OCPBUGS-44373

AWS installation fails when AssociatePublicIpAddress value is set to false in SCP.

    • Important
    • None
    • 5
    • OpenShift SPLAT - Sprint 262
    • 1
    • False

      Description of problem:

      The AWS installation fails when the SCP has the value for AssociatePublicIpAddress set to False. The IAM user is not able to create new EC2 instances, i.e. the worker nodes are not getting created.
      However, the bootstrap and master nodes get created.
      
      The logs below can be observed in the machine-api controller logs:
      
      2024/10/31 16:05:28 failed to create instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/<role-name> is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ap-southeast-1:<account-id>:network-interface/* with an explicit deny in a service control policy. Encoded authorization failure message: <encoded-message>
      
      
      

      Version-Release number of selected component (if applicable):

          4.17

      How reproducible:

          Always

      Steps to Reproduce:

          1. Set the value of AssociatePublicIpAddress: False inside SCP.
          2. Perform a normal IPI AWS installation with an IAM user that has the above SCP applied.
          3. Observe that the workers are not getting created.
          

      Actual results:

          

      Expected results:

          

      Additional info:

          

              rhn-support-mrbraga Marco Braga
              rhn-support-vdurgam Vedant Durgam
              Gaoyun Pei Gaoyun Pei
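
An added example, not part of the original report or of any OpenShift code: it parses machine-api controller log lines for explicit-deny authorization failures like the one quoted in the description and flags the case where a service control policy denies ec2:RunInstances on the network-interface resource. The function names are hypothetical, and the second and third sample lines are constructed for illustration.

```python
import re

# Shape of the AWS authorization-failure text in the log line quoted in this report.
DENY_RE = re.compile(
    r"(?P<ts>\d{4}/\d{2}/\d{2} \d{2}:\d{2}:\d{2}) .*?UnauthorizedOperation: .*?"
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>[\w-]+:\w+) "
    r"on resource: (?P<resource>\S+) with an explicit deny in an? (?P<source>.+?)\."
)

def parse_deny(line):
    """Return the fields of an explicit-deny failure, or None for other log lines."""
    m = DENY_RE.search(line)
    if m is None:
        return None
    rec = m.groupdict()
    # ARN layout: arn:partition:service:region:account:type/id
    parts = rec["resource"].split(":", 5)
    if len(parts) != 6:
        return None
    rec["region"] = parts[3]
    rec["resource_type"] = parts[5].split("/", 1)[0]
    return rec

def is_scp_eni_deny(rec):
    """True for the signature in this report: an SCP denying RunInstances on the ENI."""
    return (rec["source"] == "service control policy"
            and rec["action"] == "ec2:RunInstances"
            and rec["resource_type"] == "network-interface")

def triage(lines):
    """Keep only explicit-deny lines, each tagged with the SCP/ENI flag."""
    findings = []
    for line in lines:
        rec = parse_deny(line)
        if rec is not None:
            rec["scp_eni_deny"] = is_scp_eni_deny(rec)
            findings.append(rec)
    return findings

SAMPLE_LOG = [
    # Line 1 is the message from this report, with its placeholders kept as written.
    "2024/10/31 16:05:28 failed to create instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/<role-name> is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ap-southeast-1:<account-id>:network-interface/* with an explicit deny in a service control policy. Encoded authorization failure message: <encoded-message>",
    # Lines 2 and 3 are constructed for this example.
    "2024/10/31 16:05:30 reconciling machine (constructed line)",
    "2024/10/31 16:05:41 failed to create instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/<role-name> is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ap-southeast-1:<account-id>:volume/* with an explicit deny in an identity-based policy. Encoded authorization failure message: <encoded-message>",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f["ts"], f["source"], f["action"], f["resource_type"], f["scp_eni_deny"])
```

A finding with `scp_eni_deny` set points at the organization's SCP rather than at the installer's IAM permissions, which is where the investigation in this report starts.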