Bug 1936541
| Summary: | Missing AWS IAM installation permission: iam:ListAttachedRolePolicies | ||
|---|---|---|---|
| Product: | OpenShift Container Platform | Reporter: | Stephen Cuppett <scuppett> |
| Component: | Documentation | Assignee: | Cody Hoag <choag> |
| Status: | CLOSED CURRENTRELEASE | QA Contact: | Yunfei Jiang <yunjiang> |
| Severity: | medium | Docs Contact: | Vikram Goyal <vigoyal> |
| Priority: | high | ||
| Version: | 4.7 | CC: | aos-bugs, jokerman, rteague, yunjiang |
| Target Milestone: | --- | ||
| Target Release: | 4.7.z | ||
| Hardware: | Unspecified | ||
| OS: | Unspecified | ||
| Whiteboard: | | | |
| Fixed In Version: | | Doc Type: | If docs needed, set a value |
| Doc Text: | | Story Points: | --- |
| Clone Of: | | Environment: | |
| Last Closed: | 2021-03-16 16:52:32 UTC | Type: | Bug |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | | Category: | --- |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | | | |
|
Description
Stephen Cuppett
2021-03-08 17:39:28 UTC
There may need to be another install bug to go along with this. Even though this is a WARNING in the stdout from the installer, it holds up the "destroy cluster" operation until the permission is granted or the process is killed. If killed, it will orphan the master/worker IAM roles.

@Yunfei, can you review this requested AWS permission requirement? https://github.com/openshift/openshift-docs/pull/30220

This isn't present in the AWS permissions.go file [1], which is why it isn't in the docs. If this permission addition is valid, please let me know the OCP versions this applies to (4.5-4.8?). Thanks!

[1] https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go

Will need to be updated in at least the 4.7 and 4.8 docs (might be applicable to 4.6 as well).

Thanks, Stephen! I reached out to the Installer dev team and they confirmed this additional permission requirement would be applicable for OCP 4.6+. As background, this requirement was introduced via https://github.com/openshift/installer/pull/4126. As per the docs publication requirements, I'll wait for QE to confirm this information, and then proceed with publishing the update for the applicable versions.

Tested based on an IAM user without the iam:ListAttachedRolePolicies permission:

install: succeeds, cluster works well.

destroy: goes into an infinite loop, since it cannot list the policies attached to the role:

level=warning msg="listing attached IAM role policies: AccessDenied: User: arn:aws:iam::301721915996:user/yunjiang-test-ListAttachedRole is not authorized to perform: iam:ListAttachedRolePolicies on resource: role yunjiang-role46-gprsb-worker-role with an explicit deny\n\tstatus code: 403, request id: 665a9c72-ab46-4b45-bbd5-b772705f147a" arn="arn:aws:iam::301721915996:role/yunjiang-role46-gprsb-worker-role"

The error occurred on 4.6, 4.7, 4.8. If the iam:ListAttachedRolePolicies permission is granted to the IAM user, the above issue does not occur. Marking this bug as verified.

Cody, the PR https://github.com/openshift/openshift-docs/pull/30220 is to fix 4.8; could you please cherry-pick to 4.6 and 4.7? Changing status back to ON_QA; once the PRs for 4.6, 4.7 and 4.8 are merged, I will set it to VERIFIED. Thanks.

FYI, bug for the installer side: https://bugzilla.redhat.com/show_bug.cgi?id=1938131

Thanks for filing that eng BZ, Yunfei! This has been merged for OCP versions 4.6+. I will close once the updates are live.

This is now live:
https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
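The QE comment above shows why this permission matters: the installer only logs a warning, but "destroy cluster" cannot finish the IAM role cleanup until iam:ListAttachedRolePolicies succeeds. The following is an added example, not code from the bug report or from the OpenShift installer, of a pre-flight check a practitioner can run before destroying a cluster: it evaluates a constructed installer-user policy against the cluster's master/worker role ARNs and reports any required action that is not allowed. The policy documents, account ID, role ARNs and the required-action list are all assumptions constructed for the example. The evaluator is a deliberate simplification of IAM (single identity-based policy, no Condition, NotAction, NotResource, SCPs or resource policies); the point it illustrates is the one in the QE log line: an explicit Deny on the action is fatal and cannot be fixed by adding an Allow, whereas a missing Allow (implicit deny) is fixed by the one statement the docs update adds.

```python
"""Pre-flight check: will "destroy cluster" stall on iam:ListAttachedRolePolicies?

Added example (not installer code). Simplified IAM evaluation for a single
identity-based policy: explicit Deny wins, then any matching Allow, else implicit deny.
"""
import fnmatch
import json

# Constructed sample data (not from the bug report): a fake account and the two
# roles the installer creates per cluster.
CLUSTER_ROLE_ARNS = [
    "arn:aws:iam::123456789012:role/example-abcde-master-role",
    "arn:aws:iam::123456789012:role/example-abcde-worker-role",
]

# Reproduces the "with an explicit deny" situation from the QE log line.
POLICY_EXPLICIT_DENY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:DeleteRole", "iam:ListRolePolicies"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:ListAttachedRolePolicies", "Resource": "*"},
    ],
}

# The permission is simply absent (implicit deny); this is the usual case the docs fix addresses.
POLICY_MISSING = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["iam:GetRole", "iam:DeleteRole", "iam:ListRolePolicies"],
         "Resource": "*"},
    ],
}

# Permission granted via a wildcard action, which IAM matches case-insensitively.
POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "iam:list*", "Resource": "*"}],
}

# Assumed minimal set the destroy path needs for this check; extend as required.
REQUIRED_ACTIONS = ("iam:ListAttachedRolePolicies",)


def _as_list(value):
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(patterns, value, case_insensitive):
    # IAM wildcards: '*' matches any run of characters, '?' a single character.
    if case_insensitive:
        return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)


def evaluate(policy, action, resource):
    """Return 'allow', 'explicit_deny' or 'implicit_deny' for one action/resource pair."""
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(_as_list(stmt.get("Action")), action, case_insensitive=True):
            continue
        if not _matches(_as_list(stmt.get("Resource")), resource, case_insensitive=False):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"  # a Deny ends evaluation regardless of any Allow
        allowed = True
    return "allow" if allowed else "implicit_deny"


def destroy_preflight(policy, role_arns, required=REQUIRED_ACTIONS):
    """List (action, role_arn, verdict) for every required action not allowed on a cluster role.
    An empty list means the role cleanup in "destroy cluster" will not stall on these permissions."""
    problems = []
    for action in required:
        for arn in role_arns:
            verdict = evaluate(policy, action, arn)
            if verdict != "allow":
                problems.append((action, arn, verdict))
    return problems


def missing_statement(required=REQUIRED_ACTIONS, resources=("*",)):
    """The Allow statement to add to the installer user's policy (matches the docs update)."""
    return {"Effect": "Allow", "Action": list(required), "Resource": list(resources)}


def with_statement(policy, stmt):
    """Return a copy of `policy` with `stmt` appended."""
    return {"Version": policy["Version"], "Statement": policy["Statement"] + [stmt]}


if __name__ == "__main__":
    for name, pol in [("explicit deny", POLICY_EXPLICIT_DENY),
                      ("missing", POLICY_MISSING),
                      ("wildcard", POLICY_WILDCARD)]:
        print(f"{name:14s} -> {destroy_preflight(pol, CLUSTER_ROLE_ARNS) or 'OK'}")
    print("statement to add:", json.dumps(missing_statement()))
    print("patched missing  ->", destroy_preflight(with_statement(POLICY_MISSING, missing_statement()), CLUSTER_ROLE_ARNS) or "OK")
    print("patched deny     ->", destroy_preflight(with_statement(POLICY_EXPLICIT_DENY, missing_statement()), CLUSTER_ROLE_ARNS))
```

Against a real account the authoritative equivalent is `aws iam simulate-principal-policy --policy-source-arn <installer-user-arn> --action-names iam:ListAttachedRolePolicies --resource-arns <role-arns>`, which also accounts for SCPs, permission boundaries and conditions that this offline evaluator ignores; run it before `openshift-install destroy cluster` so a killed destroy does not orphan the master/worker roles.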