Why does OpenShift 4.x IPI installation fail on AWS with IMDSv2 SCP enforcement: "UnauthorizedOperation: ec2:RunInstances"?

Solution Verified

Issue

  • When attempting to install an OpenShift 4.x cluster on AWS using the IPI method, the installation fails with the following error:

    failed to create AWSMachine instance: failed to run instance: UnauthorizedOperation: You are not authorized to perform this operation. is not authorized to perform: ec2:RunInstances on resource: arn:aws:ec2:*:*:instance/* with an explicit deny in a service control policy.

  • How to enforce IMDSv2 in AWS while installing an OpenShift 4.x cluster on AWS using the installer-provisioned infrastructure (IPI) method?
  • When deploying an OpenShift 4.x cluster on AWS using the IPI method, the installation fails due to a Service Control Policy (SCP) that enforces IMDSv2 (Instance Metadata Service v2); how to fix this?
  • How can we configure the installation or the manifest YAML files so that the installer creates the EC2 control plane, bootstrap, and worker nodes with IMDSv2 set to required?
  • Why does openshift-install create cluster fail with "UnauthorizedOperation" and ec2:RunInstances when IMDSv2 is enforced via SCP?
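The following is an added example and is not part of the Red Hat KB article or the OpenShift installer's own code. It models the two halves of this problem: an SCP statement in the shape AWS documents for requiring IMDSv2 (an explicit Deny on ec2:RunInstances with the `ec2:MetadataHttpTokens` condition key, whose Resource matches the ARN in the error above), and the install-config.yaml `metadataService.authentication: Required` parameter that the AWS IPI installer accepts under `platform.aws.defaultMachinePlatform`, `controlPlane.platform.aws` and `compute[].platform.aws`. The sample install-config is constructed, and the precedence modelled in `planned_http_tokens` (pool-level setting over the default machine platform, absent meaning Optional) is an assumption for illustration.

```python
"""Added example (not from the KB article): why an IMDSv2-enforcing SCP denies
the installer's ec2:RunInstances call, and the install-config.yaml settings
that make the installer request IMDSv2 (HttpTokens=required) for its nodes."""
import copy
import json
from typing import Optional

# Constructed SCP statement in the form AWS documents for requiring IMDSv2.
# The Resource is the ARN quoted in the installer's UnauthorizedOperation error.
IMDSV2_SCP_STATEMENT = {
    "Sid": "RequireImdsv2OnRunInstances",
    "Effect": "Deny",
    "Action": "ec2:RunInstances",
    "Resource": "arn:aws:ec2:*:*:instance/*",
    "Condition": {"StringNotEquals": {"ec2:MetadataHttpTokens": "required"}},
}

# Constructed, minimal install-config.yaml already parsed into a dict.
SAMPLE_INSTALL_CONFIG = {
    "apiVersion": "v1",
    "metadata": {"name": "example-cluster"},
    "platform": {"aws": {"region": "us-east-1"}},
    "controlPlane": {"name": "master", "replicas": 3, "platform": {}},
    "compute": [{"name": "worker", "replicas": 3, "platform": {}}],
}


def scp_denies_run_instances(http_tokens: Optional[str],
                             statement: dict = IMDSV2_SCP_STATEMENT) -> bool:
    """True if the explicit-deny statement matches a RunInstances call whose
    MetadataOptions.HttpTokens is `http_tokens`. None means the caller did not
    set it, which leaves IMDSv1 enabled (the 'optional' mode), so the
    StringNotEquals condition still matches and the deny fires."""
    effective = http_tokens if http_tokens is not None else "optional"
    want = statement["Condition"]["StringNotEquals"]["ec2:MetadataHttpTokens"]
    return statement["Effect"] == "Deny" and effective != want


def _dig(obj, *keys):
    """Read a nested key path without mutating; None if any step is missing."""
    for key in keys:
        if not isinstance(obj, dict):
            return None
        obj = obj.get(key)
    return obj


def _aws_section(obj: dict) -> dict:
    """Return obj['platform']['aws'], creating the levels if they are absent
    or null (YAML often parses an empty `platform:` as None)."""
    plat = obj.get("platform") or {}
    obj["platform"] = plat
    aws = plat.get("aws") or {}
    plat["aws"] = aws
    return aws


def require_imdsv2(install_config: dict) -> dict:
    """Return a copy of the install-config with metadataService.authentication
    set to Required for the default machine platform, the control plane pool
    and every compute pool (explicit on each pool as well as the default)."""
    cfg = copy.deepcopy(install_config)
    default_aws = _aws_section(cfg)
    default_aws.setdefault("defaultMachinePlatform", {})["metadataService"] = {
        "authentication": "Required"}
    pools = [cfg.setdefault("controlPlane", {})] + cfg.setdefault("compute", [])
    for pool in pools:
        _aws_section(pool)["metadataService"] = {"authentication": "Required"}
    return cfg


def planned_http_tokens(install_config: dict) -> dict:
    """Map each machine pool to the HttpTokens value the installer will send in
    RunInstances: the pool's own setting, else the defaultMachinePlatform
    setting, else Optional (assumed precedence for this example)."""
    default = _dig(install_config, "platform", "aws", "defaultMachinePlatform",
                   "metadataService", "authentication")
    pools = [("controlPlane", install_config.get("controlPlane") or {})]
    pools += [(p.get("name", "compute"), p) for p in install_config.get("compute") or []]
    planned = {}
    for name, pool in pools:
        own = _dig(pool, "platform", "aws", "metadataService", "authentication")
        planned[name] = "required" if (own or default or "Optional") == "Required" else "optional"
    return planned


if __name__ == "__main__":
    before = planned_http_tokens(SAMPLE_INSTALL_CONFIG)
    after = planned_http_tokens(require_imdsv2(SAMPLE_INSTALL_CONFIG))
    for pool in before:
        print(f"{pool}: before HttpTokens={before[pool]} denied={scp_denies_run_instances(before[pool])}; "
              f"after HttpTokens={after[pool]} denied={scp_denies_run_instances(after[pool])}")
    print(json.dumps(IMDSV2_SCP_STATEMENT, indent=2))
```

Running it shows every pool denied before the change and allowed after. Since the SCP is evaluated per RunInstances call, every machine the installer launches has to carry HttpTokens=required, so after the cluster is up it is worth confirming with `aws ec2 describe-instances` that `MetadataOptions.HttpTokens` is `required` on all nodes, the bootstrap instance included if it still exists; the setting must be in install-config.yaml before `openshift-install create cluster`, as the OpenShift docs note it cannot be changed afterwards.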

Environment

  • Red Hat® OpenShift Container Platform 4.x
  • Installer-provisioned infrastructure (IPI)
  • AWS Cloud Platform
