
OCPBUGS-26016: Changed the s3:HeadBucket entry to s3:ListBucket

Open dfitzmau opened this issue 1 year ago • 5 comments

Version(s): 4.14+

Issue: OCPBUGS-26016

Link to docs preview: Required AWS permissions for the IAM user

  • [x] SME has approved this change.
  • [ ] QE has approved this change.

Additional resources:

Julio to run an Access Analyzer tool to verify permissions.

dfitzmau avatar Jan 29 '24 17:01 dfitzmau

@dfitzmau: This pull request references Jira Issue OCPBUGS-26016, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Version(s):

Issue:

Link to docs preview:

QE review:

  • [ ] QE has approved this change.

Additional information:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Jan 29 '24 17:01 openshift-ci-robot

🤖 Wed Apr 17 15:38:57 - Prow CI generated the docs preview:

https://70926--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/installing-aws-account.html
https://70926--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/upi/installing-aws-user-infra.html
https://70926--ocpdocs-pr.netlify.app/openshift-enterprise/latest/installing/installing_aws/upi/installing-restricted-networks-aws.html

ocpdocs-previewbot avatar Jan 29 '24 17:01 ocpdocs-previewbot

The .adoc file does not list the following permissions that reside in the permissions.go file:

[Screenshot from 2024-02-12 12-12-43]

dfitzmau avatar Feb 12 '24 12:02 dfitzmau

/label peer-review-needed

dfitzmau avatar Mar 22 '24 11:03 dfitzmau

@dfitzmau: This pull request references Jira Issue OCPBUGS-26016, which is invalid:

  • expected the bug to target the "4.16.0" version, but no target version was set
  • expected the bug to be in one of the following states: NEW, ASSIGNED, POST, but it is ON_QA instead

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

In response to this:

Version(s): 4.14+

Issue: OCPBUGS-26016

Link to docs preview: Required AWS permissions for the IAM user

  • [x] SME has approved this change.
  • [ ] QE has approved this change.

Additional resources:

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot avatar Mar 27 '24 12:03 openshift-ci-robot

@patrickdillon do you know who could help review the required permissions in the docs? I suspect that those not listed in the Installer might be needed by some cluster operators.

@makentenza would have a good idea who might know about this. I'm not sure how the minimal credential requirements (e.g. for "create manifests") were determined. I suspect by QE, but mak may have a better idea.

+1 with Patrick, depending on the cluster configurations, different permissions may be required, QE can determine the exact permissions once the cluster configuration is determined

yunjiang29 avatar Apr 03 '24 06:04 yunjiang29

@dfitzmau I have some comments below.

And for s3:HeadBucket, it looks like it is still required in 4.16:

...
 INFO[2024-04-02T03:26:10Z] Resolved release latest to registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-04-01-213440 
...
level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
Installer exit with code 1

@patrickdillon any thoughts on this?

@yunjiang29 in the docs, AWS says the permission is s3:ListBucket https://docs.aws.amazon.com/AmazonS3/latest/API/API_HeadBucket.html. The error you're seeing is coming from the CCO which needs to be fixed: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/utils.go#L57

r4f4 avatar Apr 03 '24 07:04 r4f4

https://github.com/openshift/cloud-credential-operator/pull/690

r4f4 avatar Apr 03 '24 07:04 r4f4

> @dfitzmau I have some comments below.
>
> And for s3:HeadBucket, it looks like it is still required in 4.16:
>
> ...
>  INFO[2024-04-02T03:26:10Z] Resolved release latest to registry.ci.openshift.org/ocp/release:4.16.0-0.nightly-2024-04-01-213440 
> ...
> level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
> level=warning msg=Tested creds not able to perform all requested actions
> level=warning msg=Action not allowed with tested creds action=s3:HeadBucket
> level=warning msg=Tested creds not able to perform all requested actions
> level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset "Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create new creds or use as-is
> Installer exit with code 1
>
> @patrickdillon any thoughts on this?

HeadBucket is an action--not a required permission--which the installer is testing to see if the creds have sufficient permissions to perform. According to this s3:ListBucket is the required permission for HeadBucket. s3:ListBucket is in the standard list of permissions, so I would assume you have it? @yunjiang29 can you confirm these creds do have s3:ListBucket? If they do, it sounds like there may be a bug in the installer or CCO code that the installer uses.

patrickdillon avatar Apr 04 '24 21:04 patrickdillon
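The distinction drawn above (HeadBucket is an S3 API operation; s3:ListBucket is the IAM permission that authorizes it) is what the warning in the log hinges on. The following is an added, self-contained illustration written for this page; it is not code from the Installer, the CCO, or the docs PR. It evaluates a constructed IAM policy document with IAM's Allow/Deny and wildcard semantics, then contrasts a check that tests the literal string `s3:HeadBucket` against one that first resolves the operation to its IAM permission. The only operation-to-permission mapping it uses is the HeadBucket entry cited from the AWS API reference in the thread; the `s3:<OperationName>` fallback and the sample policy are assumptions for the example. Resource and Condition elements are deliberately ignored.

```python
import re
from typing import Iterable, List

# Constructed sample IAM policy document (not from the PR). It grants
# s3:ListBucket, as the standard permission list does, but never contains
# the literal string "s3:HeadBucket", which is not an IAM permission name.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:ListBucket", "s3:GetObject", "iam:*"], "Resource": "*"},
        {"Effect": "Deny", "Action": "iam:DeleteUserPolicy", "Resource": "*"},
    ],
}

# S3 API operation -> IAM permission that authorizes it. HeadBucket comes from
# the AWS API reference linked in the thread; every other operation falls back
# to "s3:<OperationName>", which is a simplification assumed for this example.
S3_OPERATION_PERMISSION = {"HeadBucket": "s3:ListBucket"}


def _action_regex(pattern: str) -> "re.Pattern[str]":
    """Translate an IAM action pattern such as 's3:Get*' or 'iam:*' to a regex.
    IAM action matching is case-insensitive; '*' matches any run of characters
    and '?' matches exactly one."""
    escaped = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.compile(f"^{escaped}$", re.IGNORECASE)


def _statement_matches(statement: dict, action: str) -> bool:
    """True if any Action pattern in the statement covers the given action."""
    actions = statement.get("Action", [])
    if isinstance(actions, str):
        actions = [actions]
    return any(_action_regex(p).match(action) for p in actions)


def action_allowed(policy: dict, action: str) -> bool:
    """Evaluate one action against the policy: an explicit Deny overrides any
    Allow, and no matching Allow means implicit deny. Resource and Condition
    are ignored (all sample statements use Resource "*")."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if not _statement_matches(stmt, action):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def permission_for_operation(operation: str) -> str:
    """Resolve an S3 API operation name to the IAM permission that authorizes it."""
    return S3_OPERATION_PERMISSION.get(operation, f"s3:{operation}")


def naive_missing(policy: dict, actions: Iterable[str]) -> List[str]:
    """The check the thread describes as buggy: every tested action string is
    treated as if it were itself an IAM permission name. "s3:HeadBucket" can
    never be granted, so it is always reported missing."""
    return [a for a in actions if not action_allowed(policy, a)]


def operations_missing(policy: dict, operations: Iterable[str]) -> List[str]:
    """The corrected check: map each API operation to its IAM permission first,
    then evaluate that permission against the policy."""
    return [op for op in operations
            if not action_allowed(policy, permission_for_operation(op))]


if __name__ == "__main__":
    # Mirrors the warning in the log: the literal action is "missing" even
    # though the policy does grant the permission HeadBucket actually needs.
    print("naive check missing:", naive_missing(SAMPLE_POLICY, ["s3:HeadBucket", "s3:ListBucket"]))
    print("mapped check missing:", operations_missing(SAMPLE_POLICY, ["HeadBucket", "GetObject"]))
```

Running it shows the naive check flagging `s3:HeadBucket` while the mapped check flags nothing, which is the behaviour difference the CCO fix referenced later in the thread addresses. A real credential check should additionally simulate against resources and conditions, which this offline evaluator leaves out.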

> HeadBucket is an action--not a required permission--which the installer is testing to see if the creds have sufficient permissions to perform. According to this s3:ListBucket is the required permission for HeadBucket. s3:ListBucket is in the standard list of permissions, so I would assume you have it? @yunjiang29 can you confirm these creds do have s3:ListBucket? If they do, it sounds like there may be a bug in the installer or CCO code that the installer uses.

@patrickdillon There was. It was fixed in https://github.com/openshift/cloud-credential-operator/pull/690. And on https://github.com/openshift/installer/pull/8233 I'm bumping CCO in the Installer to bring in the fix.

r4f4 avatar Apr 04 '24 21:04 r4f4

> HeadBucket is an action--not a required permission--which the installer is testing to see if the creds have sufficient permissions to perform. According to this s3:ListBucket is the required permission for HeadBucket. s3:ListBucket is in the standard list of permissions, so I would assume you have it? @yunjiang29 can you confirm these creds do have s3:ListBucket? If they do, it sounds like there may be a bug in the installer or CCO code that the installer uses.

Yes, it has s3:ListBucket permission.

yunjiang29 avatar Apr 08 '24 07:04 yunjiang29

@dfitzmau: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here.

openshift-ci[bot] avatar Apr 17 '24 15:04 openshift-ci[bot]