Uploaded image for project: 'OpenShift Bugs'
  1. OpenShift Bugs
  2. OCPBUGS-11706

ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes

    XMLWordPrintable

Details

    • No
    • 1
    • Proposed
    • False
    • Hide

      None

      Show
      None
    • Hide
      Amazon Simple Storage Service (Amazon S3) updated their Amazon S3 bucket configuration so a bucket created in an Amazon Web Services (AWS) region has S3 Block Public Access enabled and access control limits (ACLs) disabled by default. This configuration limits S3 bucket resources to private use. The {product-title} {product-version} updates the CCO utility (`ccoctl`) and the installation program to account for the default S3 bucket configuration so that S3 bucket resources are publicly available. (link:https://issues.redhat.com/browse/OCPBUGS-11706[*OCPBUGS-11706*])
      Show
      Amazon Simple Storage Service (Amazon S3) updated their Amazon S3 bucket configuration so a bucket created in an Amazon Web Services (AWS) region has S3 Block Public Access enabled and access control limits (ACLs) disabled by default. This configuration limits S3 bucket resources to private use. The {product-title} {product-version} updates the CCO utility (`ccoctl`) and the installation program to account for the default S3 bucket configuration so that S3 bucket resources are publicly available. (link: https://issues.redhat.com/browse/OCPBUGS-11706 [* OCPBUGS-11706 *])
    • Bug Fix
    • Done

    Description

      Description of problem:

      Similar to OCPBUGS-11636 ccoctl needs to be updated to account for the s3 bucket changes described in https://aws.amazon.com/blogs/aws/heads-up-amazon-s3-security-changes-are-coming-in-april-of-2023/

these changes have rolled out to us-east-2 and China regions as of today and will roll out to additional regions in the near future

See OCPBUGS-11636 for additional information

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      Reproducible in affected regions.

      Steps to Reproduce:

      1. Use "ccoctl aws create-all" flow to create STS infrastructure in an affected region like us-east-2. Notice that document upload fails because the s3 bucket is created in a state that does not allow usage of ACLs with the s3 bucket.

      Actual results:

      ./ccoctl aws create-all --name abutchertestue2 --region us-east-2 --credentials-requests-dir ./credrequests --output-dir _output
2023/04/11 13:01:06 Using existing RSA keypair found at _output/serviceaccount-signer.private
2023/04/11 13:01:06 Copying signing key for use by installer
2023/04/11 13:01:07 Bucket abutchertestue2-oidc created
2023/04/11 13:01:07 Failed to create Identity provider: failed to upload discovery document in the S3 bucket abutchertestue2-oidc: AccessControlListNotSupported: The bucket does not allow ACLs
        status code: 400, request id: 2TJKZC6C909WVRK7, host id: zQckCPmozx+1yEhAj+lnJwvDY9rG14FwGXDnzKIs8nQd4fO4xLWJW3p9ejhFpDw3c0FE2Ggy1Yc=

      Expected results:

      "ccoctl aws create-all" successfully creates IAM and S3 infrastructure. OIDC discovery and JWKS documents are successfully uploaded to the S3 bucket and are publicly accessible.

      Additional info:

       

      Attachments

        Issue Links

          clones

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11671 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          depends on

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11671 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is cloned by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11707 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          is depended on by

          Bug - A problem that impairs or prevents the functions of the product. OCPBUGS-11707 ccoctl cannot create STS documents in 4.10-4.13 due to s3 policy changes

          • Critical - To be worked on immediately following BLOCKER issues.
          • Closed
          links to

          GitHub openshift/cloud-credential-operator#528: [release-4.13] OCPBUGS-11706: ccoctl: Enable public anon read access to default OIDC S3 bucket

          Activity

            People

              abutcher@redhat.com Andrew Butcher
              rhn-support-sdodson Scott Dodson
              Jianping Shu Jianping Shu
              Darragh Fitzmaurice Darragh Fitzmaurice
              Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

                Created:
                Updated:
                Resolved: