Bug 2109388 - [AWS] s3 GetBucketPolicy permission is missing in installer validation
Summary: [AWS] s3 GetBucketPolicy permission is missing in installer validation
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.11
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: urgent
Target Milestone: ---
Target Release: 4.12.0
Assignee: Brent Barbachem
QA Contact: Yunfei Jiang
Docs Contact: Mike Pytlak
URL:
Whiteboard:
Depends On:
Blocks: 2117368
Reported: 2022-07-21 06:17 UTC by Yunfei Jiang
Modified: 2023-01-17 19:53 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
* Previously, installing a cluster on Amazon Web Services started and then failed when the IAM administrative user was not assigned the `s3:GetBucketPolicy` permission. This update adds this policy to checklist that the installation program uses to ensure that all of the required permissions are assigned. As a result, the installation program now stops the installation with a warning that the IAM administrative user is missing the `s3:GetBucketPolicy` permission. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2109388[*BZ#2109388*])
Clone Of:
Environment:
Last Closed: 2023-01-17 19:53:06 UTC
Target Upstream Version:
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 6150 0 None open BUG 2109388: Add AWS S3 Bucket Permissions 2022-07-21 14:32:35 UTC
Red Hat Product Errata RHSA-2022:7399 0 None None None 2023-01-17 19:53:30 UTC

Description Yunfei Jiang 2022-07-21 06:17:23 UTC
s3:GetBucketPolicy is required for installing a cluster, but it’s missing in permissions.go [1]

Without this permission, creating a cluster will fail:
```
[2022-07-21T04:39:41.379Z] level=debug msg=  with aws_s3_bucket_object.ignition,
[2022-07-21T04:39:41.379Z] level=debug msg=  on main.tf line 56, in resource "aws_s3_bucket_object" "ignition":
[2022-07-21T04:39:41.379Z] level=debug msg=  56:   bucket = aws_s3_bucket.ignition.id
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=Use the aws_s3_object resource instead
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=(and 3 more similar warnings elsewhere)
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg=	status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=  with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg=  on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.379Z] level=error msg=  35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failure applying terraform for "bootstrap" stage: failed to create cluster: failed to apply Terraform: exit status 1
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg=	status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=  with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg=  on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.380Z] level=error msg=  35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.380Z] level=error
[2022-07-21T04:39:41.380Z] level=error
```
[1] https://github.com/openshift/installer/blob/release-4.11/pkg/asset/installconfig/aws/permissions.go

OCP version:
4.11.0-rc.4-x86_64

Suggestion:
Add s3:GetBucketPolicy to the permission checklist and raise an error before the installation actually begins.

Comment 2 Yunfei Jiang 2022-07-29 07:22:07 UTC
verified. PASS.

OCP version: 4.12.0-0.nightly-2022-07-27-133042

INFO Credentials loaded from the "de" profile in file "/home/cloud-user/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds          action=s3:GetBucketPolicy
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
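The pre-flight check the reporter asks for in the Description, and whose output Comment 2 shows (one WARNING per disallowed action, then a FATAL before any resources are created), amounts to evaluating a required-action checklist against the credentials' effective policy. The example below is added here to illustrate that logic; it is not the installer's code. It assumes a locally supplied IAM policy document and evaluates it with IAM's own rules (wildcards in action names, case-insensitive matching, explicit Deny beating Allow, default deny), whereas the real installer asks AWS to evaluate the principal's policies. `SamplePolicy` and `SampleRequired` are constructed inputs, not the list in permissions.go.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"sort"
	"strings"
)

// policyDocument is the subset of an IAM policy document this example inspects.
type policyDocument struct {
	Statement []statement `json:"Statement"`
}

// statement carries Effect and Action; "Action" may be a single string or a list.
type statement struct {
	Effect string     `json:"Effect"`
	Action actionList `json:"Action"`
}

// actionList accepts both JSON forms of "Action".
type actionList []string

func (a *actionList) UnmarshalJSON(b []byte) error {
	var one string
	if err := json.Unmarshal(b, &one); err == nil {
		*a = actionList{one}
		return nil
	}
	var many []string
	if err := json.Unmarshal(b, &many); err != nil {
		return err
	}
	*a = actionList(many)
	return nil
}

// actionMatches reports whether an IAM action pattern (wildcards * and ?) covers
// the requested action. Action names are case-insensitive and contain no '/',
// so path.Match's separator rule never interferes.
func actionMatches(pattern, action string) (bool, error) {
	return path.Match(strings.ToLower(pattern), strings.ToLower(action))
}

// MissingActions evaluates a policy document against the actions the installer
// needs and returns, sorted, those the credentials cannot perform. IAM rules
// apply: an explicit Deny wins over any Allow, and an action no statement allows
// is denied by default.
func MissingActions(policyJSON string, required []string) ([]string, error) {
	var doc policyDocument
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return nil, fmt.Errorf("parsing policy: %w", err)
	}
	var missing []string
	for _, want := range required {
		allowed, denied := false, false
		for _, st := range doc.Statement {
			for _, pat := range st.Action {
				ok, err := actionMatches(pat, want)
				if err != nil {
					return nil, fmt.Errorf("bad action pattern %q: %w", pat, err)
				}
				if !ok {
					continue
				}
				switch strings.ToLower(st.Effect) {
				case "allow":
					allowed = true
				case "deny":
					denied = true
				}
			}
		}
		if denied || !allowed {
			missing = append(missing, want)
		}
	}
	sort.Strings(missing)
	return missing, nil
}

// SamplePolicy is a constructed policy: s3:* is allowed but s3:GetBucketPolicy is
// explicitly denied, and nothing grants iam:PassRole.
const SamplePolicy = `{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["s3:*", "ec2:RunInstances"], "Resource": "*"},
    {"Effect": "Deny",  "Action": "s3:GetBucketPolicy", "Resource": "*"}
  ]
}`

// SampleRequired is a constructed, shortened stand-in for the installer's real
// checklist in permissions.go; it is not that list.
var SampleRequired = []string{"ec2:RunInstances", "iam:PassRole", "s3:CreateBucket", "s3:GetBucketPolicy"}

func main() {
	missing, err := MissingActions(SamplePolicy, SampleRequired)
	if err != nil {
		fmt.Println("FATAL", err)
		return
	}
	for _, a := range missing {
		fmt.Printf("WARNING Action not allowed with tested creds  action=%s\n", a)
	}
	if len(missing) > 0 {
		fmt.Println("FATAL current credentials insufficient for performing cluster installation")
	}
}
```

Running it reports iam:PassRole (never granted) and s3:GetBucketPolicy (granted by the wildcard, then explicitly denied) and stops, which is the behaviour the fix gives the installer: the missing permission surfaces before Terraform creates the bootstrap bucket rather than as a 403 part-way through.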

Comment 5 errata-xmlrpc 2023-01-17 19:53:06 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399

