[QA Summary]

[Version]
~~~
$ ./openshift-install version
./openshift-install 4.6.0-0.nightly-2021-05-31-074224
built from commit 68ab13d26311a3e03854a00fd7cf5b1583ae9b69
release image registry.ci.openshift.org/ocp/release@sha256:5c333746d03d2d7f67f314db888e3cabcecbf6512f8b5384aa27d1033c573ce0
$ git --no-pager log --oneline --first-parent origin/release-4.6 -3
68ab13d26 (HEAD -> release-4.6, origin/release-4.6) Merge pull request #4956 from openshift-cherrypick-robot/cherry-pick-4827-to-release-4.6
c47fb1296 Merge pull request #4840 from openshift-cherrypick-robot/cherry-pick-4824-to-release-4.6
9c86c823f Merge pull request #4665 from openshift-cherrypick-robot/cherry-pick-4602-to-release-4.6
~~~

[Parameters]
Using a default "install-config.yaml" but with AWS credentials attached to a custom Policy that denies "iam:ListAttachedRolePolicies":
~~~
$ aws iam get-account-authorization-details | grep -A2 "user/bz1964120"
USERDETAILLIST arn:aws:iam::301721915996:user/bz1964120 2021-05-31T08:02:53Z / AIDAUMQAHCJOGKRGGCGZK bz1964120
ATTACHEDMANAGEDPOLICIES arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies yunjiang-test-denyListAttachedRolePolicies
TAGS bz 1964120
$ aws iam get-policy-version --policy-arn arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies --version-id v1
POLICYVERSION 2021-03-10T09:45:00Z True v1
DOCUMENT 2012-10-17
STATEMENT * Allow * VisualEditor0
STATEMENT iam:ListAttachedRolePolicies Deny * VisualEditor1
~~~

[Results]
As expected, installation aborts early during permissions check procedure:
~~~
$ ./openshift-install create cluster --dir bz1964120/ --log-level debug
DEBUG OpenShift Installer 4.6.0-0.nightly-2021-05-31-074224
DEBUG Built from commit 68ab13d26311a3e03854a00fd7cf5b1583ae9b69
DEBUG Fetching Metadata...
...
INFO Credentials loaded from the "default" profile in file "/home/pamoedo/.aws/credentials"
...
DEBUG Generating Platform Permissions Check...
WARNING Action not allowed with tested creds action="iam:ListAttachedRolePolicies"
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
~~~

NOTE: Parameter is already present in the corresponding permissions document[1].

[1] - https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.32 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2157