Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-32690

AWS: Installer requires nonexistent s3:HeadBucket permission

XMLWordPrintable

    • No
    • False
    • Hide

      None

      Show
      None
    • Hide
      What: Installer erroneously required the `s3:HeadBucket` permission even though it does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`
      Fix: removed `s3:HeadBucket` from the list of required permissions.
      Result: only `s3:ListBucket` is required, as expected.

      Docs are being updated via https://issues.redhat.com/browse/OCPBUGS-26016
      Show
      What: Installer erroneously required the `s3:HeadBucket` permission even though it does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket` Fix: removed `s3:HeadBucket` from the list of required permissions. Result: only `s3:ListBucket` is required, as expected. Docs are being updated via https://issues.redhat.com/browse/OCPBUGS-26016
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-31813. The following is the description of the original issue:

      Description of problem:

          Installer requires the `s3:HeadBucket` even though such permission does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`

https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html

      Version-Release number of selected component (if applicable):

          4.16

      How reproducible:

          always

      Steps to Reproduce:

          1. Install a cluster using a role with limited permissions
    2.
    3.

      Actual results:

          level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1

      Expected results:

          Installer should check only for s3:ListBucket

      Additional info:

            rdossant Rafael Fonseca dos Santos
            openshift-crt-jira-prow OpenShift Prow Bot
            Yunfei Jiang Yunfei Jiang
            Votes:
            0 Vote for this issue
            Watchers:
            6 Start watching this issue

              Created:
              Updated: