Bug 1947216 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Summary: [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.7.z
Assignee: Russell Teague
QA Contact: Pedro Amoedo
URL:
Whiteboard:
Depends On: 1938131
Blocks: 1964120
Reported: 2021-04-07 23:40 UTC by OpenShift BugZilla Robot
Modified: 2021-06-01 04:51 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-01 04:50:27 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 4827 0 None open [release-4.7] Bug 1947216: pkg/asset/installconfig/aws: Add iam permission for destorying clusters 2021-04-09 14:20:21 UTC
Red Hat Product Errata RHSA-2021:2121 0 None None None 2021-06-01 04:51:39 UTC

Comment 2 Pedro Amoedo 2021-05-25 16:52:10 UTC
[QA Summary]

[Version]

~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.ci-2021-05-24-185728
built from commit d541105dbce1baba2f0965044c532796b70aaf1f
release image registry.ci.openshift.org/ocp/release@sha256:dbd108bada59294178016eb253d417281180221984baa3142cc18c12e2a2528d

$ git --no-pager log --oneline --first-parent origin/release-4.7 -3
d541105db (HEAD -> release-4.7, origin/release-4.7) Merge pull request #4827 from openshift-cherrypick-robot/cherry-pick-4825-to-release-4.7
fa645ee16 Merge pull request #4842 from openshift-cherrypick-robot/cherry-pick-4809-to-release-4.7
b14ee6836 Merge pull request #4948 from openshift-cherrypick-robot/cherry-pick-4933-to-release-4.7
~~~

[Parameters]

Using a default "install-config.yaml" but with AWS credentials attached to a custom Policy that denies "iam:ListAttachedRolePolicies":

~~~
$ aws iam get-account-authorization-details | grep -A2 "user/bz1947216"
USERDETAILLIST	arn:aws:iam::301721915996:user/bz1947216	2021-05-25T14:33:28Z	/	AIDAUMQAHCJOO2AZNDLKB	bz1947216
ATTACHEDMANAGEDPOLICIES	arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies	yunjiang-test-denyListAttachedRolePolicies
TAGS	bz	1947216

$ aws iam get-policy-version --policy-arn arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies --version-id v1
POLICYVERSION	2021-03-10T09:45:00Z	True	v1
DOCUMENT	2012-10-17
STATEMENT	*	Allow	*	VisualEditor0
STATEMENT	iam:ListAttachedRolePolicies	Deny	*	VisualEditor1
~~~

[Results]

As expected, the installation aborts early during the permissions check procedure:

~~~
$ ./openshift-install create cluster --dir bz1947216/ --log-level debug
DEBUG OpenShift Installer 4.7.0-0.ci-2021-05-24-185728 
DEBUG Built from commit d541105dbce1baba2f0965044c532796b70aaf1f 
DEBUG Fetching Metadata...                         
...                    
INFO Credentials loaded from the "default" profile in file "/home/pamoedo/.aws/credentials" 
...
DEBUG   Generating Platform Permissions Check...   
WARNING Action not allowed with tested creds          action=iam:ListAttachedRolePolicies
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
~~~

NOTE: The parameter is already present in the permission list document [1].

[1] - https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
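The QA run above shows the installer's pre-flight check catching a single explicit Deny hidden under an Allow-everything statement. The following is an added example, not the installer's permissions.go and not Pedro's code: it models the IAM evaluation rule locally (an explicit Deny overrides any Allow; no matching Allow means deny) and walks a required-action list the way the installer's "Platform Permissions Check" reports missing actions. The policy statements are transcribed from the get-policy-version output in the comment; the required-action list is constructed for illustration (only iam:ListAttachedRolePolicies is taken from the page), and the real installer evaluates against AWS with SimulatePrincipalPolicy rather than against a local document.

```go
package main

import (
	"fmt"
	"strings"
)

// Statement models the subset of an IAM policy statement needed here (Effect and Action).
// Resource and Condition are deliberately not modelled in this constructed example.
type Statement struct {
	Effect  string   // "Allow" or "Deny"
	Actions []string // action patterns such as "*", "iam:List*", "iam:ListAttachedRolePolicies"
}

// globMatch matches an IAM action pattern (only '*' is a wildcard) against an action name.
// Both sides are expected in lower case; IAM action names are matched case-insensitively.
func globMatch(pattern, s string) bool {
	if pattern == "" {
		return s == ""
	}
	if pattern[0] == '*' {
		for i := 0; i <= len(s); i++ {
			if globMatch(pattern[1:], s[i:]) {
				return true
			}
		}
		return false
	}
	return s != "" && pattern[0] == s[0] && globMatch(pattern[1:], s[1:])
}

// Allowed applies the IAM decision rule for one action: any matching Deny wins,
// otherwise the action is allowed only if some Allow statement matches it.
func Allowed(policy []Statement, action string) bool {
	allowed := false
	for _, st := range policy {
		for _, pattern := range st.Actions {
			if !globMatch(strings.ToLower(pattern), strings.ToLower(action)) {
				continue
			}
			if strings.EqualFold(st.Effect, "Deny") {
				return false
			}
			allowed = true
		}
	}
	return allowed
}

// MissingActions returns the required actions the policy does not permit,
// in the order they were requested.
func MissingActions(policy []Statement, required []string) []string {
	var missing []string
	for _, action := range required {
		if !Allowed(policy, action) {
			missing = append(missing, action)
		}
	}
	return missing
}

// DenyListAttachedRolePolicies is the policy from the QA run, transcribed from the
// get-policy-version output: Allow * (VisualEditor0) plus an explicit Deny (VisualEditor1).
var DenyListAttachedRolePolicies = []Statement{
	{Effect: "Allow", Actions: []string{"*"}},
	{Effect: "Deny", Actions: []string{"iam:ListAttachedRolePolicies"}},
}

// RequiredForDestroy is a constructed subset of actions to check; only the first
// comes from the bug, the other two are illustrative entries for the example.
var RequiredForDestroy = []string{
	"iam:ListAttachedRolePolicies",
	"iam:DeleteRole",
	"ec2:TerminateInstances",
}

func main() {
	missing := MissingActions(DenyListAttachedRolePolicies, RequiredForDestroy)
	for _, m := range missing {
		fmt.Printf("WARNING Action not allowed with tested creds action=%s\n", m)
	}
	if len(missing) > 0 {
		fmt.Println("FATAL current credentials insufficient for performing cluster installation")
	}
}
```

Run as-is it prints the one missing action, mirroring the WARNING/FATAL lines in the QA log. The useful property to notice is that a broad Allow does not mask the check: because Deny is evaluated before the Allow result is trusted, adding a new required action to the installer's list is enough to make a narrowly scoped Deny visible before any cluster resources are created.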

Comment 5 errata-xmlrpc 2021-06-01 04:50:27 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.7.13 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2121

