Skip to content

OCPBUGS-63305: Make SimulatePrincipalPolicy optional #10081

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

OCPBUGS-63305: Make SimulatePrincipalPolicy optional #10081

wants to merge 1 commit into from
+11 −3

Conversation

@barbacbd
Copy link
Contributor

@barbacbd barbacbd commented Nov 13, 2025

Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes. Instead it will be required when a credential mode is not set.

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 13, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 13, 2025

@barbacbd: This pull request references Jira Issue OCPBUGS-63305, which is invalid:

  • expected the bug to target the "4.21.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

In response to this:

Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes. Instead it will be required when a credential mode is not set.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@barbacbd
Copy link
Contributor Author

barbacbd commented Nov 13, 2025

/cc @tthvo
/cc @patrickdillon

@barbacbd
Copy link
Contributor Author

barbacbd commented Nov 13, 2025

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Nov 13, 2025
@openshift-ci-robot
Copy link
Contributor

openshift-ci-robot commented Nov 13, 2025

@barbacbd: This pull request references Jira Issue OCPBUGS-63305, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (4.21.0) matches configured target version for branch (4.21.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)

Requesting review from QA contact:
/cc @gpei

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

tthvo
tthvo reviewed Nov 13, 2025
View reviewed changes
pkg/asset/permissions/permissions.go Outdated
Comment on lines 57 to 61
case "":
reqGroups = append(reqGroups, awsconfig.PermissionEmptyCreds)
default:
// Include permissions needed by CCO/cluster for mint creds mode
reqGroups = append(reqGroups, awsconfig.PermissionMintCreds)
Copy link
Member

@tthvo tthvo Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
case "":
reqGroups = append(reqGroups, awsconfig.PermissionEmptyCreds)
default:
// Include permissions needed by CCO/cluster for mint creds mode
reqGroups = append(reqGroups, awsconfig.PermissionMintCreds)
default:
// Include permissions needed by installer and CCO to perform permission checks.
if ic.Config.CredentialsMode == "" {
reqGroups = append(reqGroups, awsconfig.PermissionEmptyCreds)
}
// Include permissions needed by CCO/cluster for mint creds mode
reqGroups = append(reqGroups, awsconfig.PermissionMintCreds)

The empty credentialsMode is basically Mint + SimulatePrincipalPolicy for permission check right?

Copy link
Member

@tthvo tthvo Nov 13, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Otherwise, if when the default credential mode is used, the installer says that only SimulatePrincipalPolicy is required, which is not right?

@tthvo
Copy link
Member

tthvo commented Nov 14, 2025

Looks like have a tiny problem 🤔 related to #10081 (comment). Jobs are failing with:

level=warning msg=Action not allowed with tested creds action=iam:CreateAccessKey
level=warning msg=Action not allowed with tested creds action=iam:CreateUser
level=warning msg=Action not allowed with tested creds action=iam:DeleteUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Action not allowed with tested creds action=iam:PutUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:TagUser
level=warning msg=Tested creds not able to perform all requested actions
level=warning msg=Action not allowed with tested creds action=s3:PutLifecycleConfiguration
level=warning msg=Action not allowed with tested creds action=s3:ListBucketMultipartUploads
level=warning msg=Action not allowed with tested creds action=s3:AbortMultipartUpload
level=warning msg=Action not allowed with tested creds action=iam:GetUserPolicy
level=warning msg=Action not allowed with tested creds action=iam:ListAccessKeys
level=warning msg=Tested creds not able to perform all requested actions
level=fatal msg=failed to fetch Cluster: failed to fetch dependency of "Cluster": failed to generate asset
"Platform Permissions Check": validate AWS credentials: AWS credentials cannot be used to either create
new creds or use as-is
Installer exit with code 1

@barbacbd
OCPBUGS-63305: Make SimulatePrincipalPolicy optional
991c8a0 
Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes.
Instead it will be required when a credential mode is not set.
@barbacbd
Copy link
Contributor Author

barbacbd commented Nov 14, 2025

/retest-required

@patrickdillon
Copy link
Contributor

patrickdillon commented Nov 14, 2025

/approve

@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 14, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: patrickdillon

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Nov 14, 2025
@patrickdillon
Copy link
Contributor

patrickdillon commented Nov 14, 2025

/hold

It seems CCO does require this: https://redhat-internal.slack.com/archives/C68TNFWA2/p1763145109506449?thread_ts=1760641140.491929&cid=C68TNFWA2

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Nov 14, 2025
@openshift-ci
Copy link
Contributor

openshift-ci bot commented Nov 14, 2025

@barbacbd: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/okd-scos-e2e-aws-ovn 991c8a0 link false /test okd-scos-e2e-aws-ovn
ci/prow/e2e-aws-ovn-imdsv2 991c8a0 link false /test e2e-aws-ovn-imdsv2
ci/prow/e2e-aws-byo-subnet-role-security-groups 991c8a0 link false /test e2e-aws-byo-subnet-role-security-groups
ci/prow/e2e-aws-ovn-heterogeneous 991c8a0 link false /test e2e-aws-ovn-heterogeneous

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@patrickdillon patrickdillon Awaiting requested review from patrickdillon

@gpei gpei Awaiting requested review from gpei

@mtulio mtulio Awaiting requested review from mtulio

@pawanpinjarkar pawanpinjarkar Awaiting requested review from pawanpinjarkar

1 more reviewer

@tthvo tthvo tthvo left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@barbacbd @openshift-ci-robot @tthvo @patrickdillon