
[AWS] iam:TagInstanceProfile permission is required for ipi install

      * Previously, the required `iam:TagInstanceProfile` permission would not be validated before an IPI installation, causing an installation to fail if the IAM permission was missing. With this update, a validation check ensures that the permission is included before the installation begins. (link:https://issues.redhat.com/browse/OCPBUGS-25440[*OCPBUGS-25440*])
    • Bug Fix
    • Done

      Description of problem:

      iam:TagInstanceProfile is not listed in the official document [1]; an IPI install would fail if the iam:TagInstanceProfile permission is missing.
      
      level=error msg=Error: creating IAM Instance Profile (ci-op-4hw2rz1v-49c30-zt9vx-worker-profile): AccessDenied: User: arn:aws:iam::301721915996:user/ci-op-4hw2rz1v-49c30-minimal-perm is not authorized to perform: iam:TagInstanceProfile on resource: arn:aws:iam::301721915996:instance-profile/ci-op-4hw2rz1v-49c30-zt9vx-worker-profile because no identity-based policy allows the iam:TagInstanceProfile action
      level=error msg=    status code: 403, request id: bb0641f5-d01c-4538-b333-261a804ddb59
      
      [1] https://docs.openshift.com/container-platform/4.14/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
      
          

      Version-Release number of selected component (if applicable):

      4.15.0-0.nightly-2023-12-14-115151
          

      How reproducible:

      Always
          

      Steps to Reproduce:

          1. Install a common IPI cluster with the minimal permissions provided in the official document
          

      Actual results:

      Install failed.
          

      Expected results:

      
          

      Additional info:

      install does a precheck for iam:TagInstanceProfile
          

            rdossant Rafael Fonseca dos Santos
            yunjiang-1 Yunfei Jiang
            Yunfei Jiang Yunfei Jiang