Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.16.z
Affects Version/s: 4.14.z, 4.15.z, 4.16.z
Component/s: Installer / openshift-installer
Labels:
None

Regression:
No
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the installation program required a non-existent permission `s3:HeadBucket` when installing a cluster on AWS. With this update, the installation program correctly requires the permission `s3:ListBucket` instead. (link:https://issues.redhat.com/browse/OCPBUGS-31813[*~~OCPBUGS-31813~~*])

Show
* Previously, the installation program required a non-existent permission `s3:HeadBucket` when installing a cluster on AWS. With this update, the installation program correctly requires the permission `s3:ListBucket` instead. (link: https://issues.redhat.com/browse/OCPBUGS-31813 [* OCPBUGS-31813 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.16.0
Target Backport Versions:

4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

    Installer requires the `s3:HeadBucket` even though such permission does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`

https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    always

Steps to Reproduce:

    1. Install a cluster using a role with limited permissions
    2.
    3.

Actual results:

    level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1

Expected results:

    Installer should check only for s3:ListBucket

Additional info:

blocks

OCPBUGS-32690 AWS: Installer requires nonexistent s3:HeadBucket permission

Closed

depends on

OCPBUGS-31678 [aws] s3:HeadBucket permission does not exist

Closed

is cloned by

OCPBUGS-32690 AWS: Installer requires nonexistent s3:HeadBucket permission

Closed

is documented by

OCPBUGS-31819 Document an RN known issue that requests a non-existent AWS s3:HeadBucket perm

Closed

relates to

OCPBUGS-26016 [enterprise-4.14] Issue in file installing/installing_aws/installing-aws-user-infra.adoc

Closed

links to

openshift/installer#8233: OCPBUGS-31813: AWS: bump CCO for permission fix

RHEA-2024:0041 OpenShift Container Platform 4.16.z bug fix update

(2 links to)

Assignee:: Rafael Fonseca dos Santos

Reporter:: Rafael Fonseca dos Santos

QA Contact:: Yunfei Jiang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/04/05 1:09 PM

Updated:: 2024/06/27 11:42 AM

Resolved:: 2024/06/27 11:42 AM

Details

Description

Attachments

Issue Links

Activity

People

Dates