Skip to content

OCPBUGS-94238: Add missing CLI IAM role policy entry#8883

Merged
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ironcladlou:sts-role-fix
Jul 2, 2026
Merged

OCPBUGS-94238: Add missing CLI IAM role policy entry#8883
openshift-merge-bot[bot] merged 1 commit into
openshift:mainfrom
ironcladlou:sts-role-fix

Conversation

@ironcladlou

@ironcladlou ironcladlou commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

Before this commit, clusters created via the CLI with --sts-creds couldn't be fully deleted due to a missing iam:ListRolePolicies policy entry, preventing IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow can be deleted.

There's currently no e2e coverage for the STS flow at all, which should be addressed in a followup.

Fixes OCPBUGS-94238

Summary by CodeRabbit

  • Bug Fixes
    • Expanded AWS CLI role permissions to support additional IAM role policy listing during setup and management.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: LGTM mode

@openshift-ci-robot openshift-ci-robot added jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. labels Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: This pull request references Jira Issue OCPBUGS-94238, which is invalid:

  • expected the bug to target the "5.0.0" version, but no target version was set

Comment /jira refresh to re-evaluate validity if changes to the Jira bug are made, or edit the title of this pull request to link to a different bug.

The bug has been updated to refer to the pull request using the external bug tracker.

Details

In response to this:

Before this commit, clusters created via the CLI with --sts-creds couldn't be fully deleted due to a missing iam:ListRolePolicies policy entry, preventing IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow can be deleted.

There's currently no e2e coverage for the STS flow at all, which should be addressed in a followup.

Fixes OCPBUGS-94238

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai

coderabbitai Bot commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 9c403ade-8cd9-4092-8c71-f56b44eb7f7f

📥 Commits

Reviewing files that changed from the base of the PR and between 41dea99 and cb988a3.

📒 Files selected for processing (1)
  • cmd/infra/aws/create_cli_role.go
🚧 Files skipped from review as they are similar to previous changes (1)
  • cmd/infra/aws/create_cli_role.go

📝 Walkthrough

Walkthrough

This change adds the iam:ListRolePolicies action to the Action list within the embedded cliRolePolicy IAM permissions policy JSON in cmd/infra/aws/create_cli_role.go. No other code, declarations, or interfaces are affected. The change is a single-line addition to a static IAM policy statement.

🚥 Pre-merge checks | ✅ 11
✅ Passed checks (11 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly matches the change: it adds a missing CLI IAM role policy entry for the STS cleanup flow.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names ✅ Passed Only cmd/infra/aws/create_cli_role.go changed, and it contains no Ginkgo test titles or test files.
Test Structure And Quality ✅ Passed PR only changes cmd/infra/aws/create_cli_role.go policy text; no Ginkgo tests or cluster waits were added or modified.
Topology-Aware Scheduling Compatibility ✅ Passed The PR only adds iam:ListRolePolicies to an IAM policy in cmd/infra/aws/create_cli_role.go; no manifests, replicas, affinities, node selectors, or controller scheduling logic changed.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only cmd/infra/aws/create_cli_role.go changed; it updates IAM policy text and adds no Ginkgo e2e tests or network-facing code.
No-Weak-Crypto ✅ Passed The change only adds iam:ListRolePolicies to an IAM policy string; no weak crypto, custom crypto, or secret-comparison APIs are present.
Container-Privileges ✅ Passed The change only adds iam:ListRolePolicies in cmd/infra/aws/create_cli_role.go; no container/K8s manifest privilege settings were introduced.
No-Sensitive-Data-In-Logs ✅ Passed The PR only adds iam:ListRolePolicies to an IAM policy; no new logging or sensitive-data exposure was introduced.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@openshift-ci openshift-ci Bot added area/cli Indicates the PR includes changes for CLI area/platform/aws PR/issue for AWS (AWSPlatform) platform and removed do-not-merge/needs-area labels Jun 30, 2026
@openshift-ci openshift-ci Bot requested review from enxebre and sdminonne June 30, 2026 20:44
@openshift-ci-robot openshift-ci-robot added the jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. label Jun 30, 2026
@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: This pull request references Jira Issue OCPBUGS-94238, which is valid. The bug has been moved to the POST state.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state New, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Before this commit, clusters created via the CLI with --sts-creds couldn't be fully deleted due to a missing iam:ListRolePolicies policy entry, preventing IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow can be deleted.

There's currently no e2e coverage for the STS flow at all, which should be addressed in a followup.

Fixes OCPBUGS-94238

Summary by CodeRabbit

  • Bug Fixes
  • Expanded AWS role permissions to support additional IAM role policy listing during setup and management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot removed the jira/invalid-bug Indicates that a referenced Jira bug is invalid for the branch this PR is targeting. label Jun 30, 2026
Before this commit, clusters created via the CLI with `--sts-creds` couldn't be
fully deleted due to a missing `iam:ListRolePolicies` policy entry, preventing
IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow
can be deleted.

Fixes OCPBUGS-94238
@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: This pull request references Jira Issue OCPBUGS-94238, which is valid.

3 validation(s) were run on this bug
  • bug is open, matching expected state (open)
  • bug target version (5.0.0) matches configured target version for branch (5.0.0)
  • bug is in the state POST, which is one of the valid states (NEW, ASSIGNED, POST)
Details

In response to this:

Before this commit, clusters created via the CLI with --sts-creds couldn't be fully deleted due to a missing iam:ListRolePolicies policy entry, preventing IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow can be deleted.

There's currently no e2e coverage for the STS flow at all, which should be addressed in a followup.

Fixes OCPBUGS-94238

Summary by CodeRabbit

  • Bug Fixes
  • Expanded AWS CLI role permissions to support additional IAM role policy listing during setup and management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@codecov

codecov Bot commented Jun 30, 2026

Copy link
Copy Markdown

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 43.19%. Comparing base (2d2b2d0) to head (cb988a3).
⚠️ Report is 50 commits behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #8883      +/-   ##
==========================================
+ Coverage   43.11%   43.19%   +0.07%     
==========================================
  Files         766      767       +1     
  Lines       94870    94910      +40     
==========================================
+ Hits        40907    40997      +90     
+ Misses      51115    51050      -65     
- Partials     2848     2863      +15     
Files with missing lines Coverage Δ
cmd/infra/aws/create_cli_role.go 0.00% <ø> (ø)

... and 9 files with indirect coverage changes

Flag Coverage Δ
cmd-support 36.43% <ø> (+0.01%) ⬆️
cpo-hostedcontrolplane 45.31% <ø> (+0.04%) ⬆️
cpo-other 45.10% <ø> (ø)
hypershift-operator 53.53% <ø> (+0.24%) ⬆️
other 31.69% <ø> (ø)

Flags with carried forward coverage won't be shown. Click here to find out more.

🚀 New features to boost your workflow:
  • ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.

@csrwng

csrwng commented Jun 30, 2026

Copy link
Copy Markdown
Contributor

/approve

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 30, 2026

@devguyio devguyio left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

/lgtm

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 1, 2026
@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Scheduling tests matching the pipeline_run_if_changed or not excluded by pipeline_skip_if_only_changed parameters:
/test e2e-aks
/test e2e-aws
/test e2e-aws-upgrade-hypershift-operator
/test e2e-azure-v2-self-managed
/test e2e-kubevirt-aws-ovn-reduced
/test e2e-v2-aws
/test e2e-v2-gke

@openshift-ci

openshift-ci Bot commented Jul 1, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: csrwng, devguyio, ironcladlou

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/refresh

@hypershift-jira-solve-ci

Copy link
Copy Markdown

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aks | Build: 2072342552131932160 | Cost: $4.79076885 | Failed step: hypershift-azure-run-e2e

View full analysis report


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@cwbotbot

cwbotbot commented Jul 1, 2026

Copy link
Copy Markdown

Test Results

e2e-aws

e2e-aks

@hypershift-jira-solve-ci

Copy link
Copy Markdown

AI Test Failure Analysis

Job: pull-ci-openshift-hypershift-main-e2e-aws | Build: 2072342552178069504 | Cost: $2.69378125 | Failed step: hypershift-aws-run-e2e-nested

View full analysis report


Generated by hypershift-analyze-e2e-failure post-step using Claude claude-opus-4-6

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/retest

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/retest

@hypershift-jira-solve-ci

Copy link
Copy Markdown

I now have all the evidence I need. Let me produce the final report.

Test Failure Analysis Complete

Job Information

  • Prow Job: pull-ci-openshift-hypershift-main-e2e-aws
  • Build ID: 2072404193179602944
  • Target: e2e-aws
  • PR: #8883 — OCPBUGS-94238: Add missing CLI IAM role policy entry
  • Result: 645 tests run, 30 skipped, 2 failures (both in TestCreateClusterPrivateWithRouteKAS)

Test Failure Analysis

Error

fixture.go:333: Failed to wait for infra resources in guest cluster to be deleted: context deadline exceeded
fixture.go:340: Failed to clean up 3 remaining resources for guest cluster
  - arn:aws:elasticloadbalancing:…/a0c89d06dca8f4ec3aa300c7e614fa5f (openshift-ingress/router-default NLB)
  - arn:aws:ec2:…:volume/vol-0104d565a1426385a (CAPI worker node volume)
  - arn:aws:ec2:…:volume/vol-0f532f44cb7eee114 (CAPI worker node volume)
--- FAIL: TestCreateClusterPrivateWithRouteKAS/Teardown (1360.93s)

Summary

The TestCreateClusterPrivateWithRouteKAS test passed all functional subtests (ValidateHostedCluster, Main/SwitchFromPrivateToPublic, Main/SwitchFromPublicToPrivate, EnsureHostedCluster) and only failed during Teardown. After the hosted cluster private-s9fnr was destroyed, the post-deletion validation function (validateAWSGuestResourcesDeletedFunc in fixture.go) polls AWS for up to 15 minutes waiting for tagged infrastructure resources to be fully removed. Three AWS resources — the ingress router's NLB and two CAPI worker node root volumes — were not deleted within that 15-minute window, causing a context deadline exceeded error. This is an infrastructure cleanup timing flake unrelated to the PR's code change.

Root Cause

The root cause is an AWS infrastructure cleanup timeout during test teardown, not a product bug or a regression from PR #8883.

What happened step by step:

  1. The test created a private hosted cluster e2e-clusters-mfg2f/private-s9fnr with Route-based KAS endpoint.
  2. All functional test assertions passed successfully (cluster creation in 38s, switching between private/public, validation checks).
  3. During Teardown, the test framework called destroyCluster() which completed successfully — hypershift_framework.go:591: Destroyed cluster.
  4. After cluster destruction, validateAWSGuestResourcesDeletedFunc (fixture.go) polls the AWS Resource Groups Tagging API every 20 seconds for up to 15 minutes to verify all tagged resources are gone.
  5. Three resources remained after the 15-minute timeout:
    • 1 NLB (net/a0c89d06dca8f4ec3aa300c7e614fa5f) — the openshift-ingress/router-default Service LoadBalancer. NLB deletion in AWS can be delayed when dependent security groups or ENIs are still being cleaned up.
    • 2 EC2 volumes (vol-0104d565a1426385a, vol-0f532f44cb7eee114) — root volumes of CAPI-managed worker nodes (private-s9fnr-us-east-1a-j588p-2hnjd and j588p-6mg8g). These volumes persist until the underlying EC2 instances are fully terminated and AWS completes its internal cleanup.

Why this is unrelated to PR #8883:

  • PR OCPBUGS-94238: Add missing CLI IAM role policy entry #8883 adds a single IAM permission (iam:ListRolePolicies) to the CLI role policy in cmd/infra/aws/create_cli_role.go. This affects IAM role cleanup in STS flows.
  • The teardown failure involves ELB and EC2 volume resources — a completely independent code path from IAM role management.
  • The TestCreateClusterPrivateWithRouteKAS test does not exercise the STS flow. The PR itself notes: "There's currently no e2e coverage for the STS flow at all."
  • This type of AWS resource cleanup timeout is a known source of flakiness in HyperShift e2e tests.
Recommendations
  1. Retry the job — This is a teardown-only flake. The /retest command should produce a clean pass since all functional test assertions succeeded.
  2. No code changes needed for this PR — The failure is completely unrelated to the iam:ListRolePolicies policy addition.
  3. For the HyperShift team (longer-term): The 15-minute timeout in validateAWSGuestResourcesDeletedFunc may be insufficient for clusters that create NLBs, as AWS NLB deletion can take 15+ minutes when dependent resources (security groups, ENIs) are queued for deletion. Consider increasing the timeout or adding exponential backoff with longer tail waits.
Evidence
Evidence Detail
Test result 645 tests run, 30 skipped, 2 failures — both TestCreateClusterPrivateWithRouteKAS and its Teardown subtest
All subtests passed ValidateHostedCluster ✅, Main/SwitchFromPrivateToPublic ✅, Main/SwitchFromPublicToPrivate ✅, EnsureHostedCluster (14 subtests) ✅
Teardown duration 1360.93s (22.7 minutes)
Failure location fixture.go:333validateAWSGuestResourcesDeletedFunc post-deletion resource polling
Remaining resources 1 NLB (openshift-ingress/router-default), 2 EC2 volumes (CAPI worker node root disks)
Cluster destroyed hypershift_framework.go:591: Destroyed cluster. Namespace: e2e-clusters-mfg2f, name: private-s9fnr
PR #8883 change Single line addition: "iam:ListRolePolicies" in cmd/infra/aws/create_cli_role.go — IAM permissions, not infrastructure cleanup
PR scope STS CLI IAM role policy — no e2e coverage for STS flow exists; unrelated to teardown resource cleanup
Failed step hypershift-aws-run-e2e-nested (test phase)
Analyze step hypershift-analyze-e2e-failure timed out waiting for artifacts (600s) — no additional analysis available

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/retest

@ironcladlou

Copy link
Copy Markdown
Contributor Author

/verified by "manual testing"

@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: This PR has been marked as verified by "manual testing".

Details

In response to this:

/verified by "manual testing"

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci-robot openshift-ci-robot added the verified Signifies that the PR passed pre-merge verification criteria label Jul 2, 2026
@openshift-ci

openshift-ci Bot commented Jul 2, 2026

Copy link
Copy Markdown
Contributor

@ironcladlou: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 9aeb1f3 into openshift:main Jul 2, 2026
39 checks passed
@openshift-ci-robot

Copy link
Copy Markdown

@ironcladlou: Jira Issue Verification Checks: Jira Issue OCPBUGS-94238
✔️ This pull request was pre-merge verified.
✔️ All associated pull requests have merged.
✔️ All associated, merged pull requests were pre-merge verified.

Jira Issue OCPBUGS-94238 has been moved to the MODIFIED state and will move to the VERIFIED state when the change is available in an accepted nightly payload. 🕓

Details

In response to this:

Before this commit, clusters created via the CLI with --sts-creds couldn't be fully deleted due to a missing iam:ListRolePolicies policy entry, preventing IAM role cleanup.

This commit corrects the policy so all IAM resources created by the CLI flow can be deleted.

There's currently no e2e coverage for the STS flow at all, which should be addressed in a followup.

Fixes OCPBUGS-94238

Summary by CodeRabbit

  • Bug Fixes
  • Expanded AWS CLI role permissions to support additional IAM role policy listing during setup and management.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. area/cli Indicates the PR includes changes for CLI area/platform/aws PR/issue for AWS (AWSPlatform) platform jira/valid-bug Indicates that a referenced Jira bug is valid for the branch this PR is targeting. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lgtm Indicates that a PR is ready to be merged. verified Signifies that the PR passed pre-merge verification criteria

Projects

None yet

Development

Successfully merging this pull request may close these issues.

5 participants