Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1936485

Summary: Missing AWS IAM installation permission: ec2:DescribeInstanceTypeOfferings
Product: OpenShift Container Platform
Component: Documentation
Version: 4.7
Status: CLOSED CURRENTRELEASE
Severity: medium
Priority: high
Target Milestone: ---
Target Release: 4.7.z
Hardware: Unspecified
OS: Unspecified
Reporter: Stephen Cuppett <scuppett>
Assignee: Eric Ponvelle <eponvell>
QA Contact: Yunfei Jiang <yunjiang>
Docs Contact: Vikram Goyal <vigoyal>
CC: aos-bugs, eponvell, jokerman, yunjiang
Doc Type: If docs needed, set a value
Last Closed: 2021-03-15 17:04:57 UTC
Type: Bug

Description Stephen Cuppett 2021-03-08 15:00:05 UTC
Document URL: https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account

Describe the issue: 

Running standard IPI installation using only the permissions from the documentation, I encountered the following warnings:

WARNING failed to find default instance type: UnauthorizedOperation: You are not authorized to perform this operation. 
WARNING Missing permissions to fetch Quotas and therefore will skip checking them: failed to load limits for servicequotas: failed to list default serviceqquotas for ec2: AccessDeniedException: User: arn:aws:iam::641875867446:user/install_user is not authorized to perform: servicequotas:ListAWSDefaultServiceQuotas, make sure you have `servicequotas:ListAWSDefaultServiceQuotas` permission available to the user.

Suggestions for improvement: 

We need to add ec2:DescribeInstanceTypeOfferings & servicequotas:ListAWSDefaultServiceQuotas to the list in some way. They are not required, but we should indicate them as optional/helpful to perform a clean installation with the best experience and no warnings.

Additional information:
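
An added example, not part of the bug report or of the OpenShift installer: a preflight check that reads an IAM identity policy document and reports which of the two actions named in the warnings above it does not grant. The sample policy is constructed, the function names are hypothetical, and the check assumes only this one policy applies (no permission boundaries or SCPs) and ignores Resource and Condition elements.

```python
import fnmatch
import json

# The two actions named in the installer warnings quoted in this bug.
OPTIONAL_ACTIONS = (
    "ec2:DescribeInstanceTypeOfferings",
    "servicequotas:ListAWSDefaultServiceQuotas",
)

# Constructed sample policy, not the documented OpenShift permission list.
SAMPLE_POLICY = """{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Allow", "Action": "servicequotas:ListServiceQuotas", "Resource": "*"}
  ]
}"""

def _as_list(value):
    """Action elements may be a single string or a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)

def _covers(statement, action):
    """True if the statement's Action or NotAction element applies to `action`."""
    def hit(patterns):
        # IAM action names are case-insensitive; * and ? are wildcards.
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)
    if "NotAction" in statement:
        return not hit(_as_list(statement["NotAction"]))
    return hit(_as_list(statement.get("Action")))

def missing_actions(policy_json, wanted=OPTIONAL_ACTIONS):
    """Return the wanted actions this policy document does not allow.
    Resource and Condition elements are ignored (simplification)."""
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):  # a lone statement may omit the list
        statements = [statements]
    missing = []
    for action in wanted:
        allowed = any(s.get("Effect") == "Allow" and _covers(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _covers(s, action) for s in statements)
        if denied or not allowed:  # an explicit Deny always wins
            missing.append(action)
    return missing

if __name__ == "__main__":
    for action in missing_actions(SAMPLE_POLICY):
        print("not granted by this policy:", action)
```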

Comment 1 Stephen Cuppett 2021-03-08 20:18:35 UTC
Will need to be updated in at least 4.7 and 4.8 docs (might be applicable in 4.6 as well).

Comment 2 Eric Ponvelle 2021-03-10 18:27:01 UTC
Thanks for this, Stephen. I've made the changes - https://github.com/openshift/openshift-docs/pull/30316

Waiting for Yunfei to confirm.

Comment 3 Eric Ponvelle 2021-03-10 20:25:30 UTC
I also created the 4.6 ticket changes - https://github.com/openshift/openshift-docs/pull/30320

Comment 4 Yunfei Jiang 2021-03-15 07:10:25 UTC
Eric, is PR https://github.com/openshift/openshift-docs/pull/30316 for both 4.7 and 4.8?

Reviewed the above two PRs; I will change the status to VERIFIED once the doc PRs are merged.

Comment 5 Eric Ponvelle 2021-03-15 13:14:51 UTC
Hi Yunfei,

Here's the PR for 4.6 - https://github.com/openshift/openshift-docs/pull/30320
Here's the PR for 4.7 - https://github.com/openshift/openshift-docs/pull/30316

I split them up after tagging you, I believe. I'll get them to the review team and merged in.

Thanks a lot!

Comment 6 Eric Ponvelle 2021-03-15 15:52:23 UTC
Apologies, Yunfei; I misread. Yes, the 30316 ticket is for 4.7+ while the 30320 ticket is just for 4.6. The tickets were merged, and the changes are available on this page:

4.6: https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
4.7+: https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account

Comment 7 Yunfei Jiang 2021-03-16 01:06:17 UTC
Eric, thanks for your update.