OpenShift Bugs / OCPBUGS-44848

[aws] tag:UntagResources when destroying cluster with BYO IAM profile

      Previously, a missing permission caused cluster deprovision to fail when using a custom identity and access management (IAM) profile. With this release, the list of required permissions includes `tag:UntagResources` and the cluster deprovision completes.
      ====
      What: a missing permission would cause cluster deprovision to fail when using a custom IAM profile.
      Fix: added `tag:UntagResources` to the list of required permissions.
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-44745. The following is the description of the original issue:

      Description of problem:

          `tag:UntagResources` is required for the AWS SDK call [UntagResourcesWithContext](https://github.com/openshift/installer/blob/master/pkg/destroy/aws/shared.go#L121) when removing the "shared" tag from the IAM profile.

      Version-Release number of selected component (if applicable):

          4.17+

      How reproducible:

          always


      Actual results:

          time="2024-11-19T12:22:19Z" level=debug msg="search for IAM instance profiles"
          time="2024-11-19T12:22:19Z" level=debug msg="Search for and remove tags in us-east-1 matching kubernetes.io/cluster/ci-op-y8wbktiq-e515e-q6kvb: shared"
          time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-worker"
          time="2024-11-19T12:22:19Z" level=debug msg="Nothing to clean for shared iam resource" arn="arn:aws:iam::460538899914:instance-profile/ci-op-y8wbktiq-e515e-byo-profile-master"
          time="2024-11-19T12:22:19Z" level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::460538899914:user/ci-op-y8wbktiq-e515e-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action\n\tstatus code: 400, request id: 464de6ab-3de5-496d-a163-594dade11619"
      
      See: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_release/58833/rehearse-58833-pull-ci-openshift-installer-release-4.18-e2e-aws-ovn-custom-iam-profile/1858807924600606720

      Expected results:

          The permission is added to the required list when a BYO IAM profile is used, and the "shared" tag is removed from the profiles.


              rdossant Rafael Fonseca dos Santos
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang
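
Added example, not part of the original issue or of the installer's code: a small Go check that pulls the denied IAM action out of a destroy log like the one under "Actual results" and tests it against a policy's Allow patterns. The names `DeniedActions`, `Allowed` and `sampleLog` are hypothetical, and the policy list in `main` is constructed.

```go
package main

import (
	"fmt"
	"path"
	"regexp"
	"sort"
	"strings"
)

// Matches the AWS AccessDenied wording seen in the destroy log on this page.
var deniedRe = regexp.MustCompile(`User: (\S+) is not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)`)

// DeniedActions returns, per IAM principal ARN, the sorted unique actions
// that the log reports as denied.
func DeniedActions(log string) map[string][]string {
	out, seen := map[string][]string{}, map[string]bool{}
	for _, m := range deniedRe.FindAllStringSubmatch(log, -1) {
		if key := m[1] + " " + m[2]; !seen[key] {
			seen[key] = true
			out[m[1]] = append(out[m[1]], m[2])
		}
	}
	for who := range out {
		sort.Strings(out[who])
	}
	return out
}

// Allowed reports whether any Allow pattern (for example "tag:*") covers action.
// Action names compare case-insensitively; Deny statements and conditions are not modelled.
func Allowed(patterns []string, action string) bool {
	for _, p := range patterns {
		if ok, _ := path.Match(strings.ToLower(p), strings.ToLower(action)); ok {
			return true
		}
	}
	return false
}

// Constructed sample: the denied line from the log on this page, with the trailing status code and request id dropped.
const sampleLog = `time="2024-11-19T12:22:19Z" level=info msg="untag shared resources: AccessDeniedException: User: arn:aws:iam::460538899914:user/ci-op-y8wbktiq-e515e-minimal-perm is not authorized to perform: tag:UntagResources because no identity-based policy allows the tag:UntagResources action"`

func main() {
	policy := []string{"iam:GetInstanceProfile", "tag:GetResources"} // constructed Allow list
	for who, acts := range DeniedActions(sampleLog) {
		for _, a := range acts {
			fmt.Printf("%s: %s denied, allowed by policy: %v\n", who, a, Allowed(policy, a))
		}
	}
}
```
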