
[aws] tag:UntagResources when destroying cluster with BYO IAM profile


      Description of problem:

          `tag:UntagResources` is required for the AWS SDK call [UntagResourcesWithContext](https://github.com/openshift/installer/blob/master/pkg/destroy/aws/shared.go#L121) when removing the "shared" tag from the IAM profile.

      Version-Release number of selected component (if applicable):

          4.17+

      How reproducible:

          always

      Steps to Reproduce:

          1.
          2.
          3.
          

      Actual results:

          time="2024-11-19T12:22:19Z" level=debug msg="search for IAM instance profiles"
          time="2024-11-19T12:22:19Z" level=debug msg="Search for and remove tags in us-east-1 matching kubernetes.io/cluster/ci-op-y8wbktiq-e515e-q6kvb: shared"
          time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-worker"
          time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-master"
          time="2024-11-19T12:22:19Z" level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::460538899914:user/ci-op-y8wbktiq-e515e-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action\n\tstatus code: 400, request id: 464de6ab-3de5-496d-a163-594dade11619"

          See: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/58833/rehearse-58833-pull-ci-openshift-installer-release-4.18-e2e-aws-ovn-custom-iam-profile/1858807924600606720

      Expected results:

          The permission is added to the required list when a BYO IAM profile is used, and the "shared" tag is removed from the profiles.

      Additional info:
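
Added example, not part of the original report or the installer's code: a small Go scanner that pulls IAM authorization failures like the one in the "Actual results" log out of a destroy log, so the missing actions can be compared against the policy attached to the installer's identity. The type and function names are hypothetical, the sample log is constructed with placeholder account and request IDs, and the "with an explicit deny" branch follows AWS's general access-denied wording rather than anything in this report.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Denial is one IAM authorization failure found in an installer log.
type Denial struct {
	Principal, Action string
	Explicit          bool // true: an explicit Deny applies, so adding an Allow alone will not help
}

// Matches the AWS access-denied text as it appears in the log quoted in this report.
var deniedRE = regexp.MustCompile(`User: (arn:aws:\S+) is not authorized to perform: ([\w-]+:[\w*]+)( with an explicit deny)?`)

// ParseDenials returns the unique denials in log, sorted by principal then action.
func ParseDenials(log string) []Denial {
	seen := map[Denial]bool{}
	var out []Denial
	for _, line := range strings.Split(log, "\n") {
		for _, m := range deniedRE.FindAllStringSubmatch(line, -1) {
			d := Denial{Principal: m[1], Action: m[2], Explicit: m[3] != ""}
			if !seen[d] { // destroy retries repeat the same error; report it once
				seen[d] = true
				out = append(out, d)
			}
		}
	}
	sort.Slice(out, func(i, j int) bool {
		return out[i].Principal+" "+out[i].Action < out[j].Principal+" "+out[j].Action
	})
	return out
}

// Constructed sample: the account ID, user name and request IDs are placeholders.
const sampleLog = `level=debug msg="search for IAM instance profiles"
level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::111122223333:user/example-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action\n\tstatus code: 400, request id: 00000000-0000-0000-0000-000000000001"
level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::111122223333:user/example-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action\n\tstatus code: 400, request id: 00000000-0000-0000-0000-000000000002"`

func main() {
	for _, d := range ParseDenials(sampleLog) {
		fmt.Printf("%s lacks %s (explicit deny: %v)\n", d.Principal, d.Action, d.Explicit)
	}
}
```

An implicit denial such as the one in this report is resolved by adding the action to the identity's policy; an explicit one points at a deny statement elsewhere that must be addressed first.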

          

            [OCPBUGS-44745] [aws] tag:UntagResources when destroying cluster with BYO IAM profile

            Errata Tool made changes -
            Resolution New: Done-Errata [ 10803 ]
            Status Original: Verified [ 10015 ] New: Closed [ 6 ]

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift Container Platform 4.18.1 bug fix and security update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:6122


            Ben Scott added a comment -

            yunjiang-1 Thanks, PTAL https://github.com/openshift/openshift-docs/pull/86241
            Yunfei Jiang made changes -
            Status Original: ON_QA [ 15723 ] New: Verified [ 10015 ]

            Yunfei Jiang added a comment -

            Verified on 4.18.0-0.nightly-multi-2024-12-02-195414

            level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-worker
            level=info msg=Removed tag kubernetes.io/cluster/ci-op-8nl35rn8-ed042-f8knx: shared arn=arn:aws:iam::301721915996:instance-profile/ci-op-8nl35rn8-ed042-byo-profile-master

            Errata Tool made changes -
            Remote Link New: This issue links to "RHEA-2024:6122 (Web Link)" [ 1868134 ]
            Rafael Fonseca dos Santos made changes -
            Release Note Text New: N/A
            OpenShift Jira Bot made changes -
            Release Note Status New: In Progress [ 30960 ]
            Rafael Fonseca dos Santos made changes -
            Release Note Type New: Release Note Not Required [ 31862 ]

            OpenShift Jira Bot added a comment -

            Hi rdossant,

            Bugs should not be moved to Verified without first providing a Release Note Type ("Bug Fix" or "No Doc Update") and for type "Bug Fix" the Release Note Text must also be provided. Please populate the necessary fields before moving the Bug to Verified.

            ART Bot made changes -
            Status Original: MODIFIED [ 14454 ] New: ON_QA [ 15723 ]
            OpenShift Prow Bot made changes -
            Link New: This issue blocks OCPBUGS-44848 [ OCPBUGS-44848 ]
            OpenShift Prow Bot made changes -
            Link New: This issue is cloned by OCPBUGS-44848 [ OCPBUGS-44848 ]
            OpenShift Prow Bot made changes -
            Status Original: POST [ 15726 ] New: MODIFIED [ 14454 ]
            Gaoyun Pei made changes -
            QA Contact Original: Gaoyun Pei [ gpei ] New: Yunfei Jiang [ yunjiang-1 ]
            Rafael Fonseca dos Santos made changes -
            Link New: This issue is triggered by CORS-3571 [ CORS-3571 ]
            OpenShift Prow Bot made changes -
            Status Original: New [ 10016 ] New: POST [ 15726 ]
            Rafael Fonseca dos Santos made changes -
            Target Backport Versions New: 4.17.z [ 12428296 ]
            Rafael Fonseca dos Santos made changes -
            Target Version New: 4.18.0 [ 12431397 ]
            Rafael Fonseca dos Santos made changes -
            Assignee New: Rafael Fonseca dos Santos [ rdossant ]
            OpenShift Prow Bot made changes -
            Remote Link New: This issue links to "openshift/installer#9222: OCPBUGS-44745: aws: user right perm for untagging BYO IAM profiles (Web Link)" [ 1857180 ]
            Rafael Fonseca dos Santos made changes -
            Affects Version/s Original: 4.16 [ 12417854 ]
            Rafael Fonseca dos Santos made changes -
            Labels New: aws
            Rafael Fonseca dos Santos made changes -
            QA Contact New: Gaoyun Pei [ gpei ]
            Rafael Fonseca dos Santos created issue -
