[QA Summary]

[Version]
~~~
$ ./openshift-install version
./openshift-install 4.7.0-0.ci-2021-05-24-185728
built from commit d541105dbce1baba2f0965044c532796b70aaf1f
release image registry.ci.openshift.org/ocp/release@sha256:dbd108bada59294178016eb253d417281180221984baa3142cc18c12e2a2528d
$ git --no-pager log --oneline --first-parent origin/release-4.7 -3
d541105db (HEAD -> release-4.7, origin/release-4.7) Merge pull request #4827 from openshift-cherrypick-robot/cherry-pick-4825-to-release-4.7
fa645ee16 Merge pull request #4842 from openshift-cherrypick-robot/cherry-pick-4809-to-release-4.7
b14ee6836 Merge pull request #4948 from openshift-cherrypick-robot/cherry-pick-4933-to-release-4.7
~~~

[Parameters]
Using a default "install-config.yaml" but with AWS credentials attached to a custom Policy that denies "iam:ListAttachedRolePolicies":
~~~
$ aws iam get-account-authorization-details | grep -A2 "user/bz1947216"
USERDETAILLIST arn:aws:iam::301721915996:user/bz1947216 2021-05-25T14:33:28Z / AIDAUMQAHCJOO2AZNDLKB bz1947216
ATTACHEDMANAGEDPOLICIES arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies yunjiang-test-denyListAttachedRolePolicies
TAGS bz 1947216
$ aws iam get-policy-version --policy-arn arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies --version-id v1
POLICYVERSION 2021-03-10T09:45:00Z True v1
DOCUMENT 2012-10-17
STATEMENT * Allow * VisualEditor0
STATEMENT iam:ListAttachedRolePolicies Deny * VisualEditor1
~~~

[Results]
As expected, installation aborts early when doing permissions check procedure:
~~~
$ ./openshift-install create cluster --dir bz1947216/ --log-level debug
DEBUG OpenShift Installer 4.7.0-0.ci-2021-05-24-185728
DEBUG Built from commit d541105dbce1baba2f0965044c532796b70aaf1f
DEBUG Fetching Metadata...
...
INFO Credentials loaded from the "default" profile in file "/home/pamoedo/.aws/credentials"
...
DEBUG Generating Platform Permissions Check...
WARNING Action not allowed with tested creds action=iam:ListAttachedRolePolicies
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
~~~

NOTE: Parameter is already present in permission list document[1].

[1] - https://docs.openshift.com/container-platform/4.7/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account

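
Why the Allow-all statement in the test policy above still fails the check, as an added example that is not part of the original comment or the installer's code: a minimal evaluator in which an explicit Deny overrides any Allow. The JSON policy is reconstructed from the text output above, the actions other than iam:ListAttachedRolePolicies are a constructed sample, and Condition, NotAction and NotResource are not modelled.

```python
import re

# Constructed: JSON form of the policy shown in the text output above.
POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "VisualEditor0", "Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Sid": "VisualEditor1", "Effect": "Deny",
         "Action": "iam:ListAttachedRolePolicies", "Resource": "*"},
    ],
}
# Constructed sample; only iam:ListAttachedRolePolicies comes from the page.
SAMPLE_ACTIONS = ["ec2:DescribeInstances", "iam:CreateRole",
                  "iam:ListAttachedRolePolicies"]

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _matches(patterns, value):
    # "*" and "?" are the only wildcards; matching is case-insensitive here
    # (true for action names, a simplification for resource ARNs).
    for pattern in _as_list(patterns):
        regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
        if re.fullmatch(regex, value, re.IGNORECASE):
            return True
    return False

def evaluate(policy, action, resource="*"):
    """Return 'explicitDeny', 'allowed' or 'implicitDeny' for one action."""
    allowed = False
    for stmt in _as_list(policy["Statement"]):
        if "Action" not in stmt or "Resource" not in stmt:
            continue  # NotAction / NotResource statements are not modelled
        if not (_matches(stmt["Action"], action)
                and _matches(stmt["Resource"], resource)):
            continue
        if stmt["Effect"] == "Deny":
            return "explicitDeny"  # a matching Deny wins over every Allow
        allowed = True
    return "allowed" if allowed else "implicitDeny"

def preflight(policy, actions):
    """Map each action the policy would not permit to the reason."""
    results = {action: evaluate(policy, action) for action in actions}
    return {a: d for a, d in results.items() if d != "allowed"}

if __name__ == "__main__":
    for action, decision in preflight(POLICY, SAMPLE_ACTIONS).items():
        print(f"not allowed: {action} ({decision})")
```
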
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.7.13 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2121