Cluster installation failed with error code OCM3031: ErrorDeletingIAMRole


Environment

  • Red Hat OpenShift Container Platform (OCP 4)
  • Red Hat OpenShift Service on AWS (ROSA 4)
  • Red Hat OpenShift Dedicated 4 (OSD 4)

Issue

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

  • Cluster installation failed with error code OCM3031: ErrorDeletingIAMRole.
  • The following error is observed in the install logs:
Error deleting IAM Role (role-name): DeleteConflict: Cannot delete entity, must detach all policies first.\nlevel=error msg=\tstatus code: 409

Resolution

The cluster installation was blocked because the installer was not able to delete the roles it used during the installation. To unblock it, ensure that no policies are attached to new roles by default.

To list all managed policies that are attached to the specified role, execute the following command:

aws iam list-attached-role-policies --role-name <role-name>

This command returns the names and ARNs of the managed policies attached to the IAM role in the AWS account:

Example Output:

{
  "AttachedPolicies": [
    {
      "PolicyName": "SecurityAudit",
      "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"
    }
  ],
  "IsTruncated": false
}

If there are no policies attached to the specified role (or none that match the specified path prefix), the operation returns an empty list.
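The check above can be tied back to the install log. The following is an added example, not Red Hat's or the installer's code: it extracts the role names from the DeleteConflict error, reads the JSON returned by list-attached-role-policies, and prints the matching aws iam detach-role-policy command for each attached policy so it can be reviewed. The role name in the sample log is a constructed placeholder.

```python
import json
import re
import shlex

# Installer error quoted in this article; the group captures the role name.
ROLE_ERR = re.compile(
    r"Error deleting IAM Role \((?P<role>[^)]+)\): DeleteConflict: "
    r"Cannot delete entity, must detach all policies first"
)

def blocked_roles(install_log):
    """Unique role names the installer failed to delete, in log order."""
    roles = []
    for match in ROLE_ERR.finditer(install_log):
        if match.group("role") not in roles:
            roles.append(match.group("role"))
    return roles

def report(role, cli_json):
    """Summarise `aws iam list-attached-role-policies` output for one role."""
    doc = json.loads(cli_json)
    policies = doc.get("AttachedPolicies", [])
    lines = [f"{role}: {len(policies)} managed policy(ies) attached"]
    for policy in policies:
        lines.append(f"  {policy['PolicyName']}  {policy['PolicyArn']}")
        # Printed for review only; nothing is executed against AWS here.
        lines.append("  aws iam detach-role-policy --role-name "
                     f"{shlex.quote(role)} --policy-arn {shlex.quote(policy['PolicyArn'])}")
    if doc.get("IsTruncated"):
        lines.append("  IsTruncated is true: this list is incomplete")
    return lines

# Constructed sample input: the role name is a placeholder, not a real role.
SAMPLE_LOG = (
    "level=error msg=Error deleting IAM Role (example-bootstrap-role): "
    "DeleteConflict: Cannot delete entity, must detach all policies first.\n"
    "level=error msg=\tstatus code: 409\n"
)
# The example output shown above in this article.
SAMPLE_JSON = """{"AttachedPolicies": [{"PolicyName": "SecurityAudit",
  "PolicyArn": "arn:aws:iam::aws:policy/SecurityAudit"}], "IsTruncated": false}"""

if __name__ == "__main__":
    for name in blocked_roles(SAMPLE_LOG):
        print("\n".join(report(name, SAMPLE_JSON)))
```

A policy that reappears on the role after being detached points to the automatic attachment described under Root Cause.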

For more information about the list-attached-role-policies command, please refer to the official documentation from AWS.

If you need help from Red Hat, please open a support case with us by clicking here.

Root Cause

The installer was not able to delete the temporary roles it created during the installation. This is most likely to happen when background processes automatically attach policies to new roles by default.
