  1. OCMUI - OpenShift Cluster Manager UI
  2. OCMUI-1123

[ROSA wizard] NoTrustedRelationshipOnClusterRole error shown as "No role detected"


    • Bug
    • Resolution: Unresolved
    • Normal

      The Control Plane wizard step may get a 400 error explaining that the ocm-role IAM has issues.
      This error text is not communicated to the user; we just show "No role detected" as if there were zero roles.

      {
          "kind": "Error",
          "id": "400",
          "href": "/api/clusters_mgmt/v1/errors/400",
          "code": "CLUSTERS-MGMT-400",
          "reason": "Please make sure IAM role 'arn:aws:iam::269733383066:role/ManagedOpenShift-OCM-Role-15212158' exists, and add 'arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer' to the trust policy on IAM role 'arn:aws:iam::269733383066:role/ManagedOpenShift-OCM-Role-15212158'",
          "details": [
              {
                  "Error_Key": "NoTrustedRelationshipOnClusterRole"
              }
          ],
          "operation_id": "0b58b88d-54a2-4a3e-bf57-a187dea8bca2"
      } 

      Steps to reproduce

      1. Don't know how to reproduce the problematic role. Seen in production.
      2. Create clusters > ROSA > With web interface
      3. Can happen with both Hosted and Classic control planes.

      Actual behavior

      We show "No role detected" and link to the standard sidebar. The sidebar suggests checking if a role exists with "rosa list ocm-role" — which is already confusing because it does list a linked role — and, if it exists, suggests linking it should be enough.
      It says: "If there is an existing role and it's already linked to your Red Hat account, no further action is needed."

      All that is not helpful. Presumably fixing the IAM config would have helped (didn't try)? What really allowed me to proceed is creating a new role anyway; the CLI further discourages that by reporting:

      E: Only one ocm-role can be created per AWS account '269733383066' per organization '1wuANBLgbvRSXRXN10OuSFE2gzB'.
      In order to create a new ocm-role, you have to unlink the ocm-role 'arn:aws:iam::269733383066:role/ManagedOpenShift-OCM-Role-15212158'.
      

      which, in combination with the UI saying that if a role exists that should be enough, makes one doubt whether I should be creating a role...

      Expected behavior

      • Show the error message from the backend; it's informative.
      • Amend the sidebar text to admit the possibility that a role exists but is not good, and try creating a new one anyway?
      • Sidebar should explain the consequences of deleting or unlinking an existing ocm-role.

            Unassigned Unassigned
            bpaskinc@redhat.com Beni Paskin-Cherniavsky
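One way the wizard step could separate this case from a genuinely empty role list, as an added example that is not OCMUI code. The function names, state names and sample ARNs are constructed; only the response fields (reason, details, Error_Key, operation_id, code) come from the error body quoted in the report.

```javascript
// Added example; not OCMUI source. Function and state names are hypothetical.

// Constructed sample shaped like the 400 body in the report (placeholder ARNs and IDs).
const sampleError = {
  kind: 'Error',
  id: '400',
  code: 'CLUSTERS-MGMT-400',
  reason: "Please make sure IAM role 'arn:aws:iam::111111111111:role/Example-OCM-Role' exists, " +
    "and add 'arn:aws:iam::222222222222:role/Example-Installer' to the trust policy on IAM role " +
    "'arn:aws:iam::111111111111:role/Example-OCM-Role'",
  details: [{ Error_Key: 'NoTrustedRelationshipOnClusterRole' }],
  operation_id: '00000000-0000-0000-0000-000000000000',
};

// Collect every Error_Key from details; tolerate a missing or malformed details field.
function errorKeys(body) {
  const details = Array.isArray(body?.details) ? body.details : [];
  return details.map((d) => d?.Error_Key).filter((k) => typeof k === 'string');
}

// Decide what the wizard step should display.
//   roles:     array of detected ocm-role ARNs, or null when the request failed
//   errorBody: parsed JSON error body when the request failed, otherwise null
function roleDetectionState(roles, errorBody) {
  if (errorBody) {
    const hasReason = typeof errorBody.reason === 'string' && errorBody.reason.trim() !== '';
    // The reason is server-supplied: render it as plain text, never as HTML.
    const message = hasReason
      ? errorBody.reason
      : `Request failed (${errorBody.code || 'unknown error'})`;
    const operationId = errorBody.operation_id ?? null;
    if (errorKeys(errorBody).includes('NoTrustedRelationshipOnClusterRole')) {
      // A role exists and is linked, but its trust policy is wrong.
      // This must not collapse into the "No role detected" state.
      return { state: 'ROLE_MISCONFIGURED', message, operationId };
    }
    return { state: 'ERROR', message, operationId };
  }
  if (!Array.isArray(roles) || roles.length === 0) {
    return { state: 'NO_ROLE', message: 'No role detected' };
  }
  return { state: 'ROLE_FOUND', message: roles[0] };
}
```

Keeping operation_id in the returned state lets the UI show an identifier that support can match against backend logs.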