OpenShift Bugs / OCPBUGS-33926

[capi aws] failed to create IAM roles in ROSA


    • Critical
    • No
    • 1
    • OCM-QE-Sprint255
    • 1
    • Approved
    • False


    • N/A
    • Release Note Not Required
    • In Progress

      Description of problem:

      IAM role creation fails during the creation of a 4.16 cluster using the nightly build (--channel-group nightly --version 4.16.0-0.nightly-2024-05-19-235324) with the following command:

      rosa create cluster --cluster-name $CLUSTER_NAME --sts --mode auto --machine-cidr --compute-machine-type m6a.xlarge --region $REGION --oidc-config-id $OIDC_ID --channel-group nightly --version 4.16.0-0.nightly-2024-05-19-235324 --ec2-metadata-http-tokens optional --replicas 2 --service-cidr --pod-cidr --host-prefix 23 -y

      How reproducible:

      1. Run the command provided above to create a cluster.
      2. Observe the error during the IAM role creation step.

      Actual results:

      time="2024-05-20T03:21:03Z" level=error msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failed to create cluster: failed during pre-provisioning: failed to create IAM roles: failed to create inline policy for role master: AccessDenied: User: arn:aws:sts::890193308254:assumed-role/ManagedOpenShift-Installer-Role/1716175231092827911 is not authorized to perform: iam:PutRolePolicy on resource: role ManagedOpenShift-ControlPlane-Role because no identity-based policy allows the iam:PutRolePolicy action\n\tstatus code: 403, request id: 27f0f631-abdd-47e9-ba02-a2e71a7487dc"
      time="2024-05-20T03:21:04Z" level=error msg="error after waiting for command completion" error="exit status 4" installID=wx9l766h
      time="2024-05-20T03:21:04Z" level=error msg="error provisioning cluster" error="exit status 4" installID=wx9l766h
      time="2024-05-20T03:21:04Z" level=error msg="error running openshift-install, running deprovision to clean up" error="exit status 4" installID=wx9l766h
      time="2024-05-20T03:21:04Z" level=debug msg="OpenShift Installer v4.16.0

      Expected results:

      The cluster should be created successfully without IAM permission errors.

      Additional info:

      - The IAM role ManagedOpenShift-Installer-Role does not have the necessary permissions to perform iam:PutRolePolicy on the ManagedOpenShift-ControlPlane-Role.
      - This issue was observed with the nightly build 4.16.0-0.nightly-2024-05-19-235324.


      More context: https://redhat-internal.slack.com/archives/C070BJ1NS1E/p1716182046041269
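
      An added example, not part of the original report or of the installer's code: a Python triage helper for the AccessDenied line under "Actual results". It extracts the assumed role, the denied action and the resource, then checks a policy document for a matching Allow. `SAMPLE_POLICY` is constructed for illustration and is not the real ManagedOpenShift-Installer-Role policy; the function names are hypothetical.

```python
import re
from fnmatch import fnmatchcase

# Log lines copied from "Actual results" in this report; the second has no denial.
LOG = [
    r'time="2024-05-20T03:21:03Z" level=error msg="failed to fetch Cluster: failed to generate asset \"Cluster\": failed to create cluster: failed during pre-provisioning: failed to create IAM roles: failed to create inline policy for role master: AccessDenied: User: arn:aws:sts::890193308254:assumed-role/ManagedOpenShift-Installer-Role/1716175231092827911 is not authorized to perform: iam:PutRolePolicy on resource: role ManagedOpenShift-ControlPlane-Role because no identity-based policy allows the iam:PutRolePolicy action\n\tstatus code: 403, request id: 27f0f631-abdd-47e9-ba02-a2e71a7487dc"',
    r'time="2024-05-20T03:21:04Z" level=error msg="error provisioning cluster" error="exit status 4" installID=wx9l766h',
]

# Constructed sample policy (assumption): NOT the real installer role policy.
SAMPLE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["iam:GetRole", "iam:PassRole", "ec2:*"], "Resource": "*"},
]}

DENIED = re.compile(
    r"AccessDenied: User: arn:aws:sts::\d{12}:assumed-role/(?P<role>[^/\s]+)/\S+"
    r" is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r" on resource: (?P<resource>.+?) because (?P<reason>.+?)(?:\\n|$)"
)

def denied_calls(lines):
    """Unique (role, action, resource, reason) tuples, in first-seen order."""
    seen = {}
    for line in lines:
        m = DENIED.search(line)
        if m:
            seen.setdefault((m["role"], m["action"], m["resource"]), m["reason"])
    return [key + (reason,) for key, reason in seen.items()]

def allowed_by(policy, action):
    """True if an Allow statement's Action pattern covers `action`.
    IAM action matching is case-insensitive with * and ? wildcards.
    Simplified: ignores Resource, Condition, NotAction and explicit Deny."""
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(
                fnmatchcase(action.lower(), a.lower()) for a in actions):
            return True
    return False

if __name__ == "__main__":
    for role, action, resource, reason in denied_calls(LOG):
        verdict = "allowed" if allowed_by(SAMPLE_POLICY, action) else "missing"
        print(f"{role}: {action} on {resource!r} ({reason}); sample policy: {verdict}")
```

      The "no identity-based policy allows" reason marks an implicit deny, so the check that matters is whether any Allow statement attached to the role covers the action.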

            rdossant Rafael Fonseca dos Santos
            sbai@redhat.com Shawn Bai
            Akash Kanni Akash Kanni