-
Bug
-
Resolution: Done-Errata
-
Undefined
-
None
-
4.16, 4.17, 4.18
Description of problem:
If an instance type is specified in the install-config.yaml, the installer will try to validate its availability in the given region and that it meets the minimum requirements for OCP nodes. When that happens, the `ec2:DescribeInstanceTypes` permission is used but it's not validated by the installer as a required permissions for installs.
Version-Release number of selected component (if applicable):
4.16+
How reproducible:
Always by setting an instanceType in the install-config.yaml
Steps to Reproduce:
1.
2.
3.
Actual results:
If you install with an user with minimal permissions, you'll get the error:
level=error msg=failed to fetch Master Machines: failed to load asset "Install Config": failed to create install config: [controlPlane.platform.aws: Internal error: error listing instance types: fetching instance types: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-8phprrsm-ccf9a-minimal-perm is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
level=error msg= status code: 403, request id: 559344f4-0fc3-4a6c-a6ee-738d4e1c0099, compute[0].platform.aws: Internal error: error listing instance types: fetching instance types: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-8phprrsm-ccf9a-minimal-perm is not authorized to perform: ec2:DescribeInstanceTypes because no identity-based policy allows the ec2:DescribeInstanceTypes action
level=error msg= status code: 403, request id: 584cc325-9057-4c31-bb7d-2f4458336605]
Expected results:
The installer fails with an explicit message saying that `ec2:DescribeInstanceTypes` is required.
Additional info:
- is triggered by
-
CORS-3571 Introduce tests for new permissions required as presubmit tests on PRs
-
- Release Pending
-
- links to
-
RHEA-2024:6122
OpenShift Container Platform 4.18.z bug fix update
[OCPBUGS-43439] [aws] ec2:DescribeInstanceTypes permission is required when instance type specified
| Resolution | New: Done-Errata [ 10803 ] | |
| Status | Original: Verified [ 10015 ] | New: Closed [ 6 ] |
| Status | Original: ON_QA [ 15723 ] | New: Verified [ 10015 ] |
| Remote Link | New: This issue links to "RHEA-2024:6122 (Web Link)" [ 1861347 ] |
| Status | Original: MODIFIED [ 14454 ] | New: ON_QA [ 15723 ] |
| Status | Original: POST [ 15726 ] | New: MODIFIED [ 14454 ] |
| QA Contact | Original: Gaoyun Pei [ gpei ] | New: Yunfei Jiang [ yunjiang-1 ] |
| Status | Original: New [ 10016 ] | New: POST [ 15726 ] |
| Release Note Text | New: N/A |
OpenShift Jira Bot
made changes -
| Release Note Status | New: In Progress [ 30960 ] |
| Release Note Type | New: Release Note Not Required [ 31862 ] |
| Target Backport Versions | Original: 4.17.z [ 12428296 ] | New: 4.17.z, 4.16.z [ 12428296, 12428304 ] |
| Target Backport Versions | New: 4.17.z [ 12428296 ] |
| Target Version | New: 4.18.0 [ 12431397 ] |
| Remote Link |
New:
This issue links to "openshift/installer#9106: |
| Assignee | New: Rafael Fonseca dos Santos [ rdossant ] |
| Labels | New: aws |
| QA Contact | New: Gaoyun Pei [ gpei ] |
Since the problem described in this issue should be resolved in a recent advisory, it has been closed.
For information on the advisory (Important: OpenShift Container Platform 4.18.1 bug fix and security update), and where to find the updated files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:6122