Type: Bug
Priority: Critical
Resolution: Done-Errata
Versions: 4.10, 4.11, 4.12, 4.13, 4.14
Release Note Type: Bug Fix
Status: Done
Description of problem:
Similar to OCPBUGS-11636, ccoctl needs to be updated to account for the S3 bucket changes described in https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/. These changes have rolled out to us-east-2 and the China regions as of today and will roll out to additional regions in the near future. See OCPBUGS-11636 for additional information.
Version-Release number of selected component (if applicable):
How reproducible:
Reproducible in affected regions.
Steps to Reproduce:
1. Use the "ccoctl aws create-all" flow to create STS infrastructure in an affected region such as us-east-2. Notice that the document upload fails because the S3 bucket is created in a state that does not allow ACLs on the bucket.
Actual results:
./ccoctl aws create-all --name abutchertestue2 --region us-east-2 --credentials-requests-dir ./credrequests --output-dir _output
2023/04/11 13:01:06 Using existing RSA keypair found at _output/serviceaccount-signer.private
2023/04/11 13:01:06 Copying signing key for use by installer
2023/04/11 13:01:07 Bucket abutchertestue2-oidc created
2023/04/11 13:01:07 Failed to create Identity provider: failed to upload discovery document in the S3 bucket abutchertestue2-oidc: AccessControlListNotSupported: The bucket does not allow ACLs
	status code: 400, request id: 2TJKZC6C909WVRK7, host id: zQckCPmozx+1yEhAj+lnJwvDY9rG14FwGXDnzKIs8nQd4fO4xLWJW3p9ejhFpDw3c0FE2Ggy1Yc=
Expected results:
"ccoctl aws create-all" successfully creates IAM and S3 infrastructure. OIDC discovery and JWKS documents are successfully uploaded to the S3 bucket and are publicly accessible.
Additional info:
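The failure above is the new S3 default of ObjectOwnership=BucketOwnerEnforced (ACLs disabled) plus Block Public Access on new buckets, so any PutObject with --acl public-read is rejected. The script below is an added example, not ccoctl's own code or its shipped fix: it checks a bucket's ownership setting, grants anonymous read of just the two OIDC documents through a bucket policy instead of ACLs, uploads without --acl, and verifies the discovery document is reachable anonymously. It assumes an authenticated aws CLI v2, an existing bucket (such as the one "ccoctl aws create-all" created before failing), and that the local file paths for the discovery and JWKS documents are passed in; the policy Sid and object keys are assumptions chosen for the example.

```shell
#!/bin/sh
# Added example, not ccoctl's own code: make the OIDC discovery bucket publicly
# readable with a bucket policy instead of object ACLs, which buckets created
# after the April 2023 S3 change reject (AccessControlListNotSupported).
# Assumes the aws CLI (v2) is installed and authenticated and the bucket exists.
set -eu

# Returns 0 when PutObject with --acl public-read will be rejected for a bucket
# whose ObjectOwnership is the given value (the failing path in this bug),
# 1 when ACLs are still honoured, 2 for an unrecognised value.
acl_upload_will_fail() {
    case "$1" in
        BucketOwnerEnforced) return 0 ;;                # ACLs disabled: the new default
        ObjectWriter|BucketOwnerPreferred) return 1 ;;  # ACLs still honoured
        *) echo "unknown ObjectOwnership value: $1" >&2; return 2 ;;
    esac
}

# Bucket policy granting anonymous s3:GetObject on exactly the two objects an
# OIDC relying party needs. Unlike a public-read ACL on each object it exposes
# no listing and nothing else that later lands in the bucket.
oidc_bucket_policy() {
    cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowPublicReadOfOIDCDocuments",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::$1/.well-known/openid-configuration",
      "arn:aws:s3:::$1/keys.json"
    ]
  }]
}
EOF
}

# Configure an existing bucket and verify the discovery document is reachable
# anonymously, the property the "Expected results" above require.
# Arguments: bucket region discovery-document-path jwks-path (paths assumed).
configure_oidc_bucket() {
    bucket="$1"; region="$2"; discovery_doc="$3"; jwks_doc="$4"

    # A bucket with no OwnershipControls configured behaves as ObjectWriter.
    ownership=$(aws s3api get-bucket-ownership-controls --bucket "$bucket" \
        --query 'OwnershipControls.Rules[0].ObjectOwnership' --output text 2>/dev/null \
        || echo ObjectWriter)
    if acl_upload_will_fail "$ownership"; then
        echo "ObjectOwnership=$ownership: ACL uploads would fail, using a bucket policy" >&2
    fi

    # New buckets also get all four Block Public Access settings on; a public
    # bucket policy is refused (AccessDenied) unless BlockPublicPolicy and
    # RestrictPublicBuckets are off. The two ACL-related blocks stay on.
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        'BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=false,RestrictPublicBuckets=false'

    policy_file=$(mktemp)
    oidc_bucket_policy "$bucket" > "$policy_file"
    aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
    rm -f "$policy_file"

    # Upload without --acl; the policy, not an ACL, makes the objects public.
    aws s3api put-object --bucket "$bucket" --key .well-known/openid-configuration \
        --body "$discovery_doc" --content-type application/json
    aws s3api put-object --bucket "$bucket" --key keys.json \
        --body "$jwks_doc" --content-type application/json

    # Anonymous fetch must return 200 or the cluster's STS token exchange fails.
    curl -fsS "https://$bucket.s3.$region.amazonaws.com/.well-known/openid-configuration" >/dev/null
    echo "discovery document in $bucket is publicly readable"
}

if [ $# -eq 4 ]; then
    configure_oidc_bucket "$@"
fi
```

Two caveats when running this for real: an account-level Block Public Access setting overrides the bucket-level one and must also permit public policies, and China region buckets are served from amazonaws.com.cn, so the curl check needs that hostname there.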
Issue links:
- is cloned by: OCPBUGS-11706 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes (Closed)
- is depended on by: OCPBUGS-11706 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes (Closed)
- links to: RHSA-2023:5006 OpenShift Container Platform 4.14.z security update