Bug 1936541 - Missing AWS IAM installation permission: iam:ListAttachedRolePolicies
Summary: Missing AWS IAM installation permission: iam:ListAttachedRolePolicies
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: high
Severity: medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: Cody Hoag
QA Contact: Yunfei Jiang
Docs Contact: Vikram Goyal
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-03-08 17:39 UTC by Stephen Cuppett
Modified: 2021-03-16 16:52 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-16 16:52:32 UTC
Target Upstream Version:
Embargoed:



Description Stephen Cuppett 2021-03-08 17:39:28 UTC
Document URL: https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account

Section Number and Name: 

Required AWS permissions -> Required permissions to delete base cluster resources

Describe the issue: 

Received the following error attempting to delete an IPI AWS cluster with the documented list of explicit permissions:

WARNING listing attached IAM role policies: AccessDenied: User: arn:aws:iam::641875867446:user/install_user is not authorized to perform: iam:ListAttachedRolePolicies on resource: role iam-x2w59-worker-role  arn=arn:aws:iam::641875867446:role/iam-x2w59-worker-role

Suggestions for improvement: 

We need to include this permission in the "Required permissions to delete base cluster resources" section.

Comment 1 Stephen Cuppett 2021-03-08 17:40:56 UTC
There may need to be another install bug to go along with this. Even though this is a WARNING in the stdout from the installer, it holds up the "destroy cluster" operation until the permission is granted or the process is killed. If killed, it will orphan the master/worker IAM roles.

Comment 2 Cody Hoag 2021-03-08 20:05:29 UTC
@Yunfei can you review this requested AWS permission requirement?:

https://github.com/openshift/openshift-docs/pull/30220

This isn't present in the AWS permissions.go file [1], which is why it isn't in the docs. If this permission addition is valid, please let me know the OCP versions this applies to (4.5-4.8?). Thanks!

[1] https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go

Comment 3 Stephen Cuppett 2021-03-08 20:18:26 UTC
Will need to be updated in at least the 4.7 and 4.8 docs (might be applicable to 4.6 as well).

Comment 4 Cody Hoag 2021-03-10 16:00:02 UTC
Thanks, Stephen! I reached out to the Installer dev team and they confirmed this additional permission requirement would be applicable for OCP 4.6+. As background, this requirement was introduced via https://github.com/openshift/installer/pull/4126.

As per the docs publication requirements, I'll wait for QE to confirm this information, and then proceed with publishing the update for the applicable versions.

Comment 5 Yunfei Jiang 2021-03-12 04:08:45 UTC
Tested with an IAM user without the iam:ListAttachedRolePolicies permission:

install: succeeds, cluster works well.

destroy goes into an infinite loop, since it cannot list the policies attached to the role:

level=warning msg="listing attached IAM role policies: AccessDenied: User: arn:aws:iam::301721915996:user/yunjiang-test-ListAttachedRole is not authorized to perform: iam:ListAttachedRolePolicies on resource: role yunjiang-role46-gprsb-worker-role with an explicit deny\n\tstatus code: 403, request id: 665a9c72-ab46-4b45-bbd5-b772705f147a" arn="arn:aws:iam::301721915996:role/yunjiang-role46-gprsb-worker-role"

The error occurred on 4.6, 4.7, and 4.8.

If the iam:ListAttachedRolePolicies permission is granted to the IAM user, the issue above does not occur.

Marking this bug as verified.
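As an added example (not code from the bug, the installer, or the docs), a small Python triage helper that parses `openshift-install destroy` output like the warnings quoted above, extracts the denied IAM action and role ARN, and builds the least-privilege Allow statement an operator would add to the installer user's policy; it also separates explicit-deny cases, since adding an Allow never overrides an explicit Deny. The log lines, account ids, role names and request id are constructed placeholders.

```python
import re

# Constructed sample of openshift-install destroy output in both formats seen on
# this bug (plain WARNING and logrus key=value); all ids and names are placeholders.
SAMPLE_LOG = (
    "WARNING listing attached IAM role policies: AccessDenied: User: "
    "arn:aws:iam::111111111111:user/install_user is not authorized to perform: "
    "iam:ListAttachedRolePolicies on resource: role demo-abcde-worker-role  "
    "arn=arn:aws:iam::111111111111:role/demo-abcde-worker-role\n"
    'level=warning msg="listing attached IAM role policies: AccessDenied: User: '
    "arn:aws:iam::111111111111:user/install_user is not authorized to perform: "
    "iam:ListAttachedRolePolicies on resource: role demo-abcde-master-role with an "
    'explicit deny\\n\\tstatus code: 403, request id: 00000000-0000-0000-0000-000000000000" '
    'arn="arn:aws:iam::111111111111:role/demo-abcde-master-role"\n'
    'level=info msg="Deleted" id=vpc-0123456789abcdef0\n'
)

DENIED_RE = re.compile(
    r"AccessDenied: User: \S+ is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<rtype>[a-z]+) (?P<rname>[^\s\"\\]+)"
)
ARN_RE = re.compile(r'arn="?(?P<arn>arn:aws:iam::\d{12}:[^"\s]+)"?')


def find_denied_actions(log_text):
    """One (action, resource_arn, explicit_deny) tuple per distinct AccessDenied line."""
    seen, findings = set(), []
    for line in log_text.splitlines():
        m = DENIED_RE.search(line)
        if not m:
            continue
        arn = ARN_RE.search(line)  # logrus lines carry arn="..."; plain lines arn=...
        resource = arn.group("arn") if arn else m.group("rname")
        key = (m.group("action"), resource, "with an explicit deny" in line)
        if key not in seen:
            seen.add(key)
            findings.append(key)
    return findings


def missing_allow_statement(findings, sid="OpenShiftDestroyMissing"):
    """Least-privilege Allow statement for the implicit-deny findings; explicit
    Deny findings are returned separately, since an added Allow never overrides them."""
    implicit = [f for f in findings if not f[2]]
    explicit = [f for f in findings if f[2]]
    statement = {
        "Sid": sid,
        "Effect": "Allow",
        "Action": sorted({f[0] for f in implicit}),
        "Resource": sorted({f[1] for f in implicit}),
    } if implicit else None
    return statement, explicit
```

Run the helper over the captured destroy log before re-running destroy; the explicit-deny list points at a Deny statement that has to be removed from the user's policies rather than worked around.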

Comment 6 Yunfei Jiang 2021-03-12 07:13:37 UTC
Cody,

The PR https://github.com/openshift/openshift-docs/pull/30220 is to fix 4.8; could you please cherry-pick it to 4.6 and 4.7?
Changing status back to ON_QA; once the PRs for 4.6, 4.7 and 4.8 are merged, I will set it to VERIFIED.

Thanks.

Comment 7 Yunfei Jiang 2021-03-12 09:11:31 UTC
fyi, bug for installer side https://bugzilla.redhat.com/show_bug.cgi?id=1938131

Comment 8 Cody Hoag 2021-03-12 20:39:32 UTC
Thanks for filing that eng BZ, Yunfei!

This has been merged for OCP versions 4.6+. I will close once the updates are live.

