Bug
Resolution: Done-Errata
Normal
4.16
Document URL:
[1] https://docs.openshift.com/container-platform/4.15/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
Section Number and Name:
* Required EC2 permissions for installation
Description of problem:
The permission ec2:DisassociateAddress is required for OCP 4.16+ install, but it's missing from the official doc [1] - we would like to understand why/if this permission is necessary.

level=info msg=Destroying the bootstrap resources...
...
level=error msg=Error: disassociating EC2 EIP (eipassoc-01e8cc3f06f2c2499): UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::301721915996:user/ci-op-0xjvtwb0-4e979-minimal-perm is not authorized to perform: ec2:DisassociateAddress on resource: arn:aws:ec2:us-east-1:301721915996:elastic-ip/eipalloc-0274201623d8569af because no identity-based policy allows the ec2:DisassociateAddress action.
Version-Release number of selected component (if applicable):
4.16.0-0.nightly-2024-03-13-061822
How reproducible:
Always
Steps to Reproduce:
1. Create OCP cluster with permissions listed in the official doc.
Actual results:
See description.
Expected results:
Cluster is created successfully.
Suggestions for improvement:
Add ec2:DisassociateAddress to `Required EC2 permissions for installation` in [1]
Additional info:
This impacts the permission list in ROSA Installer-Role as well.
- is related to: CORS-2830 Provision AWS Infrastructure with SDK (Closed)
- links to: RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update
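Added example, not part of the original report or of the installer's code: a small checker that pulls denied IAM actions out of installer log text in the format quoted in the description and compares them with a policy document. The function names and `SAMPLE_POLICY` are assumptions made for illustration; the policy is constructed and is not the documented permission list, and the matching is simplified to Allow statements and Action patterns only.

```python
import fnmatch
import re

# Shape of the AWS UnauthorizedOperation message quoted in the report.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)
# Log excerpt taken from the report's description, re-wrapped for readability.
SAMPLE_LOG = (
    "level=info msg=Destroying the bootstrap resources...\n"
    "level=error msg=Error: disassociating EC2 EIP (eipassoc-01e8cc3f06f2c2499): "
    "UnauthorizedOperation: You are not authorized to perform this operation. "
    "User: arn:aws:iam::301721915996:user/ci-op-0xjvtwb0-4e979-minimal-perm "
    "is not authorized to perform: ec2:DisassociateAddress on resource: "
    "arn:aws:ec2:us-east-1:301721915996:elastic-ip/eipalloc-0274201623d8569af "
    "because no identity-based policy allows the ec2:DisassociateAddress action.\n"
)
# Constructed policy for illustration only (assumption, not the documented list).
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": "*",
    "Action": ["ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:ReleaseAddress"],
}]}

def _as_list(value):
    # IAM allows Statement and Action to be a single item or a list.
    return value if isinstance(value, list) else [value]

def denied_actions(log_text):
    """Return sorted unique (action, resource) pairs denied in the log text."""
    return sorted({(m["action"], m["resource"]) for m in DENIED.finditer(log_text)})

def allowed_by_policy(policy, action):
    """True if any Allow statement's Action pattern matches, case-insensitively.
    Simplified: ignores Resource, Condition, NotAction and explicit Deny."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                return True
    return False

def missing_permissions(log_text, policy):
    """Actions the log shows as denied that the policy does not allow."""
    return sorted({a for a, _ in denied_actions(log_text)
                   if not allowed_by_policy(policy, a)})
```

Running `missing_permissions` over a full installer log against the policy attached to the install user lists every action to compare with the documented permission set.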