OpenShift Bugs: OCPBUGS-11706

ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes


      Amazon Simple Storage Service (Amazon S3) updated their Amazon S3 bucket configuration so a bucket created in an Amazon Web Services (AWS) region has S3 Block Public Access enabled and access control limits (ACLs) disabled by default. This configuration limits S3 bucket resources to private use. The {product-title} {product-version} updates the CCO utility (`ccoctl`) and the installation program to account for the default S3 bucket configuration so that S3 bucket resources are publicly available. (link:https://issues.redhat.com/browse/OCPBUGS-11706[*OCPBUGS-11706*])

      Description of problem:

      Similar to OCPBUGS-11636, ccoctl needs to be updated to account for the S3 bucket changes described in https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

      These changes have rolled out to us-east-2 and the China regions as of today and will roll out to additional regions in the near future.

      See OCPBUGS-11636 for additional information.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Reproducible in affected regions.

      Steps to Reproduce:

      1. Use the "ccoctl aws create-all" flow to create STS infrastructure in an affected region such as us-east-2. Notice that the document upload fails because the S3 bucket is created in a state that does not allow the use of ACLs on the bucket.

      Actual results:

      ./ccoctl aws create-all --name abutchertestue2 --region us-east-2 --credentials-requests-dir ./credrequests --output-dir _output
      2023/04/11 13:01:06 Using existing RSA keypair found at _output/serviceaccount-signer.private
      2023/04/11 13:01:06 Copying signing key for use by installer
      2023/04/11 13:01:07 Bucket abutchertestue2-oidc created
      2023/04/11 13:01:07 Failed to create Identity provider: failed to upload discovery document in the S3 bucket abutchertestue2-oidc: AccessControlListNotSupported: The bucket does not allow ACLs
              status code: 400, request id: 2TJKZC6C909WVRK7, host id: zQckCPmozx+1yEhAj+lnJwvDY9rG14FwGXDnzKIs8nQd4fO4xLWJW3p9ejhFpDw3c0FE2Ggy1Yc=

      Expected results:

      "ccoctl aws create-all" successfully creates IAM and S3 infrastructure. OIDC discovery and JWKS documents are successfully uploaded to the S3 bucket and are publicly accessible.
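      One way to reach the expected result above without object ACLs, as an added example that is not ccoctl's own code: it keeps Block Public Access for ACLs on, lifts only the two policy-related blocks, grants anonymous read on just the two OIDC document keys, and uploads without --acl. The aws CLI, the bucket, region and document directory, and the key names .well-known/openid-configuration and keys.json are assumptions.

```shell
# Added example (not ccoctl's own code): publish the OIDC discovery and JWKS
# documents to a bucket created under the new S3 defaults (Block Public Access
# on, ACLs disabled) without object ACLs, which now fail with
# AccessControlListNotSupported. Assumes an installed, credentialed aws CLI;
# bucket, region, document directory and object keys are placeholders.
set -eu
# Bucket policy granting anonymous s3:GetObject on the two OIDC document keys
# only; every other object in the bucket stays private.
oidc_public_read_policy() {
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "AllowOIDCDiscoveryRead",
    "Effect": "Allow",
    "Principal": "*",
    "Action": "s3:GetObject",
    "Resource": [
      "arn:aws:s3:::$1/.well-known/openid-configuration",
      "arn:aws:s3:::$1/keys.json"
    ]
  }]
}
EOF
}

# Keep both ACL blocks on (ACLs are not needed); lift only the two policy
# blocks so the bucket policy above can take effect.
allow_public_bucket_policy() {
  aws s3api put-public-access-block --bucket "$1" \
    --public-access-block-configuration \
    "BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=false,RestrictPublicBuckets=false"
}
# Usage: publish_oidc_docs BUCKET REGION DOC_DIR
publish_oidc_docs() {
  bucket=$1; region=$2; doc_dir=$3
  allow_public_bucket_policy "$bucket"
  policy_file=$(mktemp)
  oidc_public_read_policy "$bucket" > "$policy_file"
  aws s3api put-bucket-policy --bucket "$bucket" --policy "file://$policy_file"
  rm -f "$policy_file"
  # No --acl public-read here: that option is what fails on an ACL-disabled bucket.
  aws s3api put-object --bucket "$bucket" --key .well-known/openid-configuration \
    --body "$doc_dir/openid-configuration" --content-type application/json
  aws s3api put-object --bucket "$bucket" --key keys.json \
    --body "$doc_dir/keys.json" --content-type application/json
  # Anonymous HTTPS fetch proves the discovery document is publicly readable.
  curl -fsS "https://$bucket.s3.$region.amazonaws.com/.well-known/openid-configuration" >/dev/null
}
```

      The policy deliberately lists the two document keys rather than the whole bucket, so the private key material and anything else ccoctl writes to the bucket are never exposed by the public-read grant.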

      Additional info:

       

              abutcher@redhat.com Andrew Butcher
              rhn-support-sdodson Scott Dodson
              Jianping Shu Jianping Shu
              Darragh Fitzmaurice Darragh Fitzmaurice