OpenShift Bugs / OCPBUGS-31924

[aws] s3:HeadBucket permission does not exist


    • Type: Bug
    • Resolution: Done-Errata
    • Priority: Normal
    • Affects Version/s: 4.15.z
    • Fix Version/s: 4.14.z, 4.15.z, 4.16.0
    • Release Note Text: * Previously, the Cloud Credential Operator (CCO) checked for a non-existent `s3:HeadBucket` permission during the validation checks in mint mode that resulted in a failed cluster installation. With this release, CCO removes the validation check for this non-existing permission so that validation checks pass in mint mode and the cluster installation does not fail. (link: https://issues.redhat.com/browse/OCPBUGS-31924[*OCPBUGS-31924*])
    • Release Note Type: Bug Fix
    • Done

      This is a clone of issue OCPBUGS-31678. The following is the description of the original issue:

      Description of problem:

          The code requires the `s3:HeadObject` permission (https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/utils.go#L57) but it doesn't exist. The AWS docs say the permission needed is `s3:ListBucket`: https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html
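The failure mode in this report is worth seeing in code: a permission checker that includes an action name IAM does not know about can never be satisfied, however generous the user's policy is, and the resulting "Action not allowed" message points the operator at the wrong thing (their policy) instead of the right thing (the checker's requirements list). The following is an added example, not code from the cloud-credential-operator or from the installer. It is a simplified, offline IAM policy evaluator (only `Effect` and `Action` are modelled; `Resource`, `Condition` and `NotAction` are ignored by assumption) that applies IAM's Deny-overrides-Allow rule with `*`/`?` wildcard matching, and checks each required action against a constructed, partial list of real S3 actions so that a non-existent name such as `s3:HeadBucket` is reported as an unknown action rather than as a missing grant. The `Statement`, `Evaluate` and `MissingActions` names and the sample policy are all constructed for this example.

```go
package main

import (
	"fmt"
	"path"
	"strings"
)

// Statement is the subset of an IAM policy statement this check models.
// Resource, Condition and NotAction are ignored (assumption for the example).
type Statement struct {
	Effect  string   // "Allow" or "Deny"
	Actions []string // action patterns such as "s3:ListBucket" or "s3:Get*"
}

// Verdict separates a real denial from a requirement that can never be met
// because the action name is not one IAM knows about.
type Verdict int

const (
	Allowed Verdict = iota
	Denied
	UnknownAction
)

func (v Verdict) String() string {
	switch v {
	case Allowed:
		return "allowed"
	case Denied:
		return "denied"
	default:
		return "unknown action (not a real IAM permission)"
	}
}

// knownS3Actions is a constructed, deliberately partial list of real S3 IAM
// actions (lower-cased; IAM action names are case-insensitive). It stands in
// for the authoritative service reference so the check can tell "not granted"
// from "not a real action". s3:HeadBucket is absent on purpose: the HeadBucket
// API is authorised by s3:ListBucket, per the AWS HeadBucket API reference.
var knownS3Actions = map[string]bool{
	"s3:listbucket":        true,
	"s3:listallmybuckets":  true,
	"s3:getbucketlocation": true,
	"s3:createbucket":      true,
	"s3:deletebucket":      true,
	"s3:getobject":         true,
	"s3:putobject":         true,
	"s3:deleteobject":      true,
}

// matches applies IAM-style wildcard matching ('*' and '?') to an action name.
// path.Match is suitable because action names never contain '/'.
func matches(pattern, action string) bool {
	ok, err := path.Match(strings.ToLower(pattern), strings.ToLower(action))
	return err == nil && ok
}

// Evaluate applies the basic IAM rule: an explicit Deny overrides any Allow,
// and an action matched by no Allow is implicitly denied. An action name that
// is not a real permission is reported as such before any policy is consulted.
func Evaluate(stmts []Statement, action string) Verdict {
	if !knownS3Actions[strings.ToLower(action)] {
		return UnknownAction
	}
	allowed := false
	for _, s := range stmts {
		for _, pat := range s.Actions {
			if !matches(pat, action) {
				continue
			}
			if strings.EqualFold(s.Effect, "Deny") {
				return Denied
			}
			if strings.EqualFold(s.Effect, "Allow") {
				allowed = true
			}
		}
	}
	if allowed {
		return Allowed
	}
	return Denied
}

// MissingActions returns every required action the policy does not grant,
// with its verdict, so a non-existent action in the requirements list shows
// up as a bug in the checker rather than as a gap in the user's policy.
func MissingActions(stmts []Statement, required []string) map[string]Verdict {
	missing := map[string]Verdict{}
	for _, a := range required {
		if v := Evaluate(stmts, a); v != Allowed {
			missing[a] = v
		}
	}
	return missing
}

func main() {
	// Constructed minimal-permission policy of the kind a mint-mode install uses.
	policy := []Statement{
		{Effect: "Allow", Actions: []string{"s3:ListBucket", "s3:Get*", "s3:PutObject"}},
	}
	// Constructed requirements list containing the faulty s3:HeadBucket entry.
	required := []string{"s3:ListBucket", "s3:GetObject", "s3:HeadBucket", "s3:DeleteBucket"}
	for action, v := range MissingActions(policy, required) {
		fmt.Printf("%-16s %s\n", action, v)
	}
}
```

Run with `go run .`: `s3:DeleteBucket` is reported as denied (a genuine gap in the constructed policy), while `s3:HeadBucket` is reported as an unknown action, which is the condition a permissions checker should treat as its own defect. In a real checker the constructed action list would be replaced by the service's published action reference.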

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          always

      Steps to Reproduce:

          1. Try to install a cluster with minimal permissions, without s3:HeadBucket.

      Actual results:

      level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
      level=warning msg=Tested creds not able to perform all requested actions
      level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
      level=warning msg=Tested creds not able to perform all requested actions
      level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
      Installer exit with code 1

      Expected results:

          Only `s3:ListBucket` should be checked.

      Additional info:

          

            jstuever@redhat.com Jeremiah Stuever
            openshift-crt-jira-prow OpenShift Prow Bot
            Jianping Shu Jianping Shu