OCPBUGS-31017

ec2:DisassociateAddress is required for 4.16 AWS OCP installation

    • What: `ec2:DisassociateAddress` and `ec2:DescribePublicIpv4Pools` are required permissions when deploying a cluster with the publicIPv4Pool feature enabled.
      Fix: added `ec2:DisassociateAddress` and `ec2:DescribePublicIpv4Pools` to the list of required permissions when publicIPv4Pool is enabled.
    • Release Note Not Required
    • In Progress

      Document URL: 

      [1] https://docs.openshift.com/container-platform/4.15/installing/installing_aws/installing-aws-account.html#installation-aws-permissions_installing-aws-account
      

      Section Number and Name: 

      * Required EC2 permissions for installation
      

      Description of problem:

      The permission ec2:DisassociateAddress is required for OCP 4.16+ install, but it's missing from the official doc [1] - we would like to understand why/if this permission is necessary.
      
      level=info msg=Destroying the bootstrap resources...
      ...
      level=error msg=Error: disassociating EC2 EIP (eipassoc-01e8cc3f06f2c2499): UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::301721915996:user/ci-op-0xjvtwb0-4e979-minimal-perm is not authorized to perform: ec2:DisassociateAddress on resource: arn:aws:ec2:us-east-1:301721915996:elastic-ip/eipalloc-0274201623d8569af because no identity-based policy allows the ec2:DisassociateAddress action. 

      Version-Release number of selected component (if applicable):

      4.16.0-0.nightly-2024-03-13-061822
          

      How reproducible:

      Always
          

      Steps to Reproduce:

          1. Create OCP cluster with permissions listed in the official doc.

      Actual results:

      See description. 
          

      Expected results:

      Cluster is created successfully.
          

      Suggestions for improvement:

      Add ec2:DisassociateAddress to `Required EC2 permissions for installation` in [1]
      

      Additional info:

      This impacts the permission list in ROSA Installer-Role as well.
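As an added example (not code from this bug, the installer, or the docs), a small Python preflight that checks an IAM identity policy for the two actions the report names before running the installer. The sample policy and its action list are constructed for illustration; the full required list lives in doc [1].

```python
# Added example (not the OpenShift installer's own code): lint an IAM identity
# policy for the EC2 actions this bug says the installer needs when a public
# IPv4 pool is used. Only the two actions named in the bug are listed here.
import fnmatch

REQUIRED_PUBLIC_IPV4_POOL_ACTIONS = ("ec2:DisassociateAddress", "ec2:DescribePublicIpv4Pools")


def _as_list(value):
    """IAM allows Statement/Action/NotAction to be a single value or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _covers(statement, action):
    """True if the statement's Action/NotAction reaches `action` (wildcards, case-insensitive)."""
    def match(patterns):
        return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in _as_list(patterns))
    if "Action" in statement:
        return match(statement["Action"])
    return "NotAction" in statement and not match(statement["NotAction"])


def missing_actions(policy, required=REQUIRED_PUBLIC_IPV4_POOL_ACTIONS):
    """Required actions the policy does not grant: an explicit Deny beats Allow,
    no matching statement is an implicit deny. Resource and Condition are ignored,
    so a clean result is necessary for the install but not sufficient."""
    missing = []
    for action in required:
        effects = {s.get("Effect") for s in _as_list(policy.get("Statement")) if _covers(s, action)}
        if "Deny" in effects or "Allow" not in effects:
            missing.append(action)
    return missing


# Constructed sample: Elastic IP actions a minimal-permission user might already
# hold, without ec2:DisassociateAddress (the action the install log complains about).
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:AllocateAddress", "ec2:AssociateAddress", "ec2:ReleaseAddress", "ec2:Describe*"]},
    ],
}

if __name__ == "__main__":
    print("missing:", missing_actions(SAMPLE_POLICY))  # prints ['ec2:DisassociateAddress']
```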
          

            rdossant Rafael Fonseca dos Santos
            yunjiang-1 Yunfei Jiang
            Yunfei Jiang Yunfei Jiang