
Thank you Matthew and Yunfei for your review! Posting changes for merge.
Find the preview at: https://deploy-preview-31323--osdocs.netlify.app/openshift-enterprise/latest/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
On the chart "Required AWS permissions", see that "ec2:DeleteTags" has been added between "ec2:DeleteSnapshot" and "ec2:DeregisterImage".
Thanks James, the changes LGTM, but I have some questions; please see my comment in https://github.com/openshift/openshift-docs/pull/31323#issuecomment-81551572
I will set this bug to VERIFIED when:
1. PR 31323 gets merged.
2. The related bug gets verified (for 4.8, it's bug 1926547).
Hello Yunfei; your questions are excellent, sir. The answers are: PR 31323 is merged, this fix is applied to the documentation for 4.5, 4.6, 4.7 and 4.8, and Matthew Staebler is looking at BZ1926547. THANK YOU for your help on this Yunfei! Please mark as VERIFIED if you are confident. James
Thanks James, but per Matthew's note [1], it looks like 4.5 is not in the list; please confirm, thanks.
[1] https://github.com/openshift/openshift-docs/pull/31323#issuecomment-815849445
Hello Yunfei - I've reached out to Matthew (via direct email) to confirm:

James Brigman <jbrigman>, 5:25 PM, to Matthew
Hello Matthew; I need to touch base with you directly about PR 31323, please. I've not closed my doc bug on this issue yet (BZ1926543) because QE (Yunfei Jiang) believes the edit to the docs (adding "ec2:DeleteTags") must NOT be applied to the OpenShift 4.5 documentation. Well, I've already added "ec2:DeleteTags" to the 4.5 documentation. My question is, that's an ec2 permission that OpenShift needs to express to AWS. Why wouldn't it be needed in 4.5 as well as all versions afterward? I'd love to close this case yesterday, but I can't in good conscience without getting it right. Your kind input requested; James Brigman, Tech Writer - OpenShift
(In reply to Yunfei Jiang from comment #9)
> Thanks James, but per Matthew's note [1], looks like 4.5 is not in the list,
> please confirm, thanks.
>
> [1]
> https://github.com/openshift/openshift-docs/pull/31323#issuecomment-815849445

Yunfei, I think we are conflating things here. There are two issues at play. The first is that the installer does not verify that the user has the "ec2:DeleteTags" permission. The second is that the documentation does not indicate that the user needs the "ec2:DeleteTags" permission. Regardless of whether there are any changes to address the first issue, the second issue should be addressed. This BZ is concerned solely with the second issue. In my opinion, the docs changes should be made as far back as they can be, independently of whether the installer changes are made.
Thanks Matthew, it's clear to me now. James, since PR 31323 got merged, I'm setting the status to VERIFIED now, thanks.
Closing this BZ. PR 31323 is closed.
Example document link: https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
"ec2:DeleteTags" has been added to the table "Required AWS permissions" in 4.5, 4.6, 4.7 and 4.8.