[OCPBUGS-44745] [aws] tag:UntagResources when destroying cluster with BYO IAM profile

Type: Bug
Resolution: Done-Errata
Priority: Undefined
Fix Version/s: None
Affects Version/s: 4.17, 4.18
Component/s: Installer / openshift-installer
Labels:
- aws

Regression:
None
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Release Note Text:
N/A
Release Note Type:
Release Note Not Required
Release Note Status:
In Progress
Target Version:

4.18.0
Target Backport Versions:

4.17.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

Description of problem:

    `tag:UntagResources` is required for the AWS SDK call [UntagResourcesWithContext](https://github.com/openshift/installer/blob/master/pkg/destroy/aws/shared.go#L121) when removing the "shared" tag from the IAM profile.

Version-Release number of selected component (if applicable):

    4.17+

How reproducible:

    always

Steps to Reproduce:

    1.
    2.
    3.

Actual results:

    time="2024-11-19T12:22:19Z" level=debug msg="search for IAM instance profiles"
time="2024-11-19T12:22:19Z" level=debug msg="Search for and remove tags in us-east-1 matching kubernetes.io/cluster/ci-op-y8wbktiq-e515e-q6kvb: shared"
time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-worker"
time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-master"
time="2024-11-19T12:22:19Z" level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::460538899914:user/ci-op-y8wbktiq-e515e-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action\n\tstatus code: 400, request id: 464de6ab-3de5-496d-a163-594dade11619"

See: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/58833/rehearse-58833-pull-ci-openshift-installer-release-4.18-e2e-aws-ovn-custom-iam-profile/1858807924600606720

Expected results:

    The perm is added to the required list when BYO IAM profile and the "shared" tag is removed from the profiles.

Additional info:

blocks

OCPBUGS-44848 [aws] tag:UntagResources when destroying cluster with BYO IAM profile

Closed

is cloned by

OCPBUGS-44848 [aws] tag:UntagResources when destroying cluster with BYO IAM profile

Closed

is triggered by

CORS-3571 Introduce tests for new permissions required as presubmit tests on PRs

Release Pending

links to

openshift/installer#9222: OCPBUGS-44745: aws: user right perm for untagging BYO IAM profiles

RHEA-2024:6122 OpenShift Container Platform 4.18.z bug fix update

Errata Tool added a comment - 2025/02/25 4:50 AM

Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

For information on the advisory (Important: OpenShift Container Platform 4.18.1 bug fix and security update), and where to find the updated files, follow the link below.

If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHSA-2024:6122

Errata Tool added a comment - 2025/02/25 4:50 AM Since the problem described in this issue should be resolved in a recent advisory, it has been closed. For information on the advisory (Important: OpenShift Container Platform 4.18.1 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2024:6122

Ben Scott added a comment - 2024/12/12 7:14 PM

yunjiang-1 Thanks, PTAL https://github.com/openshift/openshift-docs/pull/86241

Ben Scott added a comment - 2024/12/12 7:14 PM yunjiang-1 Thanks, PTAL https://github.com/openshift/openshift-docs/pull/86241

Yunfei Jiang added a comment - 2024/12/04 3:01 AM

Verified on 4.18.0-0.nightly-multi-2024-12-02-195414

level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-worker
level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-master

Yunfei Jiang added a comment - 2024/12/04 3:01 AM Verified on 4.18.0-0.nightly-multi-2024-12-02-195414 level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-worker level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-master

OpenShift Jira Bot added a comment - 2024/11/21 5:50 PM

Hi rdossant,

Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

OpenShift Jira Bot added a comment - 2024/11/21 5:50 PM Hi rdossant , Bugs should not be moved to Verified without first providing a Release Note Type("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

Collapse comment: Errata Tool added a comment - 2025/02/25 4:50 AM

Expand comment: Errata Tool added a comment - 2025/02/25 4:50 AM

Collapse comment: Ben Scott added a comment - 2024/12/12 7:14 PM

Expand comment: Ben Scott added a comment - 2024/12/12 7:14 PM

Collapse comment: Yunfei Jiang added a comment - 2024/12/04 3:01 AM

Expand comment: Yunfei Jiang added a comment - 2024/12/04 3:01 AM

Collapse comment: OpenShift Jira Bot added a comment - 2024/11/21 5:50 PM

Expand comment: OpenShift Jira Bot added a comment - 2024/11/21 5:50 PM

People

Dates