s3:GetBucketPolicy is required for installing a cluster, but it's missing in permissions.go [1]. Without this permission, creating a cluster will fail:

```
[2022-07-21T04:39:41.379Z] level=debug msg=  with aws_s3_bucket_object.ignition,
[2022-07-21T04:39:41.379Z] level=debug msg=  on main.tf line 56, in resource "aws_s3_bucket_object" "ignition":
[2022-07-21T04:39:41.379Z] level=debug msg=  56:   bucket = aws_s3_bucket.ignition.id
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=Use the aws_s3_object resource instead
[2022-07-21T04:39:41.379Z] level=debug
[2022-07-21T04:39:41.379Z] level=debug msg=(and 3 more similar warnings elsewhere)
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg=  status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=  with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg=  on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.379Z] level=error msg=  35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failure applying terraform for "bootstrap" stage: failed to create cluster: failed to apply Terraform: exit status 1
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=Error: error getting S3 bucket (yunjiang-21ipi-hw9gq-bootstrap) policy: AccessDenied: Access Denied
[2022-07-21T04:39:41.379Z] level=error msg=  status code: 403, request id: 37NVV0BFV7QWB3ZE, host id: YuHOinIGUJys/unul/NzxgGWcUJpZnPralrFoO1BQ6vxhhPzY+3s60dyAgWayHedfqnP60c90NM=
[2022-07-21T04:39:41.379Z] level=error
[2022-07-21T04:39:41.379Z] level=error msg=  with aws_s3_bucket.ignition,
[2022-07-21T04:39:41.379Z] level=error msg=  on main.tf line 35, in resource "aws_s3_bucket" "ignition":
[2022-07-21T04:39:41.380Z] level=error msg=  35: resource "aws_s3_bucket" "ignition" {
[2022-07-21T04:39:41.380Z] level=error
[2022-07-21T04:39:41.380Z] level=error
```

[1] https://github.com/openshift/installer/blob/release-4.11/pkg/asset/installconfig/aws/permissions.go

OCP version: 4.11.0-rc.4-x86_64

Suggestion: Add s3:GetBucketPolicy to the permission checklist and raise an error before the installation actually begins.
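An added example (not installer code) of the kind of pre-flight check the suggestion calls for, written in Go: a required-action list is evaluated against an IAM policy's Allow/Deny statements with IAM-style wildcard matching, and any action not granted is reported before anything is created. Statement, Allowed and MissingActions are hypothetical names; Resource and Condition elements are ignored, and the policy and action lists are constructed samples.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Statement is a simplified IAM statement: Resource and Condition are ignored.
type Statement struct {
	Effect  string   // "Allow" or "Deny"
	Actions []string // exact names or IAM wildcards such as "s3:Get*"
}

// Allowed follows IAM's evaluation order for one action: an explicit Deny wins, any
// Allow grants it, otherwise it is implicitly denied. Names compare case-insensitively.
func Allowed(policy []Statement, action string) bool {
	allowed := false
	for _, st := range policy {
		for _, pat := range st.Actions {
			if ok, err := path.Match(strings.ToLower(pat), strings.ToLower(action)); err != nil || !ok {
				continue
			}
			if strings.EqualFold(st.Effect, "Deny") {
				return false // an explicit Deny overrides every Allow
			}
			allowed = true
		}
	}
	return allowed
}

// MissingActions returns, in required's order, the actions the policy does not grant.
func MissingActions(policy []Statement, required []string) []string {
	var missing []string
	for _, a := range required {
		if !Allowed(policy, a) {
			missing = append(missing, a)
		}
	}
	return missing
}

func main() {
	// Constructed sample: S3 actions the installer needs, incl. s3:GetBucketPolicy as the report suggests.
	required := []string{"s3:CreateBucket", "s3:PutObject", "s3:GetBucketPolicy"}
	// Constructed policy reproducing the gap: s3:GetBucketPolicyStatus is granted, s3:GetBucketPolicy is not.
	policy := []Statement{{Effect: "Allow", Actions: []string{"s3:CreateBucket", "s3:PutObject", "s3:GetBucketPolicyStatus"}}}
	fmt.Println("Action not allowed with tested creds:", MissingActions(policy, required)) // [s3:GetBucketPolicy]
}
```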
Verified. PASS.

OCP version: 4.12.0-0.nightly-2022-07-27-133042

```
INFO Credentials loaded from the "de" profile in file "/home/cloud-user/.aws/credentials"
INFO Consuming Install Config from target directory
WARNING Action not allowed with tested creds action=s3:GetBucketPolicy
WARNING Tested creds not able to perform all requested actions
FATAL failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: current credentials insufficient for performing cluster installation
```
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:7399