Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-11661

AWS s3 policy changes block all OCP installs on AWS

XMLWordPrintable

    • Critical
    • No
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      Amazon Simple Storage Service (Amazon S3) updated their Amazon S3 bucket configuration so a bucket created in an Amazon Web Services (AWS) region has S3 Block Public Access enabled and access control limits (ACLs) disabled by default. This configuration limits S3 bucket resources to private use. The {product-title} {product-version} updates the CCO utility (`ccoctl`) and the installation program to account for the default S3 bucket configuration so that S3 bucket resources are publicly available.(link:https://issues.redhat.com/browse/OCPBUGS-11661[*OCPBUGS-11661*])
      Show
      Amazon Simple Storage Service (Amazon S3) updated their Amazon S3 bucket configuration so a bucket created in an Amazon Web Services (AWS) region has S3 Block Public Access enabled and access control limits (ACLs) disabled by default. This configuration limits S3 bucket resources to private use. The {product-title} {product-version} updates the CCO utility (`ccoctl`) and the installation program to account for the default S3 bucket configuration so that S3 bucket resources are publicly available.(link: https://issues.redhat.com/browse/OCPBUGS-11661 [* OCPBUGS-11661 *])
    • Bug Fix
    • Done

      This is a clone of issue OCPBUGS-11636. The following is the description of the original issue:

      Description of problem:

      The ACLs are disabled for all newly created s3 buckets, this causes all OCP installs to fail: the bootstrap ignition can not be uploaded:
      
      level=info msg=Creating infrastructure resources...
      level=error
      level=error msg=Error: error creating S3 bucket ACL for yunjiang-acl413-4dnhx-bootstrap: AccessControlListNotSupported: The bucket does not allow ACLs
      level=error msg=	status code: 400, request id: HTB2HSH6XDG0Q3ZA, host id: V6CrEgbc6eyfJkUbLXLxuK4/0IC5hWCVKEc1RVonSbGpKAP1RWB8gcl5dfyKjbrLctVlY5MG2E4=
      level=error
      level=error msg=  with aws_s3_bucket_acl.ignition,
      level=error msg=  on main.tf line 62, in resource "aws_s3_bucket_acl" "ignition":
      level=error msg=  62: resource "aws_s3_bucket_acl" ignition {
      level=error
      level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failure applying terraform for "bootstrap" stage: failed to create cluster: failed to apply Terraform: exit status 1
      level=error
      level=error msg=Error: error creating S3 bucket ACL for yunjiang-acl413-4dnhx-bootstrap: AccessControlListNotSupported: The bucket does not allow ACLs
      level=error msg=	status code: 400, request id: HTB2HSH6XDG0Q3ZA, host id: V6CrEgbc6eyfJkUbLXLxuK4/0IC5hWCVKEc1RVonSbGpKAP1RWB8gcl5dfyKjbrLctVlY5MG2E4=
      level=error
      level=error msg=  with aws_s3_bucket_acl.ignition,
      level=error msg=  on main.tf line 62, in resource "aws_s3_bucket_acl" "ignition":
      level=error msg=  62: resource "aws_s3_bucket_acl" ignition {
      
      
      

      Version-Release number of selected component (if applicable):

      4.11+
       

      How reproducible:

      Always
       

      Steps to Reproduce:

      1.Create a cluster via IPI
      
      

      Actual results:

      install fail
       

      Expected results:

      install succeed
       

      Additional info:

      Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 - https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
      
      https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-error-responses.html - After you apply the bucket owner enforced setting for Object Ownership, ACLs are disabled.
      
       

              Unassigned Unassigned
              openshift-crt-jira-prow OpenShift Prow Bot
              Yunfei Jiang Yunfei Jiang
              Votes:
              0 Vote for this issue
              Watchers:
              16 Start watching this issue

                Created:
                Updated:
                Resolved: