Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: 4.15.z
Affects Version/s: 4.14.z, 4.15.z, 4.16
Component/s: Installer / openshift-installer
Labels:
None

Regression:
No
Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:

Hide
* Previously, the installation program required the `s3:HeadBucket` permission for AWS, even though it does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`. With this release, `s3:HeadBucket` is removed from the list of required permissions and only `s3:ListBucket` is required, as expected. (link:https://issues.redhat.com/browse/OCPBUGS-32690[*~~OCPBUGS-32690~~*])

Show
* Previously, the installation program required the `s3:HeadBucket` permission for AWS, even though it does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`. With this release, `s3:HeadBucket` is removed from the list of required permissions and only `s3:ListBucket` is required, as expected. (link: https://issues.redhat.com/browse/OCPBUGS-32690 [* OCPBUGS-32690 *])
Release Note Type:
Bug Fix
Release Note Status:
Done
Target Version:

4.15.z
Target Backport Versions:

4.14.z, 4.15.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-31813~~. The following is the description of the original issue:
—
Description of problem:

    Installer requires the `s3:HeadBucket` even though such permission does not exist. The correct permission for the `HeadBucket` action is `s3:ListBucket`

https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html

Version-Release number of selected component (if applicable):

    4.16

How reproducible:

    always

Steps to Reproduce:

    1. Install a cluster using a role with limited permissions
    2.
    3.

Actual results:

    level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1

Expected results:

    Installer should check only for s3:ListBucket

Additional info:

clones

OCPBUGS-31813 AWS: Installer requires nonexistent s3:HeadBucket permission

Closed

is blocked by

OCPBUGS-31813 AWS: Installer requires nonexistent s3:HeadBucket permission

Closed

links to

openshift/installer#8302: OCPBUGS-32690: AWS: bump CCO for permission fix

RHBA-2024:2664 OpenShift Container Platform 4.15.z bug fix update

Assignee:: Rafael Fonseca dos Santos

Reporter:: OpenShift Prow Bot

QA Contact:: Yunfei Jiang

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2024/04/22 10:40 PM

Updated:: 2024/06/06 8:28 AM

Resolved:: 2024/05/09 1:55 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates