Uploaded image for project: 'OpenShift Logging'
  1. OpenShift Logging
  2. LOG-2772

arn validation failed when role_arn=arn:aws-us-gov:xxx

    XMLWordPrintable

Details

    • False
    • None
    • False
    • NEW
    • OBSDA-59 - CloudWatch log forwarding add-on needs to support STS installations
    • VERIFIED
    • Log Collection - Sprint 221

    Description

      when the partition is not aws, the role_arn validation failed

      https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html

      role_arn: arn:aws-us-gov:iam::225746144451:role/anli-sts-25690-openshift-logging-cloudwatch-credentials

      "status": {
      "conditions": [

      { "lastTransitionTime": "2022-06-27T14:49:21Z", "message": "all pipelines invalid: [to-cloudwatch]", "reason": "Invalid", "status": "False", "type": "Ready" }

      ],
      "outputs": {
      "cloudwatch": [

      { "lastTransitionTime": "2022-06-27T14:49:21Z", "message": "auth keys: a 'role_arn' key is required containing a valid arn value", "reason": "MissingResource", "status": "False", "type": "Ready" }

      ]
      }

      $// ParseRoleArn search for matching valid arn within the 'role_arn' key
      func ParseRoleArn(secret *corev1.Secret) string {
      roleArnString := security.GetFromSecret(secret, constants.AWSWebIdentityRoleKey)
      if roleArnString != "" {
      reg := regexp.MustCompile(`(arn:aws:(iam|sts)::\d

      {12}

      :role\/\S+)\s?`)
      roleArn := reg.FindStringSubmatch(roleArnString)
      if roleArn != nil

      { return roleArn[1] // the capturing group is index 1 }

      }
      return ""
      }

      Attachments

        Activity

          People

            jcantril@redhat.com Jeffrey Cantrill
            anli@redhat.com Anping Li
            Anping Li Anping Li
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: