The iam:ListAttachedRolePolicies permission is required for destroying a cluster [1], but it's missing in the AWS permissions.go file [4]. The official 4.6 and 4.7 documents [2][3] also don't mention the permission requirement. If a user configures an AWS account by following the documents, when running the `destroy` command, an error will occur and the IAM role can't be deleted:

level=warning msg=listing attached IAM role policies: AccessDenied: User: arn:aws:iam::301721915996:user/yunjiang-test-ListAttachedRole is not authorized to perform: iam:ListAttachedRolePolicies on resource: role yunjiang-role48-ffjmv-master-role with an explicit deny arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role
level=warning msg= status code: 403, request id: 8d9b8cae-97ed-4c6f-8e8f-4bccfec2fc64 arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role

This bug is a tracking issue for the installer component; the related document issue was tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1936541

[1] https://github.com/openshift/installer/pull/4126
[2] https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
[3] https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html
[4] https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go

Version: 4.8.0-0.nightly-2021-03-10-053945

Additional info:
The same issue also occurred on 4.6.20 GA and 4.7.0 GA.
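The gap this report describes, a destroy path that needs iam:ListAttachedRolePolicies while the documented permission list omitted it, can be caught offline by checking a policy document against the actions the destroy path needs before the credentials are ever used. The following Python is an added example written for this page, not code from the OpenShift installer; the action set, the evaluator's scope (Action and Effect only, no Resource, Condition or NotAction handling) and the three sample policies are assumptions constructed for illustration. It also models the explicit-deny case that the log output above shows, since an explicit Deny blocks the action even when a broad Allow is present.

```python
import json
import re

# Constructed set of IAM actions that deleting a cluster's IAM roles needs.
# This list is an assumption for illustration; iam:ListAttachedRolePolicies
# is the action this bug report is about.
DESTROY_ROLE_ACTIONS = (
    "iam:ListAttachedRolePolicies",
    "iam:DetachRolePolicy",
    "iam:ListRolePolicies",
    "iam:DeleteRolePolicy",
    "iam:DeleteRole",
)


def _as_list(value):
    """IAM allows a scalar or a list for Statement/Action; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action names are case-insensitive and support only * and ? wildcards."""
    regex = re.escape(pattern.lower()).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action.lower()) is not None


def evaluate_action(policy, action):
    """Classify one action under a policy document (Action/Effect only).

    Returns "deny" if any matching statement is an explicit Deny (Deny always
    wins), "allow" if some matching statement is an Allow, and otherwise
    "implicit-deny". Resource, Condition and NotAction are not modelled here
    (an assumption of this example, not how IAM evaluates a real request).
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny"
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "allow" if allowed else "implicit-deny"


def missing_actions(policy, required=DESTROY_ROLE_ACTIONS):
    """Map each required action that is not allowed to the reason it is blocked."""
    result = {}
    for action in required:
        verdict = evaluate_action(policy, action)
        if verdict != "allow":
            result[action] = verdict
    return result


# Constructed sample policies (not from the OpenShift documentation).
# INCOMPLETE_POLICY mirrors an account set up from a permission list that omits
# iam:ListAttachedRolePolicies; EXPLICIT_DENY_POLICY mirrors the "with an
# explicit deny" situation in the log output; FIXED_POLICY adds the action.
INCOMPLETE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:DetachRolePolicy", "iam:ListRolePolicies",
                            "iam:DeleteRolePolicy", "iam:DeleteRole"],
                 "Resource": "*"}]
}""")

EXPLICIT_DENY_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
    {"Effect": "Deny", "Action": "iam:ListAttachedRolePolicies", "Resource": "*"}
  ]
}""")

FIXED_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [{"Effect": "Allow",
                 "Action": ["iam:ListAttachedRolePolicies", "iam:DetachRolePolicy",
                            "iam:ListRolePolicies", "iam:DeleteRolePolicy",
                            "iam:DeleteRole"],
                 "Resource": "*"}]
}""")

if __name__ == "__main__":
    for name, policy in [("incomplete", INCOMPLETE_POLICY),
                         ("explicit-deny", EXPLICIT_DENY_POLICY),
                         ("fixed", FIXED_POLICY)]:
        print(name, missing_actions(policy) or "all destroy actions allowed")
```

Running the block reports `iam:ListAttachedRolePolicies` as implicitly denied for the incomplete policy and explicitly denied for the second one, and nothing missing for the fixed policy. The distinction matters in practice: an implicit deny is fixed by adding the action to the user's policy, while an explicit deny (as in the log above) has to be located and removed, because adding an Allow elsewhere will not override it.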
Russell, installer will not do permission check when running `destroy cluster`, right?
(In reply to Yunfei Jiang from comment #3)
> Russell, installer will not do permission check when running `destroy cluster`, right?

That is correct.
Verified. PASS.

OCP version: 4.8.0-0.nightly-2021-04-08-043959

Remove the iam:ListAttachedRolePolicies permission from the IAM user, and then try to create a cluster:

time="2021-04-08T04:45:40-04:00" level=info msg="Credentials loaded from the \"denylistattachedrole\" profile in file \"/home/cloud-user/.aws/credentials\""
...
time="2021-04-08T04:45:45-04:00" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials: current credentials insufficient for performing cluster installation"
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438