- Bug
- Resolution: Done-Errata
- Normal
- 4.15
- None
- No
- False
- Bug Fix
- In Progress
This is a clone of issue OCPBUGS-25440. The following is the description of the original issue:
—
Description of problem:
iam:TagInstanceProfile is not listed in official document [1], IPI install would fail if iam:TagInstanceProfile permission is missing

level=error msg=Error: creating IAM Instance Profile (ci-op-4hw2rz1v-49c30-zt9vx-worker-profile): AccessDenied: User: arn:aws:iam::301721915996:user/ci-op-4hw2rz1v-49c30-minimal-perm is not authorized to perform: iam:TagInstanceProfile on resource: arn:aws:iam::301721915996:instance-profile/ci-op-4hw2rz1v-49c30-zt9vx-worker-profile because no identity-based policy allows the iam:TagInstanceProfile action
level=error msg= status code: 403, request id: bb0641f5-d01c-4538-b333-261a804ddb59

[1] https://docs.openshift.com/container-platform/4.14/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
Version-Release number of selected component (if applicable):
4.15.0-0.nightly-2023-12-14-115151
How reproducible:
Always
Steps to Reproduce:
1. install a common IPI cluster with minimal permission provided in official document
Actual results:
Install failed.
Expected results:
Additional info:
install does a precheck for iam:TagInstanceProfile
- clones: OCPBUGS-25440 [AWS] iam:TagInstanceProfile permission is required for ipi install (Closed)
- is blocked by: OCPBUGS-25440 [AWS] iam:TagInstanceProfile permission is required for ipi install (Closed)
- links to: RHSA-2023:7198 OpenShift Container Platform 4.15 security update
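The failure reported above comes from an identity-based policy that allows creating the instance profile but not tagging it. As an added example (not the installer's own precheck and not code from this ticket), the following offline check evaluates a policy document against a list of required actions. The sample policy and the two-item required list are constructed, and the check assumes Resource, Condition, permission boundaries and SCPs can be ignored.

```python
import json
import re

# Constructed subset of required actions; only iam:TagInstanceProfile is named by the ticket.
REQUIRED = ["iam:CreateInstanceProfile", "iam:TagInstanceProfile"]

# Constructed sample policy: allows creating an instance profile but not tagging it.
SAMPLE_POLICY = json.loads("""
{"Version": "2012-10-17",
 "Statement": [
   {"Effect": "Allow", "Resource": "*",
    "Action": ["iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:Get*"]},
   {"Effect": "Deny", "Resource": "*", "Action": "iam:DeleteInstanceProfile"}
 ]}
""")

def _as_list(value):
    # Policy JSON allows a single value wherever a list is accepted.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(pattern, action):
    # IAM action names are case-insensitive; '*' and '?' are the only wildcards.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def statement_covers(stmt, action):
    # NotAction covers every action except the ones it lists.
    if "NotAction" in stmt:
        return not any(_matches(p, action) for p in _as_list(stmt["NotAction"]))
    return any(_matches(p, action) for p in _as_list(stmt.get("Action")))

def missing_actions(policy, required):
    """Return the required actions the policy does not allow (explicit Deny wins).
    Assumption: Resource and Condition are ignored, so any matching Deny blocks."""
    statements = _as_list(policy.get("Statement"))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and statement_covers(s, action)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and statement_covers(s, action)
                     for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY, REQUIRED))
```

Running the same check over the permission list published in the documentation before an install attempt surfaces a gap like this one without creating any AWS resources.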