Bug 1938131 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Summary: [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.8.0
Assignee: Russell Teague
QA Contact: Yunfei Jiang
Depends On:
Blocks: 1947216
Reported: 2021-03-12 09:02 UTC by Yunfei Jiang
Modified: 2021-07-27 22:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Cause: iam:ListAttachedRolePolicies missing from openshift-install permissions
Consequence: Cluster destroy fails when deleting IAM role
Fix: Add iam:ListAttachedRolePolicies to openshift-install permissions
Result: Cluster destroy completes successfully
Clone Of:
Last Closed: 2021-07-27 22:53:17 UTC
Target Upstream Version:


System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4825 0 None open Bug 1938131: pkg/asset/installconfig/aws: Add iam permission for destorying clusters 2021-04-07 18:33:32 UTC
Red Hat Product Errata RHSA-2021:2438 0 None None None 2021-07-27 22:53:36 UTC

Description Yunfei Jiang 2021-03-12 09:02:56 UTC
The iam:ListAttachedRolePolicies permission is required for destroying cluster [1], but it's missing in AWS permissions.go file [4].

The official 4.6 and 4.7 documents [2][3] also don't mention the permission requirement. If a user configures an AWS account by following the documents, then when running the `destroy` command an error will occur and the IAM role can't be deleted:

level=warning msg=listing attached IAM role policies: AccessDenied: User: arn:aws:iam::301721915996:user/yunjiang-test-ListAttachedRole is not authorized to perform: iam:ListAttachedRolePolicies on resource: role yunjiang-role48-ffjmv-master-role with an explicit deny arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role
level=warning msg=    status code: 403, request id: 8d9b8cae-97ed-4c6f-8e8f-4bccfec2fc64 arn=arn:aws:iam::301721915996:role/yunjiang-role48-ffjmv-master-role

This bug tracks the issue for the installer component; the related documentation issue is tracked in https://bugzilla.redhat.com/show_bug.cgi?id=1936541

[1] https://github.com/openshift/installer/pull/4126
[2] https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
[3] https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html
[4] https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go

Version: 4.8.0-0.nightly-2021-03-10-053945

Additional info:
The same issue also occurs on 4.6.20 GA and 4.7.0 GA.

Comment 3 Yunfei Jiang 2021-04-08 08:54:07 UTC
Russell, the installer will not do a permission check when running `destroy cluster`, right?

Comment 4 Matthew Staebler 2021-04-08 13:33:14 UTC
(In reply to Yunfei Jiang from comment #3)
> Russell, the installer will not do a permission check when running `destroy
> cluster`, right?

That is correct.
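Since the installer only validates permissions at install time (comment 4) and the destroy path fails late with the AccessDenied shown in the description, a pre-destroy check of the IAM user's policy is the kind of guard an operator may want. The Go program below is an added example, not code from permissions.go or from anyone on this bug: it parses an IAM identity policy document, applies IAM's evaluation order (explicit Deny beats Allow, anything unmentioned is implicitly denied), and reports which role-deletion actions the policy does not grant. The action list is a constructed, illustrative subset of real IAM actions, not the installer's list; the policy JSON mirrors the reporter's "explicit deny" setup and is constructed for the example; all function names are assumptions.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"strings"
)

// Constructed subset of IAM actions involved in deleting a cluster's IAM
// roles. Illustrative only; it is not the installer's list from
// permissions.go. iam:ListAttachedRolePolicies is the action this bug adds.
var destroyRoleActions = []string{
	"iam:GetRole",
	"iam:ListAttachedRolePolicies",
	"iam:DetachRolePolicy",
	"iam:ListRolePolicies",
	"iam:DeleteRolePolicy",
	"iam:ListInstanceProfilesForRole",
	"iam:DeleteRole",
}

// actionList accepts both forms the IAM policy grammar allows for Action:
// a single string ("iam:GetRole") or an array of strings.
type actionList []string

func (a *actionList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = actionList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return fmt.Errorf("Action must be a string or array of strings: %w", err)
	}
	*a = actionList(many)
	return nil
}

type statement struct {
	Effect string     `json:"Effect"`
	Action actionList `json:"Action"`
}

type policyDocument struct {
	Version   string      `json:"Version"`
	Statement []statement `json:"Statement"`
}

// matches reports whether an action pattern (with IAM's * and ? wildcards)
// covers the action. IAM action names are case-insensitive.
func matches(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// evaluate applies IAM's order for one identity policy: an explicit Deny
// wins over any Allow, and an action no statement mentions is denied.
func evaluate(doc policyDocument, action string) (allowed, explicitDeny bool) {
	for _, st := range doc.Statement {
		for _, pat := range st.Action {
			if !matches(pat, action) {
				continue
			}
			switch st.Effect {
			case "Deny":
				return false, true
			case "Allow":
				allowed = true
			}
		}
	}
	return allowed, false
}

// missingDestroyPermissions returns, sorted, the destroy-time actions the
// policy does not grant, so a gap surfaces before `destroy cluster` runs.
func missingDestroyPermissions(policyJSON []byte) ([]string, error) {
	var doc policyDocument
	if err := json.Unmarshal(policyJSON, &doc); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	var missing []string
	for _, action := range destroyRoleActions {
		if ok, _ := evaluate(doc, action); !ok {
			missing = append(missing, action)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// Constructed policy reproducing the reporter's setup: broad IAM access plus
// an explicit Deny on the one action the installer's permission list lacked.
const denyListAttachedPolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["iam:*", "ec2:*"]},
    {"Effect": "Deny", "Action": "iam:ListAttachedRolePolicies"}
  ]
}`

func main() {
	missing, err := missingDestroyPermissions([]byte(denyListAttachedPolicy))
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, m := range missing {
		fmt.Println("destroy would fail: not authorized to perform", m)
	}
}
```

Run against the constructed policy it prints a single line naming iam:ListAttachedRolePolicies, matching the warning in the description; a policy that allows `iam:*` with no Deny produces no output. Real policies can also carry NotAction, Resource and Condition elements, which this evaluator deliberately ignores.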

Comment 5 Yunfei Jiang 2021-04-09 08:28:37 UTC
verified. PASS.
OCP version: 4.8.0-0.nightly-2021-04-08-043959

Remove the iam:ListAttachedRolePolicies permission from the IAM user, and then try to create a cluster:

time="2021-04-08T04:45:40-04:00" level=info msg="Credentials loaded from the \"denylistattachedrole\" profile in file \"/home/cloud-user/.aws/credentials\""
time="2021-04-08T04:45:45-04:00" level=fatal msg="failed to fetch Cluster: failed to fetch dependency of \"Cluster\": failed to generate asset \"Platform Permissions Check\": validate AWS credentials:     current credentials insufficient for performing cluster installation"

Comment 8 errata-xmlrpc 2021-07-27 22:53:17 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

