From 602b357c79e60bc92894b88086852d5ec75a1dd1 Mon Sep 17 00:00:00 2001 From: Rafael Fonseca Date: Fri, 6 Dec 2024 11:31:20 +0100 Subject: [PATCH] OCPBUGS-45807: aws: fix sts:AssumeRole perm requirement If a custom IAM role is specified, the installer needs the `sts:AssumeRole` to be able to use that role. This fixes the following error: ``` level=fatal msg=failed to fetch Cluster Infrastructure Variables: failed to fetch dependency of "Cluster Infrastructure Variables": failed to generate asset "Platform Provisioning Check": aws.hostedZone: Invalid value: "Z01991651G3UXC4ZFDNDU": unable to retrieve hosted zone: could not get hosted zone: Z01991651G3UXC4ZFDNDU: AccessDenied: User: arn:aws:iam:::user/ci-op-1c2w7jv2-ef4fe-minimal-perm-installer is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam:::role/ci-op-1c2w7jv2-ef4fe-shared-role level=fatal msg= status code: 403, request id: ab7160fa-ade9-4afe-aacd-782495dc9978 Installer exit with code 1 ```
---
 pkg/asset/installconfig/aws/permissions.go | 16 ++++++++++++++++
 pkg/asset/installconfig/aws/permissions_test.go | 14 ++++++++++++++
 2 files changed, 30 insertions(+)
diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
index 94ba5f86e4e..e8006ff65e1 100644
--- a/pkg/asset/installconfig/aws/permissions.go
+++ b/pkg/asset/installconfig/aws/permissions.go
@@ -68,6 +68,9 @@ const (
 // PermissionDefaultZones is a permission set required when zones are not set in the install-config.
 PermissionDefaultZones PermissionGroup = "permission-default-zones"
+ // PermissionAssumeRole is a permission set required when an IAM role to be assumed is set in the install-config.
+ PermissionAssumeRole PermissionGroup = "permission-assume-role"
+
 // PermissionMintCreds is a permission set required when minting credentials.
 PermissionMintCreds PermissionGroup = "permission-mint-creds"
@@ -324,6 +327,10 @@ var permissions = map[PermissionGroup][]string{
 // Needed to filter zones by instance type
 "ec2:DescribeInstanceTypeOfferings",
 },
+ PermissionAssumeRole: {
+ // Needed so the installer can use the provided custom IAM role
+ "sts:AssumeRole",
+ },
 // From: https://github.com/openshift/cloud-credential-operator/blob/master/pkg/aws/utils.go
 // TODO: export these in CCO so we don't have to duplicate them here.
 PermissionMintCreds: {
@@ -511,6 +518,10 @@ func RequiredPermissionGroups(ic *types.InstallConfig) []PermissionGroup {
 permissionGroups = append(permissionGroups, PermissionDefaultZones)
 }
+ if includesAssumeRole(ic) {
+ permissionGroups = append(permissionGroups, PermissionAssumeRole)
+ }
+
 return permissionGroups
 }
@@ -682,3 +693,8 @@ func includesZones(installConfig *types.InstallConfig) bool {
 return len(mpool.Zones) > 0 || len(installConfig.AWS.Subnets) > 0
 }
+
+// includesAssumeRole checks if a custom IAM role is specified in the install-config.
+func includesAssumeRole(installConfig *types.InstallConfig) bool {
+ return len(installConfig.AWS.HostedZoneRole) > 0
+}
diff --git a/pkg/asset/installconfig/aws/permissions_test.go b/pkg/asset/installconfig/aws/permissions_test.go
index 83697270661..a1c8cd63abd 100644
--- a/pkg/asset/installconfig/aws/permissions_test.go
+++ b/pkg/asset/installconfig/aws/permissions_test.go
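Review bot: The comment on the new `sts:AssumeRole` entry in the `permissions` map says "the provided custom IAM role" without naming the install-config field that gates it, so a reader of the table cannot tell what `PermissionAssumeRole` depends on; the only field the new `includesAssumeRole` helper reads is `installConfig.AWS.HostedZoneRole`. Suggest `// Needed so the installer can assume the role set in installConfig.AWS.HostedZoneRole (see includesAssumeRole)`. It is also worth a short mention next to the entry that listing the action only covers the caller's own IAM policy: the target role's trust policy must also permit the caller, and that is not something this permission list can verify, so a passing check still leaves that AccessDenied path possible. The enclosing `permissions` map starts and ends outside the hunk.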
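Review bot: The doc comment on `includesAssumeRole` promises a check for "a custom IAM role" but the body only inspects `installConfig.AWS.HostedZoneRole`, so the comment is broader than the code and would silently mislead if another assumable-role field were ever added to the AWS platform without updating this helper. Suggest `// includesAssumeRole reports whether the install-config sets an IAM role the installer must assume; currently only installConfig.AWS.HostedZoneRole triggers it.` The helper is complete within the hunk; `includesZones` above it starts outside the hunk.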
@@ -807,3 +807,17 @@ func TestIncludesZones(t *testing.T) {
 assert.Contains(t, requiredPerms, PermissionDefaultZones)
 })
 }
+
+func TestIncludesAssumeRole(t *testing.T) {
+ t.Run("Should be true when IAM role specified", func(t *testing.T) {
+ ic := validInstallConfig()
+ ic.AWS.HostedZoneRole = "custom-role"
+ requiredPerms := RequiredPermissionGroups(ic)
+ assert.Contains(t, requiredPerms, PermissionAssumeRole)
+ })
+ t.Run("Should be false when IAM role not specified", func(t *testing.T) {
+ ic := validInstallConfig()
+ requiredPerms := RequiredPermissionGroups(ic)
+ assert.NotContains(t, requiredPerms, PermissionAssumeRole)
+ })
+}
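Review bot: The "Should be false" subtest silently depends on `validInstallConfig()` leaving `ic.AWS.HostedZoneRole` empty, a precondition that is neither visible in the hunk nor asserted, so a later change to that fixture would make this test fail for a reason unrelated to the permission logic. Make the precondition explicit with `ic.AWS.HostedZoneRole = ""` before the `RequiredPermissionGroups(ic)` call, or pin it with `assert.Empty(t, ic.AWS.HostedZoneRole)` at the top of the subtest. `validInstallConfig` is defined outside the hunk.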