Bug
Resolution: Unresolved
4.16, 4.17, 4.18
Description of problem:
If an instance type is specified in the install-config.yaml, the installer will try to validate its availability in the given region and that it meets the minimum requirements for OCP nodes. When that happens, the `ec2:DescribeInstanceTypes` permission is used, but it's not validated by the installer as a required permission for installs.
Version-Release number of selected component (if applicable):
4.16+
How reproducible:
Always by setting an instanceType in the install-config.yaml
Steps to Reproduce:
1. 2. 3.
Actual results:
If you install with a user with minimal permissions, you'll get the error:

```
level=error msg=failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: [controlPlane.platform.aws: Internal error: error listing instance types: fetching instance types: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-8phprrsm-ccf9a-minimal-perm is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
level=error msg= status code: 403, request id: 559344f4-0fc3-4a6c-a6ee-738d4e1c0099, compute[0].platform.aws: Internal error: error listing instance types: fetching instance types: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-8phprrsm-ccf9a-minimal-perm is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
level=error msg= status code: 403, request id: 584cc325-9057-4c31-bb7d-2f4458336605]
```
Expected results:
The installer fails with an explicit message saying that `ec2:DescribeInstanceTypes` is required.
Additional info:
- is triggered by CORS-3571 Introduce tests for new permissions required as presubmit tests on PRs (In Progress)
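The expected behaviour described above, sketched as an added example (not the installer's own code): a preflight check that treats `ec2:DescribeInstanceTypes` as required only when a machine pool sets an instance type, and fails with a message naming the missing action. The `MachinePool` type, the abbreviated `basePermissions` list, the function names and the sample values are assumptions; `allowed` is assumed to be the already-evaluated set of actions the credentials may perform.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
)

// MachinePool is a hypothetical, reduced stand-in for one pool in install-config.yaml.
type MachinePool struct {
	Name         string
	InstanceType string // empty when the installer chooses a default type
}

// basePermissions is a constructed, abbreviated baseline, not the installer's real list.
var basePermissions = []string{"ec2:DescribeRegions", "ec2:RunInstances"}

// RequiredPermissions returns the baseline plus ec2:DescribeInstanceTypes
// when any pool sets an instance type that has to be validated.
func RequiredPermissions(pools []MachinePool) []string {
	req := append([]string{}, basePermissions...)
	for _, p := range pools {
		if p.InstanceType != "" {
			return append(req, "ec2:DescribeInstanceTypes")
		}
	}
	return req
}

// Preflight returns an error naming every required action absent from allowed,
// so the failure is explicit instead of surfacing later as a 403 from EC2.
func Preflight(pools []MachinePool, allowed map[string]bool) error {
	var missing []string
	for _, action := range RequiredPermissions(pools) {
		if !allowed[action] {
			missing = append(missing, action)
		}
	}
	if len(missing) == 0 {
		return nil
	}
	sort.Strings(missing)
	return fmt.Errorf("missing required AWS permissions: %s", strings.Join(missing, ", "))
}

func main() {
	// Constructed sample: control plane pins an instance type, workers use the default.
	pools := []MachinePool{{Name: "master", InstanceType: "m6i.xlarge"}, {Name: "worker"}}
	allowed := map[string]bool{"ec2:DescribeRegions": true, "ec2:RunInstances": true}
	fmt.Println(Preflight(pools, allowed))
}
```

The exact-match lookup does not expand IAM wildcards such as `ec2:Describe*`; a real check would evaluate the policy rather than compare strings.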