ROSA Cluster Installation fails with error 403 due to missing iam:GetPolicy in ocm-role policy
Environment
- Red Hat OpenShift Service on AWS (ROSA)
- v4
Issue
- A new ROSA cluster cannot be created, either from the GUI or with the CLI: the installation request fails with an HTTP 403 error.
Sample Error:
Resolution
- The ocm-role policy must grant at least the permissions below. The sample uses "Resource": "*"; the ec2:Describe* actions do not support resource-level restrictions, so "*" is required for those, while the iam:* actions can be scoped to specific role and policy ARNs if your security policy requires it.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": [
        "iam:GetRole",
        "sts:AssumeRole",
        "iam:ListRoleTags",
        "iam:GetPolicy",
        "ec2:DescribeInstanceTypeOfferings",
        "ec2:DescribeVpcs",
        "ec2:DescribeRegions",
        "iam:ListRoles",
        "sts:AssumeRoleWithWebIdentity",
        "iam:GetOpenIDConnectProvider",
        "ec2:DescribeSubnets",
        "ec2:DescribeRouteTables"
      ],
      "Resource": "*"
    }
  ]
}
Root Cause
- The ocm-role policy did not include "iam:GetPolicy", so the API call that requires it was denied and cluster creation failed with a 403.
Diagnostic Steps
- In the AWS IAM console, check the ocm-role policy and the ocm-role admin policy attached to the ocm-role and confirm that "iam:GetPolicy" is listed among the allowed actions.
- If you do not have permission to view or edit the role, ask the AWS administrator who issued your IAM user's credentials; they may need to make the change on your behalf.
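The following script is an added example (not Red Hat or AWS tooling) that performs the diagnostic check above offline: it parses an IAM policy document and reports which of the actions from the Resolution's policy are not allowed, honouring "*" and "?" wildcards, NotAction, and explicit Deny statements. The two policy documents embedded in it are constructed for the example: the first is the Resolution's policy with "iam:GetPolicy" left out (the state that produced the 403), the second is the corrected one. Resource and Condition elements are deliberately not evaluated, so a statement scoped to a narrower Resource may pass this check and still be denied by AWS.

```python
"""Offline check: does an IAM policy document allow every action the ROSA ocm-role needs?

Added example, not Red Hat's or AWS's code. REQUIRED_ACTIONS is the action list
from the ocm-role policy in the Resolution; the sample policies below are constructed.
"""
import json
import sys
from fnmatch import fnmatchcase

REQUIRED_ACTIONS = [
    "iam:GetRole", "sts:AssumeRole", "iam:ListRoleTags", "iam:GetPolicy",
    "ec2:DescribeInstanceTypeOfferings", "ec2:DescribeVpcs", "ec2:DescribeRegions",
    "iam:ListRoles", "sts:AssumeRoleWithWebIdentity", "iam:GetOpenIDConnectProvider",
    "ec2:DescribeSubnets", "ec2:DescribeRouteTables",
]


def _as_list(value):
    """IAM accepts either a string or a list for Statement, Action and NotAction."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _matches(pattern, action):
    """IAM action names are case-insensitive and patterns may use * and ? wildcards."""
    return fnmatchcase(action.lower(), pattern.lower())


def statement_covers(statement, action):
    """True if the statement applies to `action`, via Action or NotAction."""
    if "Action" in statement:
        return any(_matches(p, action) for p in _as_list(statement["Action"]))
    if "NotAction" in statement:
        return not any(_matches(p, action) for p in _as_list(statement["NotAction"]))
    return False


def action_allowed(policy, action):
    """An action is allowed only if some statement allows it and none denies it.

    Resource and Condition are ignored (treated as "*" / satisfied), so a
    conditional Deny still counts as a Deny: the check errs on the safe side.
    """
    allowed = False
    for statement in _as_list(policy.get("Statement")):
        if not statement_covers(statement, action):
            continue
        if statement.get("Effect") == "Deny":
            return False
        if statement.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not allow, in REQUIRED_ACTIONS order."""
    return [a for a in required if not action_allowed(policy, a)]


# Constructed sample: the Resolution's policy without iam:GetPolicy (the broken state).
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Sid": "VisualEditor0",
        "Effect": "Allow",
        "Action": [a for a in REQUIRED_ACTIONS if a != "iam:GetPolicy"],
        "Resource": "*",
    }],
}

# Constructed sample: the same policy with iam:GetPolicy added back (the fixed state).
FIXED_POLICY = json.loads(json.dumps(BROKEN_POLICY))
FIXED_POLICY["Statement"][0]["Action"].append("iam:GetPolicy")


if __name__ == "__main__":
    # Usage: python check_ocm_role.py policy.json   (or no argument for the built-in samples)
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            doc = json.load(fh)
        print("missing:", missing_actions(doc) or "none")
    else:
        print("broken sample missing:", missing_actions(BROKEN_POLICY))  # ['iam:GetPolicy']
        print("fixed sample missing:", missing_actions(FIXED_POLICY))    # []
```

To run it against the real role, export the attached policy document with `aws iam list-attached-role-policies --role-name <ocm-role>`, then `aws iam get-policy --policy-arn <arn>` (for DefaultVersionId) and `aws iam get-policy-version --policy-arn <arn> --version-id <id>`; the document is the `PolicyVersion.Document` object (inline policies come from `aws iam get-role-policy`). As a live cross-check that does evaluate Resource and Condition, `aws iam simulate-principal-policy --policy-source-arn <ocm-role arn> --action-names iam:GetPolicy` returns `EvalDecision` per action.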
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.