-
Bug
-
Resolution: Unresolved
-
Major
-
None
-
4.17
This is a clone of issue OCPBUGS-44373. The following is the description of the original issue:
—
Description of problem:
The installation with aws installation fails when the SCP has the value for AssociatePublicIpAddress set to False. The IAM user is not able to create new EC2 instances i.e. the worker nodes are not getting created. However the bootstrap and Master nodes gets created. The below logs can be observed in the machine-api controller logs : 2024/10/31 16:05:28 failed to create instance: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/<role-name> is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:ap-southeast-1:<account-id>:network-interface/* with an explicit deny in a service control policy. Encoded authorization failure message: <encoded-message>
Version-Release number of selected component (if applicable):
4.17
How reproducible:
Always
Steps to Reproduce:
1. Set the value of AssociatePublicIpAddress: False inside SCP.
2. Perform a normal IPI aws installation with IAM user which has the above SCP applied.
3. Observe that the workers are not getting created.
Actual results:
Expected results:
Additional info:
- blocks
-
-
- POST
-
- clones
-
-
- ON_QA
-
- is blocked by
-
-
- ON_QA
-
- is cloned by
-
-
- POST
-
- links to
-
RHEA-2024:6122
OpenShift Container Platform 4.18.z bug fix update