-
Bug
-
Resolution: Done-Errata
-
Normal
-
4.14.z, 4.15.z, 4.16.0
-
None
-
No
-
False
-
-
-
Bug Fix
-
Done
This is a clone of issue OCPBUGS-31678. The following is the description of the original issue:
—
Description of problem:
The code requires the `s3:HeadObject` permission (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/utils.go#L57) but it doesn't exist. The AWS docs say the permission needed is `s3:ListBucket`: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
Version-Release number of selected component (if applicable):
4.16
How reproducible:
always
Steps to Reproduce:
1. Try to install cluster with minimal permissions without s3:HeadBucket 2. 3.
Actual results:
level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy level=warning msg=Tested creds not able to perform all requested actions level=warning msg=Action not allowed with tested creds action=s3:HeadBucket level=warning msg=Tested creds not able to perform all requested actions level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is Installer exit with code 1
Expected results:
Only `s3:ListBucket` should be checked.
Additional info:
- clones
-
OCPBUGS-31678 [aws] s3:HeadBucket permission does not exist
- Closed
- is blocked by
-
OCPBUGS-31678 [aws] s3:HeadBucket permission does not exist
- Closed
- links to
-
RHBA-2024:2068 OpenShift Container Platform 4.15.z bug fix update