Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.17.z
Affects Version/s: 4.16, 4.17
Component/s: Installer / openshift-installer
Labels:
- aws

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Low
Regression:
No

Target Backport Versions:

4.16.z
Target Version:

4.17.0
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, the installation program required permission to create and delete IAM roles when installing a cluster on {aws-short} even when an existing IAM role was provided. With this update, the installation program only requires these permissions when it is creating IAM roles. (link:https://issues.redhat.com/browse/OCPBUGS-36390[*~~OCPBUGS-36390~~*])

Show
* Previously, the installation program required permission to create and delete IAM roles when installing a cluster on {aws-short} even when an existing IAM role was provided. With this update, the installation program only requires these permissions when it is creating IAM roles. (link: https://issues.redhat.com/browse/OCPBUGS-36390 [* OCPBUGS-36390 *])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

Description of problem:

    The Installer still requires permissions to create and delete IAM roles even when the users brings existing roles.

Version-Release number of selected component (if applicable):

    4.16+

How reproducible:

    always

Steps to Reproduce:

    1. Specify existing IAM role in the install-config
    2.
    3.

Actual results:

    The following permissions are required even though they are not used:
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy",
        "iam:TagInstanceProfile"

Expected results:

    Only actually needed permissions are required.

Additional info:

    I think this is tech debt from when roles were not tagged. The fix will kind of revert https://github.com/openshift/installer/pull/5286

blocks

OCPBUGS-37494 [aws] "create" iam role permissions required even when BYO role

Closed

causes

OCPBUGS-37687 [aws] "create" iam role permissions is optional

Closed

is cloned by

OCPBUGS-37494 [aws] "create" iam role permissions required even when BYO role

Closed

links to

openshift/installer#8688: OCPBUGS-36390: aws: do not require create permissions when BYO IAM role

RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update

Assignee:: Rafael Fonseca dos Santos

Reporter:: Rafael Fonseca dos Santos

Need Info From:: None

Contributors:: None

QA Contact:: Yunfei Jiang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/07/01 2:40 PM

Updated:: 2025/07/22 11:30 AM

Resolved:: 2024/10/01 5:39 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates