OpenShift Bugs / OCPBUGS-11224

[IBMCloud] IBM Cloud Account IAM Policy doc missing ResourceGroup policy


    • OSDOCS Sprint 239, OSDOCS Sprint 240

      Description of problem:

      IPI documentation for IBM Cloud Account setup provides a table of required IAM Policies the Account requires in order to run IPI (more specifically ccoctl).
      
      However, it appears changes are required as a critical Policy is missing, perhaps after an IBM Cloud IAM Policy change.
      
      The documentation should be updated to note that the ResourceGroup IAM Admin Policy is now also needed, which is configured as part of the "Identity and Access Management" configuration, which the table does footnote is needed for ResourceGroup creation, but this ResourceGroup Admin Policy must be added now instead.

      Version-Release number of selected component (if applicable):

      4.12 (and likely 4.13 and beyond documentation pages)

      How reproducible:

      100%

      Steps to Reproduce:

      1. Set up a new IBM Cloud Account, or a new Service Id
      2. Follow the required steps for configuring the IAM Policies for the user or Service Id, per https://docs.openshift.com/container-platform/4.12/installing/installing_ibm_cloud_public/installing-ibm-cloud-account.html#installation-ibm-cloud-iam-policies-api-key_installing-ibm-cloud-account
      3. Follow the Configuring IAM steps: https://docs.openshift.com/container-platform/4.12/installing/installing_ibm_cloud_public/configuring-iam-ibm-cloud.html
      4. Attempt to create the cluster, performing the ccoctl steps: https://docs.openshift.com/container-platform/4.12/installing/installing_ibm_cloud_public/installing-ibm-cloud-customizations.html#manually-create-iam-ibm-cloud_installing-ibm-cloud-customizations
      5. ccoctl ibmcloud create-service-id will fail attempting to setup IAM Policies for one/more of the Service Ids, as the user/Service Id IC_API_KEY Account does not have permission to ResourceGroups

      Actual results:

      Failed to process the serviceID: Failed to create access policy with: {Attributes:[{Name:resourceType Value:resource-group Operator:}] Roles:[crn:v1:bluemix:public:iam::::role:Viewer]}: Failed to create policy: You are not allowed to create the requested policy.

      Expected results:

      Successfully create the Service Id and Secrets from the CredentialsRequests using ccoctl, via a user/Service Id with the documented IAM Policies

      Additional info:

      While I'm unsure what is different, existing accounts do not appear to be affected, but when new users, or new Service Ids, attempt to follow the documentation, it appears the required ResourceGroup Policy needs to be added explicitly. I'll attach a screenshot of the "Identity and Access Management" configuration, as mentioned in the docs, which needs to select the ResourceGroup Admin permissions as well.

              rhn-support-mpytlak Mike Pytlak (Inactive)
              cschaefe@redhat.com Christopher Schaefer
              May Xu
              Jeff Nowicki
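A preflight check for the failure reported above, as an added example that is not part of the original issue and is not ccoctl or OpenShift code: it reads the denied resource type out of the error text and tests whether an identity's directly assigned policies include the Administrator role on it. The policy JSON shape (subjects/roles/resources attribute lists), the `iam_id` and account values, and all function names are assumptions made for illustration; policies inherited through access groups are not considered.

```python
import re

ADMIN = "crn:v1:bluemix:public:iam::::role:Administrator"

# Error text as reported in this issue.
CCOCTL_ERROR = (
    "Failed to create access policy with: {Attributes:[{Name:resourceType "
    "Value:resource-group Operator:}] Roles:[crn:v1:bluemix:public:iam::::role:Viewer]}: "
    "Failed to create policy: You are not allowed to create the requested policy."
)

def _policy(iam_id, role, **resource):
    """Build one constructed access policy (assumed JSON shape, hypothetical values)."""
    return {
        "type": "access",
        "subjects": [{"attributes": [{"name": "iam_id", "value": iam_id}]}],
        "roles": [{"role_id": role}],
        "resources": [{"attributes": [{"name": k, "value": v} for k, v in resource.items()]}],
    }

# Constructed sample: "installer" follows only the service-level policies,
# "fixed" also has the resource-group Administrator policy this issue asks for.
SAMPLE = [
    _policy("iam-ServiceId-installer", ADMIN, accountId="acct", serviceName="is"),
    _policy("iam-ServiceId-fixed", ADMIN, accountId="acct", serviceName="is"),
    _policy("iam-ServiceId-fixed", ADMIN, accountId="acct", resourceType="resource-group"),
]

def denied_target(error):
    """Return the (attribute name, value) the rejected policy was scoped to, or None."""
    m = re.search(r"Name:(\w+) Value:([\w-]+)", error)
    return (m.group(1), m.group(2)) if m else None

def _attrs(entries):
    """Flatten a list of {"attributes": [...]} objects into a name -> value dict."""
    return {a["name"]: a["value"] for e in entries for a in e.get("attributes", [])}

def can_grant_on(policies, iam_id, target):
    """True if iam_id directly holds Administrator on the target resource attribute."""
    name, value = target
    for p in policies:
        if p.get("type") != "access" or _attrs(p.get("subjects", [])).get("iam_id") != iam_id:
            continue
        roles = {r.get("role_id") for r in p.get("roles", [])}
        if ADMIN in roles and _attrs(p.get("resources", [])).get(name) == value:
            return True
    return False
```

Running the check against the identity behind IC_API_KEY before `ccoctl ibmcloud create-service-id` surfaces the missing resource-group policy without creating any Service Ids.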