Note: This is a beta release of Red Hat Bugzilla 5.0. The data contained within is a snapshot of the live data so any changes you make will not be reflected in the production Bugzilla. Also email is disabled so feel free to test any aspect of the site that you want. File any problems you find or give feedback here.
Bug 1687568 - [DOCS] Document AWS permissions for IAM user used by openshift-install
Summary: [DOCS] Document AWS permissions for IAM user used by openshift-install
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Documentation
Version: 4.1
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: 4.1.0
Assignee: Kathryn Alexander
QA Contact: Johnny Liu
Vikram Goyal
Depends On:
TreeView+ depends on / blocked
Reported: 2019-03-11 18:35 UTC by Andrew Sullivan
Modified: 2019-03-12 14:27 UTC (History)
4 users (show)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-03-12 01:47:41 UTC
Target Upstream Version:

Attachments (Terms of Use)

Description Andrew Sullivan 2019-03-11 18:35:56 UTC
Document URL: 

Section Number and Name: 

Describe the issue: 
AWS permissions needed by openshift-install are undocumented, leading to issues for customers which implement stringent control for IAM roles.

Suggestions for improvement: 
Please document the specific permissions and provide a guide for how to create an IAM account with the correct permissions/roles for openshift-install to succeed without having "full administrator" access to the AWS account.

Existing beta customers are sent to this page (, which creates an administrator user.

Additional information:

Comment 1 W. Trevor King 2019-03-11 19:57:54 UTC
> Existing beta customers are sent to this page (, which creates an administrator user.

Which documents a path that works ;).  Since [1], the installer has hard-coded a set of credentials that it checks for in user-supplied credentials.  We could document that set, but it's brittle, because several of the pass-through permissions are used by operators and other in-cluster components and not directly by the installer.  To be more robust in the face of operator changes, we'd ideally scrape operator permission requirement out of credential-request custom resources in the release image.  So we'll probably have an 'openshift-install info aws permissions' or some-such that can write policy JSON to stdout, so users can see what's needed by the particular release image they're considering installing.  This is all very early-stage planning, so feedback welcome :).


Comment 2 Vikram Goyal 2019-03-12 01:47:41 UTC
This is documented in the WIP product docs here:

I am closing this bug. Feel free to file a new one if there are issues in the provided documentation.

Note You need to log in before you can comment on or make changes to this bug.