Bug
Resolution: Unresolved
Major
4.18.z, 4.19.z, 4.20.z, 4.21.z, 4.22
Important
Installer Sprint 284, Installer Sprint 285
In Progress
Release Note Not Required
Description of problem:
If only new-format WL zones (e.g. us-east-1-foe-wlz-1a) are provided in the config, the installer won't add the WL-related permissions to the minimum permission list [1], and the installer will hit this error:
level=warning msg=Condition CarrierGatewayReady has status: "False", reason: "CarrierGatewayFailed", message: "failed to describe carrier gateways in vpc \"vpc-05f8e2f0d070835a8\": operation error EC2: DescribeCarrierGateways, https response error StatusCode: 403, RequestID: 01c89744-9787-48e2-926a-19295b84dcbb, api error UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:iam::892173657978:user/ci-op-lqxjw8sb-40b45-minimal-perm-installer is not authorized to perform: ec2:DescribeCarrierGateways because no identity-based policy allows the ec2:DescribeCarrierGateways action"
[1] https://github.com/openshift/installer/blob/1002fca931a92ef08175064caba8455194cd7a77/pkg/asset/installconfig/aws/permissions.go#L349-L355
Version-Release number of selected component (if applicable):
4.18+
How reproducible:
Always
Steps to Reproduce:
1. Create an install-config as follows:
   - architecture: amd64
     name: edge
     platform:
       aws:
         zones: [us-east-1-foe-wlz-1a]
2. Run the `openshift-install create permissions-policy` command
Actual results:
WL zone permissions are not generated.
Expected results:
WL zone permissions are generated correctly.
Additional info:
4.18 and above support the `create permissions-policy` command.
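A pre-flight check for the gap described above, as an added example that is not the installer's own code: it reads a generated policy document and reports Wavelength zones that would fail with the 403 on ec2:DescribeCarrierGateways. The function names, the "-wlz-" name heuristic and the sample policy are assumptions made for this example. It checks only Allow statements and expects Statement to be a list.

```go
package main

import (
	"encoding/json"
	"fmt"
	"path"
	"strings"
)

// Constructed sample policy (not real installer output): no carrier gateway action.
const samplePolicy = `{"Version":"2012-10-17","Statement":[{"Effect":"Allow",
 "Action":["ec2:DescribeVpcs","ec2:DescribeSubnets"],"Resource":"*"}]}`

// Assumed heuristic: new (us-east-1-foe-wlz-1a) and older (us-east-1-wl1-bos-wlz-1) names contain "-wlz-".
func isWavelengthZone(zone string) bool { return strings.Contains(zone, "-wlz-") }

// policyAllows reports whether an Allow statement grants action (IAM wildcards, string-or-list Action).
func policyAllows(policyJSON, action string) (bool, error) {
	var doc struct{ Statement []struct{ Effect string; Action any } }
	if err := json.Unmarshal([]byte(policyJSON), &doc); err != nil {
		return false, err
	}
	for _, st := range doc.Statement {
		actions, _ := st.Action.([]any)
		if s, ok := st.Action.(string); ok {
			actions = []any{s} // Action given as a single string
		}
		for _, a := range actions {
			s, _ := a.(string)
			// IAM action names are case-insensitive; * and ? behave like path.Match.
			if ok, _ := path.Match(strings.ToLower(s), strings.ToLower(action)); ok && st.Effect == "Allow" {
				return true, nil
			}
		}
	}
	return false, nil
}

// carrierGatewayGap lists the Wavelength zones the policy leaves uncovered.
func carrierGatewayGap(zones []string, policyJSON string) (gap []string, err error) {
	if ok, e := policyAllows(policyJSON, "ec2:DescribeCarrierGateways"); e != nil || ok {
		return nil, e
	}
	for _, z := range zones {
		if isWavelengthZone(z) {
			gap = append(gap, z)
		}
	}
	return gap, nil
}

func main() { fmt.Println(carrierGatewayGap([]string{"us-east-1a", "us-east-1-foe-wlz-1a"}, samplePolicy)) }
```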
- blocks: OCPBUGS-77504 installer should recognize new WavelengthZone format (New)
- is cloned by: OCPBUGS-77504 installer should recognize new WavelengthZone format (New)