Skip to content

OCPBUGS-92831: Add missing IAM permissions to HCP AWS STS role policy#115006

Open
asadawar wants to merge 1 commit into
openshift:mainfrom
asadawar:fix/ocpbugs-92831-hcp-aws-iam-policy
Open

OCPBUGS-92831: Add missing IAM permissions to HCP AWS STS role policy#115006
asadawar wants to merge 1 commit into
openshift:mainfrom
asadawar:fix/ocpbugs-92831-hcp-aws-iam-policy

Conversation

@asadawar

@asadawar asadawar commented Jul 9, 2026

Copy link
Copy Markdown

Summary

  • Add 5 missing IAM permissions to the documented HCP AWS STS CLI role policy in hcp-aws-create-role-sts-creds.adoc
  • Aligns the documented policy with the hypershift source of truth (cmd/infra/aws/create_cli_role.go)

Why this change

The documented IAM policy for creating an AWS STS role for HCP is missing permissions that the hcp CLI expects. A customer following the documented procedure was able to create a cluster, but hcp destroy cluster aws failed with AccessDenied errors during IAM cleanup:

failed to list attached policies for role: iam:ListAttachedRolePolicies ... AccessDenied
failed to list inline policies for role: iam:ListRolePolicies ... AccessDenied

Comparing the documented policy against the hypershift source (cmd/infra/aws/create_cli_role.go), the following 5 permissions are in the source but missing from the docs:

Permission Purpose
iam:ListAttachedRolePolicies Destroy: list managed policies before role deletion
iam:ListRolePolicies Destroy: list inline policies before role deletion
iam:DetachRolePolicy Destroy: detach managed policies before role deletion
iam:TagInstanceProfile Create: tag instance profiles
iam:TagOpenIDConnectProvider Create: tag OIDC providers

The new permissions are inserted in the same position as they appear in the hypershift source to keep the policy consistent.

OCPBUGS-92831: https://redhat.atlassian.net/browse/OCPBUGS-92831

The documented IAM policy for the HCP AWS STS CLI role is missing five
permissions that are present in the hypershift source
(cmd/infra/aws/create_cli_role.go). Without these, hcp destroy cluster
aws fails during IAM cleanup with AccessDenied errors.

Assisted-by: Claude Code
@openshift-ci-robot openshift-ci-robot added jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. labels Jul 9, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: This pull request references Jira Issue OCPBUGS-92831, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Summary

  • Add 5 missing IAM permissions to the documented HCP AWS STS CLI role policy in hcp-aws-create-role-sts-creds.adoc
  • Aligns the documented policy with the hypershift source of truth (cmd/infra/aws/create_cli_role.go)

Why this change

The documented IAM policy for creating an AWS STS role for HCP is missing permissions that the hcp CLI expects. A customer following the documented procedure was able to create a cluster, but hcp destroy cluster aws failed with AccessDenied errors during IAM cleanup:

failed to list attached policies for role: iam:ListAttachedRolePolicies ... AccessDenied
failed to list inline policies for role: iam:ListRolePolicies ... AccessDenied

Comparing the documented policy against the hypershift source (cmd/infra/aws/create_cli_role.go), the following 5 permissions are in the source but missing from the docs:

Permission Purpose
iam:ListAttachedRolePolicies Destroy: list managed policies before role deletion
iam:ListRolePolicies Destroy: list inline policies before role deletion
iam:DetachRolePolicy Destroy: detach managed policies before role deletion
iam:TagInstanceProfile Create: tag instance profiles
iam:TagOpenIDConnectProvider Create: tag OIDC providers

The new permissions are inserted in the same position as they appear in the hypershift source to keep the policy consistent.

OCPBUGS-92831: https://redhat.atlassian.net/browse/OCPBUGS-92831

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jul 9, 2026
@asadawar

asadawar commented Jul 9, 2026

Copy link
Copy Markdown
Author

/label merge-review-needed

@openshift-ci openshift-ci Bot added merge-review-needed Signifies that the merge review team needs to review this PR size/XS Denotes a PR that changes 0-9 lines, ignoring generated files. labels Jul 9, 2026
@asadawar

asadawar commented Jul 9, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: This pull request references Jira Issue OCPBUGS-92831, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@asadawar

asadawar commented Jul 9, 2026

Copy link
Copy Markdown
Author

/jira refresh

@openshift-ci-robot openshift-ci-robot added jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. and removed jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jul 9, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@asadawar: This pull request references Jira Issue OCPBUGS-92831, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

/jira refresh

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@ocpdocs-previewbot

Copy link
Copy Markdown

@openshift-ci

openshift-ci Bot commented Jul 9, 2026

Copy link
Copy Markdown

@asadawar: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

jira/severity-moderate Referenced Jira bug's severity is moderate for the branch this PR is targeting. jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. merge-review-needed Signifies that the merge review team needs to review this PR size/XS Denotes a PR that changes 0-9 lines, ignoring generated files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants