Failed to validate role polices error upgrading ROSA 4.8
Environment
- Red Hat OpenShift Service on AWS (ROSA)
- 4.8
- rosa binary 1.1.4 or previous
Issue
- Unable to apply a patch upgrade to ROSA from 4.8.y to 4.8.z.
- The following error messages are shown when trying to upgrade a ROSA 4.8 cluster using the rosa upgrade cluster command:

    I: Ensuring account and operator role policies for cluster 'xxxxxxxxxxxxxxxxxxxxxxxx' are compatible with upgrade.
    E: Could not validate 'cluster_name' clusters account roles : Failed to validate role polices : InvalidParameter: 1 validation error(s) found.
    - minimum field size of 20, ListPolicyTagsInput.PolicyArn.
Resolution
ROSA clusters created with rosa binary 1.1.4 or older have inline role policies rather than attached policies, which prevents the cluster from being upgraded within 4.8.
The rosa binary 1.1.11 includes the fix for this. Update the rosa CLI to the latest version.
With the rosa CLI updated, the AWS account owner for the cluster to be upgraded must run the following command to enable the necessary AWS permissions. If a prefix was used when the account roles were created, include it with --prefix:
$ rosa create account-roles
After running the above command, run the cluster upgrade command again:
$ rosa upgrade cluster --cluster=[cluster_name]
Root Cause
ROSA clusters created with rosa binary 1.1.4 or older have inline role policies rather than attached policies.
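To see which account roles are in the state described above, the following added example (not part of the original article or of the rosa tooling) uses the AWS CLI to report whether each IAM role carries inline or attached policies. The role names are passed as arguments and are an assumption, since the article does not list them; AWS_CLI is a hypothetical override used for offline testing.

```shell
#!/bin/sh
# Added example: classify IAM roles by policy style (inline vs attached).
# Role names come from the caller; none are taken from the article.

# Hypothetical override so a stub can replace the real AWS CLI offline.
AWS_CLI="${AWS_CLI:-aws}"

# Count items in --output text results; an empty list may print "" or "None".
_count_items() {
  if [ -z "$1" ] || [ "$1" = "None" ]; then echo 0; return; fi
  echo "$1" | wc -w | tr -d ' '
}

# Print one of: inline, attached, mixed, none. Returns 2 if a lookup fails.
role_policy_style() {
  local role="$1" inline attached n_inline n_attached
  inline=$("$AWS_CLI" iam list-role-policies --role-name "$role" \
    --query 'PolicyNames' --output text) || return 2
  attached=$("$AWS_CLI" iam list-attached-role-policies --role-name "$role" \
    --query 'AttachedPolicies[].PolicyArn' --output text) || return 2
  n_inline=$(_count_items "$inline")
  n_attached=$(_count_items "$attached")
  if [ "$n_inline" -gt 0 ] && [ "$n_attached" -gt 0 ]; then echo mixed
  elif [ "$n_inline" -gt 0 ]; then echo inline
  elif [ "$n_attached" -gt 0 ]; then echo attached
  else echo none
  fi
}

# Report every role given; return 1 if any role still has inline policies,
# 2 if a lookup failed (for example a missing role or missing permissions).
check_roles() {
  local rc=0 role style
  for role in "$@"; do
    style=$(role_policy_style "$role") || {
      echo "$role: lookup failed" >&2; rc=2; continue; }
    printf '%s: %s\n' "$role" "$style"
    case "$style" in
      inline|mixed) if [ "$rc" -eq 0 ]; then rc=1; fi ;;
    esac
  done
  return "$rc"
}

# Run the check only when role names are supplied on the command line.
if [ "$#" -gt 0 ]; then check_roles "$@"; fi
```

Run it with the account role names as arguments before and after rosa create account-roles; a non-zero exit status means at least one role still has inline policies or could not be read.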