Bug 1964120 - [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Summary: [AWS] Missing iam:ListAttachedRolePolicies permission in permissions.go
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: medium
Severity: medium
Target Milestone: ---
Target Release: 4.6.z
Assignee: Russell Teague
QA Contact: Pedro Amoedo
URL:
Whiteboard:
Depends On: 1947216
Blocks:
 
Reported: 2021-05-24 18:43 UTC by OpenShift BugZilla Robot
Modified: 2021-06-08 13:54 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-06-08 13:54:23 UTC
Target Upstream Version:
Embargoed:




Links
System | ID | Private | Priority | Status | Summary | Last Updated
Github openshift installer pull | 4956 | 0 | None | open | [release-4.6] [release-4.7] Bug 1964120: pkg/asset/installconfig/aws: Add iam permission for destorying clusters | 2021-05-25 17:43:53 UTC
Red Hat Product Errata | RHBA-2021:2157 | 0 | None | None | None | 2021-06-08 13:54:35 UTC

Comment 3 Pedro Amoedo 2021-05-31 08:17:39 UTC
[QA Summary]

[Version]

~~~
$ ./openshift-install version
./openshift-install 4.6.0-0.nightly-2021-05-31-074224
built from commit 68ab13d26311a3e03854a00fd7cf5b1583ae9b69
release image registry.ci.openshift.org/ocp/release@sha256:5c333746d03d2d7f67f314db888e3cabcecbf6512f8b5384aa27d1033c573ce0

$ git --no-pager log --oneline --first-parent origin/release-4.6 -3
68ab13d26 (HEAD -> release-4.6, origin/release-4.6) Merge pull request #4956 from openshift-cherrypick-robot/cherry-pick-4827-to-release-4.6
c47fb1296 Merge pull request #4840 from openshift-cherrypick-robot/cherry-pick-4824-to-release-4.6
9c86c823f Merge pull request #4665 from openshift-cherrypick-robot/cherry-pick-4602-to-release-4.6
~~~

[Parameters]

Using a default "install-config.yaml" but with AWS credentials attached to a custom Policy that denies "iam:ListAttachedRolePolicies":

~~~
$ aws iam get-account-authorization-details | grep -A2 "user/bz1964120"
USERDETAILLIST	arn:aws:iam::301721915996:user/bz1964120	2021-05-31T08:02:53Z	/	AIDAUMQAHCJOGKRGGCGZK	bz1964120
ATTACHEDMANAGEDPOLICIES	arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies	yunjiang-test-denyListAttachedRolePolicies
TAGS	bz	1964120

$ aws iam get-policy-version --policy-arn arn:aws:iam::301721915996:policy/yunjiang-test-denyListAttachedRolePolicies --version-id v1
POLICYVERSION	2021-03-10T09:45:00Z	True	v1
DOCUMENT	2012-10-17
STATEMENT	*	Allow	*	VisualEditor0
STATEMENT	iam:ListAttachedRolePolicies	Deny	*	VisualEditor1
~~~

[Results]

As expected, the installation aborts early, during the permissions check:

~~~
$ ./openshift-install create cluster --dir bz1964120/ --log-level debug
DEBUG OpenShift Installer 4.6.0-0.nightly-2021-05-31-074224 
DEBUG Built from commit 68ab13d26311a3e03854a00fd7cf5b1583ae9b69 
DEBUG Fetching Metadata...
...
INFO Credentials loaded from the "default" profile in file "/home/pamoedo/.aws/credentials"
...
DEBUG   Generating Platform Permissions Check...   
WARNING Action not allowed with tested creds          action="iam:ListAttachedRolePolicies"
WARNING Tested creds not able to perform all requested actions 
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation 
~~~

NOTE: The parameter is already present in the corresponding permissions document [1].

[1] - https://docs.openshift.com/container-platform/4.6/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
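The failure mode exercised above (a single explicit Deny on one required IAM action turning the whole pre-flight check red) can be reproduced offline. The installer's "Platform Permissions Check" asks IAM to evaluate every required action against the tested credentials and refuses to continue if any decision is not "allowed". The Go program below is an added example written for this page, not the installer's permissions.go or the cloud-credential-operator code it calls: the policy evaluator `Simulate` is a local stand-in for the IAM policy simulation API (it only models Action/Effect, ignoring Resource and Condition), the `Statement` and `EvaluationResult` types are assumptions that mirror the shape of that API's results, and `RequiredForDestroy` is a constructed three-action subset of the real destroy-time permission list.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// Statement is a minimal stand-in for one IAM policy statement.
// Assumption: only Action and Effect are modelled; Resource and
// Condition, which real IAM evaluates too, are ignored here.
type Statement struct {
	Effect  string   // "Allow" or "Deny"
	Actions []string // e.g. "iam:ListAttachedRolePolicies", "iam:*" or "*"
}

// EvaluationResult mirrors the shape of one entry returned by the IAM
// policy simulation API: the action tested and the decision for it.
type EvaluationResult struct {
	EvalActionName string
	EvalDecision   string // "allowed", "explicitDeny" or "implicitDeny"
}

// actionMatches implements IAM-style wildcard matching on action names:
// "*" and "iam:*" both match "iam:ListAttachedRolePolicies".
func actionMatches(pattern, action string) bool {
	if pattern == "*" {
		return true
	}
	if strings.HasSuffix(pattern, "*") {
		prefix := strings.ToLower(strings.TrimSuffix(pattern, "*"))
		return strings.HasPrefix(strings.ToLower(action), prefix)
	}
	return strings.EqualFold(pattern, action)
}

// Simulate is a local stand-in for the policy simulation call: an explicit
// Deny on an action beats any Allow, and an action that no statement allows
// is implicitly denied.
func Simulate(policy []Statement, actions []string) []EvaluationResult {
	out := make([]EvaluationResult, 0, len(actions))
	for _, a := range actions {
		decision := "implicitDeny"
		for _, s := range policy {
			for _, p := range s.Actions {
				if !actionMatches(p, a) {
					continue
				}
				if s.Effect == "Deny" {
					decision = "explicitDeny"
				} else if decision == "implicitDeny" {
					decision = "allowed"
				}
			}
		}
		out = append(out, EvaluationResult{EvalActionName: a, EvalDecision: decision})
	}
	return out
}

// MissingActions returns every tested action whose decision is not
// "allowed"; a non-empty result is what makes the installer abort.
func MissingActions(results []EvaluationResult) []string {
	var missing []string
	for _, r := range results {
		if r.EvalDecision != "allowed" {
			missing = append(missing, r.EvalActionName)
		}
	}
	sort.Strings(missing)
	return missing
}

// DenyListAttachedRolePolicies reproduces the QA test policy shown above:
// Allow everything, then explicitly Deny one action.
var DenyListAttachedRolePolicies = []Statement{
	{Effect: "Allow", Actions: []string{"*"}},
	{Effect: "Deny", Actions: []string{"iam:ListAttachedRolePolicies"}},
}

// RequiredForDestroy is a constructed subset of the destroy-time permissions;
// the complete list is in the installer and the linked documentation.
var RequiredForDestroy = []string{
	"iam:DeleteRole",
	"iam:ListAttachedRolePolicies",
	"iam:ListRolePolicies",
}

func main() {
	results := Simulate(DenyListAttachedRolePolicies, RequiredForDestroy)
	for _, a := range MissingActions(results) {
		fmt.Printf("WARNING Action not allowed with tested creds action=%q\n", a)
	}
}
```

Run as-is it prints one warning naming iam:ListAttachedRolePolicies, matching the installer log above; replacing the Deny statement with a broad `iam:*` Allow makes `MissingActions` return nothing. The point to take from the design is that the check is all-or-nothing: one explicit Deny, or one action simply absent from the Allow set, blocks the install even though the rest of the policy is wide open.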

Comment 7 errata-xmlrpc 2021-06-08 13:54:23 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.6.32 bug fix update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:2157

