Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-49735

[aws/byo-public-ipv4] missing permission ec2:ReleaseAddress when destroying the cluster

XMLWordPrintable

    • None
    • OpenShift SPLAT - Sprint 266
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      Previously clusters created with minimum permissions in existing VPC (unmanaged VPC or BYO VPC) and BYO Public IPv4 Pool address (BYO IP) on AWS failed to de-provision cluster without permissions to release EIP address (ec2:ReleaseAddress).

      This release, ensures ec2:ReleaseAddress permission is exported to the install-generated IAM policy when deploying a cluster on AWS with BYO VPC and BYO Public IPv4 Pool.
      Show
      Previously clusters created with minimum permissions in existing VPC (unmanaged VPC or BYO VPC) and BYO Public IPv4 Pool address (BYO IP) on AWS failed to de-provision cluster without permissions to release EIP address (ec2:ReleaseAddress). This release, ensures ec2:ReleaseAddress permission is exported to the install-generated IAM policy when deploying a cluster on AWS with BYO VPC and BYO Public IPv4 Pool.
    • Bug Fix
    • In Progress

      This is a clone of issue OCPBUGS-49594. The following is the description of the original issue:

      Description of problem:

          The deprovision CI step[1] e2e-aws-ovn-shared-vpc-edge-zones-ipi-deprovision-deprovision is missing the permission ec2:ReleaseAddress in the installer user to remove the custom IPv4 Address (EIP) allocated in the cluster creation. The BYO IPv4 is default on CI jobs, and enabled when the pool has IP address.

Error:
level=warning msg=UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-rxxt8srv-bf840-minimal-perm-installer is not authorized to perform: ec2:ReleaseAddress on resource: arn:aws:ec2:us-east-1:[redacted]:elastic-ip/eipalloc-0f4b652b702e73204 because no identity-based policy allows the ec2:ReleaseAddress action.

Job: https://prow.ci.openshift.org/view/gs/test-platform-results/pr-logs/pull/openshift_installer/9413/pull-ci-openshift-installer-main-e2e-aws-ovn-shared-vpc-edge-zones/1884340831955980288

      Version-Release number of selected component (if applicable):

      4.19

      How reproducible:

          always when BYO Public IPv4 pool is activated in the install-config

      Steps to Reproduce:

          1. install a cluster with byo IPv4 pool set on install-config
    2.
    3.

      Actual results:

      level=warning msg=UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::460538899914:user/ci-op-rxxt8srv-bf840-minimal-perm-installer is not authorized to perform: ec2:ReleaseAddress on resource: arn:aws:ec2:us-east-1:[Redacted]:elastic-ip/eipalloc-0f4b652b702e73204 because no identity-based policy allows the ec2:ReleaseAddress action.  

      Expected results:

          Permissions granted, EIP released.

      Additional info:

              rhn-support-mrbraga Marco Braga
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

                Created:
                Updated: