Loading...

XML

Word

Printable

Type: Bug
Resolution: Done
Priority: Critical
Fix Version/s: None
Affects Version/s: 4.13, 4.12.z, 4.11.z, 4.10.z, 4.14
Component/s: Cloud Credential Operator
Labels:

Severity:
Critical
Regression:
No
Release Blocker:
Proposed
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Target Version:

4.10.z

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

This is a clone of issue ~~OCPBUGS-13792~~. The following is the description of the original issue:
—
This is a clone of issue ~~OCPBUGS-13739~~. The following is the description of the original issue:
—
This is a clone of issue ~~OCPBUGS-13692~~. The following is the description of the original issue:
—
This is a clone of issue ~~OCPBUGS-13549~~. The following is the description of the original issue:
—
Description of problem:

Incorrect AWS ARN [1] is used for GovCloud and AWS China regions, which will cause the command `ccoctl aws create-all` to fail:

Failed to create Identity provider: failed to apply public access policy to the bucket ci-op-bb5dgq54-77753-oidc: MalformedPolicy: Policy has invalid resource
	status code: 400, request id: VNBZ3NYDH6YXWFZ3, host id: pHF8v7C3vr9YJdD9HWamFmRbMaOPRbHSNIDaXUuUyrgy0gKCO9DDFU/Xy8ZPmY2LCjfLQnUDmtQ=

Correct AWS ARN prefix:
GovCloud (us-gov-east-1 and us-gov-west-1): arn:aws-us-gov
AWS China (cn-north-1 and cn-northwest-1): arn:aws-cn

[1] https://github.com/openshift/cloud-credential-operator/pull/526/files#diff-1909afc64595b92551779d9be99de733f8b694cfb6e599e49454b380afc58876R211

Version-Release number of selected component (if applicable):

4.12.0-0.nightly-2023-05-11-024616

How reproducible:

Always

Steps to Reproduce:

1. Run command: `aws create-all --name="${infra_name}" --region="${REGION}" --credentials-requests-dir="/tmp/credrequests" --output-dir="/tmp"` on GovCloud regions
2.
3.

Actual results:

Failed to create Identity provider

Expected results:

Create resources successfully.

Additional info:

Related PRs:
4.10: https://github.com/openshift/cloud-credential-operator/pull/531
4.11: https://github.com/openshift/cloud-credential-operator/pull/530
4.12: https://github.com/openshift/cloud-credential-operator/pull/529
4.13: https://github.com/openshift/cloud-credential-operator/pull/528
4.14: https://github.com/openshift/cloud-credential-operator/pull/526

clones

OCPBUGS-13792 Failed to create STS resources on AWS GovCloud regions using ccoctl

Closed

is blocked by

OCPBUGS-13792 Failed to create STS resources on AWS GovCloud regions using ccoctl

Closed

links to

openshift/cloud-credential-operator#541: [release-4.10] OCPBUGS-13847: Determine AWS partition based on region for readOnlyAnonUserPolicyTemplate bucket ARN.

Assignee:: Andrew Butcher

Reporter:: OpenShift Prow Bot

QA Contact:: Jianping Shu

Votes:: 0 Vote for this issue

Watchers:: 6 Start watching this issue

Created:: 2023/05/19 12:47 PM

Updated:: 2024/04/29 5:14 PM

Resolved:: 2023/06/07 9:12 AM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates