Cluster installation failed with error code OCM3033: AWSInsufficientPermissions

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Container Platform (RHOCP) 4
  • Red Hat OpenShift Service on AWS (ROSA) 4
  • Red Hat OpenShift Dedicated (OSD) 4
  • AWS

Issue

  • Cluster installation fails with error OCM3033: AWSInsufficientPermissions.
  • The following messages are observed in the OCM web console and in the install logs:

    current credentials insufficient for performing cluster installation
    
    UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message
    

Resolution

The cluster installation is blocked because the AWS account used to provision the cluster is missing some of the required privileges. Ensure that the prerequisites are met before installing ROSA.

To resolve this, review and validate the prerequisites required on the AWS account for the installation to succeed. For more information about ROSA prerequisites, refer to the official document on AWS prerequisites for ROSA. The rosa verify permissions command can be used to check the permissions.

If the cluster is a ROSA cluster with STS, refer to the official documentation on AWS prerequisites for ROSA with STS. The permissions can be reviewed as explained in How to check the permissions for AWS roles needed for ROSA STS clusters?, and the required account-roles and operator-roles can be created or updated directly with the following commands (if a prefix is used for the account-roles, add --prefix [prefix_name] to the account-roles command):

$ rosa create account-roles -f
$ rosa create operator-roles -c ${CLUSTER} -f

If additional help from Red Hat is needed, please open a support case.

Root Cause

This issue arises when the AWS account used to provision the cluster is missing some of the required privileges. Customers should ensure that the prerequisites are met before installing ROSA.

In some cases, a Service Control Policy (SCP) prevents the required calls to AWS. Service control policy (SCP) management is the responsibility of the customer. These policies are maintained in AWS Organizations and control what services are available within the attached AWS accounts.

For more information, please refer to the documentation on Minimum required service control policy (SCP).

Note: The minimum SCP requirement does not apply when using AWS security token service (STS).

Diagnostic Steps

Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.

It's possible to check if there are missing permissions for deploying a ROSA STS cluster with the script in Verify Permissions for ROSA STS Deployment.
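The "Encoded authorization failure message" quoted in the Issue section can be decoded to show exactly which API call was denied and whether an explicit Deny (for example from an SCP) caused it. The following helper is an added example, not part of this solution or of the rosa CLI; it assumes the aws CLI is configured for the installing account and that the caller is allowed to call sts:DecodeAuthorizationMessage. The log line and JSON used below are constructed samples.

```shell
#!/bin/sh
# Added diagnostic helper (not from the original solution or the rosa CLI).
# Extracts the encoded authorization failure message from an install log,
# decodes it through STS, and summarizes the denied action and resource.
# Assumes: aws CLI configured for the account and sts:DecodeAuthorizationMessage allowed.

# Print the first encoded blob that follows the marker text in the given log text.
extract_encoded_message() {
    printf '%s\n' "$1" |
        sed -n 's|.*Encoded authorization failure message:[[:space:]]*\([A-Za-z0-9+/=_-]*\).*|\1|p' |
        head -n 1
}

# Ask STS to decode the blob; prints the DecodedMessage JSON string.
decode_authorization_message() {
    aws sts decode-authorization-message \
        --encoded-message "$1" \
        --query DecodedMessage --output text
}

# Reduce the decoded JSON to the fields triage needs: action, resource, explicitDeny.
# explicitDeny=true means an explicit Deny statement (such as an SCP) blocked the call;
# false means no policy granted the action at all (missing Allow).
summarize_decoded() {
    compact=$(printf '%s' "$1" | tr -d ' \n\t\r')
    action=$(printf '%s' "$compact" | sed -n 's/.*"action":"\([^"]*\)".*/\1/p')
    resource=$(printf '%s' "$compact" | sed -n 's/.*"resource":"\([^"]*\)".*/\1/p')
    deny=$(printf '%s' "$compact" | sed -n 's/.*"explicitDeny":\([a-z]*\).*/\1/p')
    printf 'action=%s resource=%s explicitDeny=%s\n' "$action" "$resource" "$deny"
}

# Constructed sample log line; the blob is a placeholder, not a real STS message.
SAMPLE_LOG='level=error msg="UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: AbCdEfGh0123-_ status code: 403"'

# Usage against a real log file (path is an assumption):
#   summarize_decoded "$(decode_authorization_message "$(extract_encoded_message "$(cat install.log)")")"
```

Compare the reported action against the prerequisites document: an explicitDeny on a required action points at an SCP to adjust, while a plain denial points at a missing Allow in the installer's policy or role.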

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
