OpenShift Bugs: OCPBUGS-11663

AWS s3 policy changes block all OCP installs on AWS

Details

    • Critical

    Description

      This is a clone of issue OCPBUGS-11636. The following is the description of the original issue:

      Description of problem:

      ACLs are disabled for all newly created S3 buckets; this causes all OCP installs to fail, because the bootstrap ignition cannot be uploaded:
      
      level=info msg=Creating infrastructure resources...
      level=error
      level=error msg=Error: error creating S3 bucket ACL for yunjiang-acl413-4dnhx-bootstrap: AccessControlListNotSupported: The bucket does not allow ACLs
      level=error msg=	status code: 400, request id: HTB2HSH6XDG0Q3ZA, host id: V6CrEgbc6eyfJkUbLXLxuK4/0IC5hWCVKEc1RVonSbGpKAP1RWB8gcl5dfyKjbrLctVlY5MG2E4=
      level=error
      level=error msg=  with aws_s3_bucket_acl.ignition,
      level=error msg=  on main.tf line 62, in resource "aws_s3_bucket_acl" "ignition":
      level=error msg=  62: resource "aws_s3_bucket_acl" ignition {
      level=error
      level=error msg=failed to fetch Cluster: failed to generate asset "Cluster": failure applying terraform for "bootstrap" stage: failed to create cluster: failed to apply Terraform: exit status 1
      level=error
      level=error msg=Error: error creating S3 bucket ACL for yunjiang-acl413-4dnhx-bootstrap: AccessControlListNotSupported: The bucket does not allow ACLs
      level=error msg=	status code: 400, request id: HTB2HSH6XDG0Q3ZA, host id: V6CrEgbc6eyfJkUbLXLxuK4/0IC5hWCVKEc1RVonSbGpKAP1RWB8gcl5dfyKjbrLctVlY5MG2E4=
      level=error
      level=error msg=  with aws_s3_bucket_acl.ignition,
      level=error msg=  on main.tf line 62, in resource "aws_s3_bucket_acl" "ignition":
      level=error msg=  62: resource "aws_s3_bucket_acl" ignition {
      
      
      

      Version-Release number of selected component (if applicable):

      4.11+
       

      How reproducible:

      Always
       

      Steps to Reproduce:

      1. Create a cluster via IPI on AWS.
      
      

      Actual results:

      Install fails.
       

      Expected results:

      Install succeeds.
       

      Additional info:

      Heads-Up: Amazon S3 Security Changes Are Coming in April of 2023 - https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/
      
      https://docs.aws.amazon.com/AmazonS3/latest/userguide/object-ownership-error-responses.html - After you apply the bucket owner enforced setting for Object Ownership, ACLs are disabled.
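      The resource that fails in the log is the AWS provider's aws_s3_bucket_acl, which issues PutBucketAcl. On a bucket whose Object Ownership is BucketOwnerEnforced (the default for buckets created after the April 2023 change linked above) S3 rejects that call with AccessControlListNotSupported, so any plan that creates a fresh bucket and then an ACL on it breaks, regardless of which ACL it asks for. The Terraform below is an added example written for this page, not the installer's main.tf: it shows the ACL resource that fails, commented out, next to a configuration that keeps the bucket private without ACLs by pinning Object Ownership and Public Access Block explicitly and granting read access to the object through IAM. The bucket name, object key, local file name and role name are placeholders.

```hcl
terraform {
  required_providers {
    aws = {
      source  = "hashicorp/aws"
      version = ">= 4.0"   # aws_s3_bucket_acl / aws_s3_object split out in 4.x
    }
  }
}

resource "aws_s3_bucket" "ignition" {
  bucket = "example-cluster-bootstrap"   # placeholder name
}

# This is the shape that fails in the installer log: on a bucket whose
# Object Ownership is BucketOwnerEnforced, PutBucketAcl returns
# AccessControlListNotSupported (HTTP 400). It is left out entirely.
#
# resource "aws_s3_bucket_acl" "ignition" {
#   bucket = aws_s3_bucket.ignition.id
#   acl    = "private"
# }

# Pin the setting instead of relying on the new-bucket default, so the plan
# behaves identically in accounts and regions where older defaults linger.
resource "aws_s3_bucket_ownership_controls" "ignition" {
  bucket = aws_s3_bucket.ignition.id

  rule {
    object_ownership = "BucketOwnerEnforced"
  }
}

# "private" only ever meant the absence of public grants; state that
# directly by blocking public ACLs and public bucket policies.
resource "aws_s3_bucket_public_access_block" "ignition" {
  bucket                  = aws_s3_bucket.ignition.id
  block_public_acls       = true
  block_public_policy     = true
  ignore_public_acls      = true
  restrict_public_buckets = true
}

# Upload only after the ownership and public-access settings are applied,
# so the object is created under the final configuration. Without ACLs the
# bucket owner owns the object automatically.
resource "aws_s3_object" "ignition" {
  bucket = aws_s3_bucket.ignition.id
  key    = "bootstrap.ign"                 # placeholder key
  source = "${path.module}/bootstrap.ign"  # placeholder local file
  # no "acl" argument: object ACLs are ignored under BucketOwnerEnforced

  depends_on = [
    aws_s3_bucket_ownership_controls.ignition,
    aws_s3_bucket_public_access_block.ignition,
  ]
}

# Access is granted with IAM rather than ACLs: the instance role the
# bootstrap node assumes gets s3:GetObject on the single object only.
data "aws_iam_policy_document" "bootstrap_read" {
  statement {
    actions   = ["s3:GetObject"]
    resources = ["${aws_s3_bucket.ignition.arn}/${aws_s3_object.ignition.key}"]
  }
}

resource "aws_iam_role_policy" "bootstrap_read" {
  name   = "bootstrap-ignition-read"
  role   = "example-bootstrap-role"   # placeholder: existing instance role name
  policy = data.aws_iam_policy_document.bootstrap_read.json
}
```

      To check which mode a bucket is in before running any ACL operation against it, `aws s3api get-bucket-ownership-controls --bucket <name>` returns the ObjectOwnership value; BucketOwnerEnforced means PutBucketAcl and PutObjectAcl requests fail with this error unless they specify the bucket-owner-full-control canned ACL, which is a no-op under that setting anyway. If a workflow genuinely needs ACL grants (for example, cross-account writers that must keep ownership of their objects), set object_ownership to ObjectWriter in aws_s3_bucket_ownership_controls and give the aws_s3_bucket_acl resource a depends_on on it; for a bootstrap bucket that only the installer writes and one instance role reads, that is unnecessary and reintroduces the ACL surface that AWS disabled by default.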
      
       

      People

        Unassigned
        openshift-crt-jira-prow (OpenShift Prow Bot)
        Yunfei Jiang