
4.16 CAPI installer is unable to create AWS V2 loadbalancer Security Groups

    • Release Note Not Required

      This is a clone of issue OCPBUGS-35293. The following is the description of the original issue:

      Description of problem:

      4.16 installs fail for ROSA STS installations

      time="2024-06-11T14:05:48Z" level=debug msg="\t[failed to apply security groups to load balancer \"jamesh-sts-52g29-int\": AccessDenied: User: arn:aws:sts::476950216884:assumed-role/ManagedOpenShift-Installer-Role/1718114695748673685 is not authorized to perform: elasticloadbalancing:SetSecurityGroups on resource: arn:aws:elasticloadbalancing:us-east-1:476950216884:loadbalancer/net/jamesh-sts-52g29-int/bf7ef748daa739ce because no identity-based policy allows the elasticloadbalancing:SetSecurityGroups action"

      Version-Release number of selected component (if applicable):

      4.16+

      How reproducible:

      Every time

      Steps to Reproduce:

      1. Create an installer policy with the permissions listed in the installer [here|https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go]
      2. Run an install in AWS IPI

      Actual results:

      The installer fails to install a cluster in AWS.

      The installer log should show AccessDenied messages for the IAM action elasticloadbalancing:SetSecurityGroups.

      The installer should show the error message "failed to apply security groups to load balancer".

      Expected results:

      Install completes successfully.

      Additional info:

      Managed OpenShift (ROSA) installs STS clusters with [this|https://github.com/openshift/managed-cluster-config/blob/master/resources/sts/4.16/sts_installer_permission_policy.json] permission policy for the installer, which should be what is required by the installer [policy|https://github.com/openshift/installer/blob/master/pkg/asset/installconfig/aws/permissions.go] plus the permissions needed for OCM to do pre-install validation.
      
      
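      The failure in the log excerpt above is a plain IAM gap: the installer role's identity-based policy never grants elasticloadbalancing:SetSecurityGroups, so the SetSecurityGroups call on the freshly created NLB fails closed. The following is an added example, not code from the installer or from managed-cluster-config, that pulls the denied actions out of installer log lines and checks them against a policy document offline, so the set of actions to add can be listed before the next retry. The log lines, the account id, the role name and both policy documents are constructed for the example; the evaluator looks only at Effect, Action and NotAction and deliberately ignores Resource and Condition.

```python
"""Offline check: which IAM actions did openshift-install get AccessDenied on,
and does a given policy document grant them?  Added example, not installer code."""
import copy
import fnmatch
import re
from typing import Iterable

# Wording of the IAM AccessDenied error as it appears inside the installer's
# debug log line (see the log excerpt in the bug description).
_DENIED_RE = re.compile(
    r"is not authorized to perform: (?P<action>[\w-]+:[\w*?]+)"
    r" on resource: (?P<resource>\S+)"
)


def denied_actions(log_lines: Iterable[str]) -> dict[str, set[str]]:
    """Map each denied IAM action to the set of resource ARNs it was denied on."""
    denied: dict[str, set[str]] = {}
    for line in log_lines:
        for m in _DENIED_RE.finditer(line):
            denied.setdefault(m["action"], set()).add(m["resource"].rstrip('"'))
    return denied


def _as_list(value) -> list:
    """IAM lets Statement, Action and NotAction be a single item or a list."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _statement_matches(stmt: dict, want: str) -> bool:
    """Does this statement's Action/NotAction cover the (lower-cased) action?
    Action names are case-insensitive and may use * and ? wildcards."""
    if "Action" in stmt:
        return any(fnmatch.fnmatchcase(want, p.lower()) for p in _as_list(stmt["Action"]))
    if "NotAction" in stmt:
        return not any(fnmatch.fnmatchcase(want, p.lower()) for p in _as_list(stmt["NotAction"]))
    return False


def policy_allows(policy: dict, action: str) -> bool:
    """Identity-based evaluation of one action: an explicit Deny wins, otherwise
    any matching Allow grants it, otherwise it is implicitly denied.
    Simplification (assumption of this example): Resource and Condition are ignored."""
    want = action.lower()
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not _statement_matches(stmt, want):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(log_lines: Iterable[str], policy: dict) -> list[str]:
    """Actions the installer was denied that the policy does not grant."""
    return sorted(a for a in denied_actions(log_lines) if not policy_allows(policy, a))


# Constructed log lines modelled on the excerpt above (fake account, role and LB name).
SAMPLE_LOG = [
    'time="2024-06-11T14:05:48Z" level=debug msg="\\t[failed to apply security groups '
    'to load balancer \\"example-int\\": AccessDenied: User: '
    'arn:aws:sts::123456789012:assumed-role/Example-Installer-Role/1718114695748673685 '
    'is not authorized to perform: elasticloadbalancing:SetSecurityGroups on resource: '
    'arn:aws:elasticloadbalancing:us-east-1:123456789012:loadbalancer/net/example-int/0123456789abcdef '
    'because no identity-based policy allows the elasticloadbalancing:SetSecurityGroups action"',
    'time="2024-06-11T14:05:49Z" level=debug msg="created security group sg-0123456789abcdef0"',
]

# Constructed policy that reproduces the report: other ELB actions are present,
# but SetSecurityGroups is not ...
POLICY_WITHOUT = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "elasticloadbalancing:CreateLoadBalancer",
            "elasticloadbalancing:ModifyLoadBalancerAttributes",
            "elasticloadbalancing:Describe*",
        ],
        "Resource": "*",
    }],
}
# ... and the corrected policy with the missing action added.
POLICY_WITH = copy.deepcopy(POLICY_WITHOUT)
POLICY_WITH["Statement"][0]["Action"].append("elasticloadbalancing:SetSecurityGroups")

if __name__ == "__main__":
    for name, pol in (("without", POLICY_WITHOUT), ("with", POLICY_WITH)):
        print(f"policy {name}: missing {missing_actions(SAMPLE_LOG, pol)}")
```

      Point the functions at the real .openshift_install.log and the rendered policy JSON to get the list of actions to add before retrying. Because the evaluator ignores Resource and Condition, a clean result here is necessary but not sufficient; against a live account, `aws iam simulate-principal-policy --policy-source-arn <installer role ARN> --action-names elasticloadbalancing:SetSecurityGroups` evaluates the complete effective policy set and is the authoritative check.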

            jaharrin James Harrington
            openshift-crt-jira-prow OpenShift Prow Bot
            Yunfei Jiang Yunfei Jiang