Loading...

XML

Word

Printable

Type: Bug
Resolution: Done-Errata
Priority: Normal
Fix Version/s: 4.16.z
Affects Version/s: 4.16, 4.17
Component/s: Installer / openshift-installer
Labels:
- aws
- triaged

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
Low
Regression:
No

Target Backport Versions:

4.16.z
Target Version:

4.16.z
Release Blocker:
None
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Release Note Status:
Done
Release Note Type:
Bug Fix
Release Note Text:

Hide
* Previously, the installation program incorrectly required {aws-first} permissions for creating Identity and Access Management (IAM) roles for an {product-title} cluster that already had these roles. With this release, the installation program only requests permissions for roles not yet created. (link:https://issues.redhat.com/browse/OCPBUGS-37494[*~~OCPBUGS-37494~~*])

Show
* Previously, the installation program incorrectly required {aws-first} permissions for creating Identity and Access Management (IAM) roles for an {product-title} cluster that already had these roles. With this release, the installation program only requests permissions for roles not yet created. (link: https://issues.redhat.com/browse/OCPBUGS-37494 [* OCPBUGS-37494 *])

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue ~~OCPBUGS-36390~~. The following is the description of the original issue:
—
Description of problem:

    The Installer still requires permissions to create and delete IAM roles even when the users brings existing roles.

Version-Release number of selected component (if applicable):

    4.16+

How reproducible:

    always

Steps to Reproduce:

    1. Specify existing IAM role in the install-config
    2.
    3.

Actual results:

    The following permissions are required even though they are not used:
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:DeleteRolePolicy",
        "iam:PutRolePolicy",
        "iam:TagInstanceProfile"

Expected results:

    Only actually needed permissions are required.

Additional info:

    I think this is tech debt from when roles were not tagged. The fix will kind of revert https://github.com/openshift/installer/pull/5286

clones

OCPBUGS-36390 [aws] "create" iam role permissions required even when BYO role

Closed

is blocked by

OCPBUGS-36390 [aws] "create" iam role permissions required even when BYO role

Closed

links to

openshift/installer#8768: [release-4.16] OCPBUGS-37494: aws: do not require create permissions when BYO IAM role

RHSA-2024:5107 OpenShift Container Platform 4.16.z security update

Assignee:: Rafael Fonseca dos Santos

Reporter:: OpenShift Prow Bot

Need Info From:: None

Contributors:: None

QA Contact:: Yunfei Jiang

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Created:: 2024/07/24 7:59 AM

Updated:: 2025/07/22 5:34 AM

Resolved:: 2024/08/13 9:55 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates