Alert received for missing permissions in ManagedOpenShift-Support-Role in AWS account

Solution Verified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4.x

Issue

  • An alert, error or notification reports that the support role is missing the EC2:StartInstances, EC2:StopInstances and EC2:ModifyInstanceAttribute permissions

Resolution

  • Check the ManagedOpenShift-Support-Role in the AWS account for the following missing permissions:
    EC2:StartInstances
    EC2:StopInstances
    EC2:ModifyInstanceAttribute

Root Cause

  • The permissions to be added, EC2:StartInstances, EC2:StopInstances and EC2:ModifyInstanceAttribute, are required in situations such as control plane resizing, AWS instance maintenance windows, and occasions where an instance is in an unresponsive state due to etcd or machine config.

Diagnostic Steps

  • Check for the missing permissions with the AWS CLI and add them to the ManagedOpenShift-Support-Role-Policy.json file.

  • You can also check, verify and add the missing permissions by logging into the AWS account web console:

  • Go to IAM Policy > Roles > ManagedOpenShift-Support-Role-Policy and
    check and confirm that the EC2:StartInstances, EC2:StopInstances and EC2:ModifyInstanceAttribute permissions are present:

    {
        "Version": "20XX-XX-XX",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:ModifyInstanceAttribute"
                ],
                "Resource": "*"
            }
        ]
    }
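As an added example (not part of this Red Hat solution), the check below reads an IAM policy document, such as the ManagedOpenShift-Support-Role-Policy.json fetched with `aws iam get-role-policy`, and reports which of the three required actions are not granted. It honours IAM's case-insensitive, wildcard-style action matching and treats an explicit Deny as blocking; the sample policy is constructed for the example, and the role and policy names are taken from this page. It does not evaluate `NotAction` or resource conditions.

```python
import fnmatch
import json

# Permissions the alert names. IAM action names are case-insensitive
# (the page writes EC2:StartInstances, the policy ec2:StartInstances).
REQUIRED_ACTIONS = (
    "ec2:StartInstances",
    "ec2:StopInstances",
    "ec2:ModifyInstanceAttribute",
)

# Constructed sample resembling the fragment on the page: one action is missing,
# and a Deny statement is included to show that it is detected as blocking.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["ec2:StartInstances", "ec2:StopInstances"],
         "Resource": "*"},
        {"Effect": "Deny", "Action": "ec2:ModifyInstanceAttribute", "Resource": "*"},
    ],
})


def _as_list(value):
    """IAM allows "Statement" and "Action" to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def missing_actions(policy_json, required=REQUIRED_ACTIONS):
    """Return the required actions that no Allow statement grants (wildcards such
    as "ec2:*" count) or that any Deny statement matches (resource scope ignored)."""
    policy = json.loads(policy_json)
    allowed, denied = set(), set()
    for stmt in _as_list(policy.get("Statement")):
        patterns = [a.lower() for a in _as_list(stmt.get("Action"))]
        bucket = allowed if stmt.get("Effect") == "Allow" else denied
        for action in required:
            if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
                bucket.add(action)
    return [a for a in required if a not in allowed or a in denied]


def statement_to_add(actions):
    """Build the Allow statement to append to the policy for the missing actions."""
    return {"Effect": "Allow", "Action": list(actions), "Resource": "*"}


if __name__ == "__main__":
    gaps = missing_actions(SAMPLE_POLICY)
    print("missing:", gaps)
    if gaps:
        print(json.dumps(statement_to_add(gaps), indent=4))
```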

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
