- Bug
- Resolution: Done
- Critical
- None
- 4.14
- No
- 0
- Sprint 237
- 1
- Proposed
- False
Description of problem:
sts:AssumeRole is missing in the ingress CR, which prevents the ingress operator from operating on the hosted zone:

    failed to list route53 hosted zones: AccessDenied: User: arn:aws:sts::301721915996:assumed-role/yunjiang-xvpc-openshift-ingress-operator-cloud-credentials/1686061732290010436 is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::641733028092:role/yunjiang-xvpcsts-rol1\n\tstatus code: 403,

The current permissions of the ingress CredentialsRequest:

    yq e '.spec.providerSpec' 0000_50_cluster-ingress-operator_00-ingress-credentials-request.yaml
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - elasticloadbalancing:DescribeLoadBalancers
      - route53:ListHostedZones
      - route53:ListTagsForResources
      - route53:ChangeResourceRecordSets
      - tag:GetResources
      effect: Allow
      resource: '*'
Version-Release number of selected component (if applicable):
4.14
How reproducible:
Always
Steps to Reproduce:
1. Create a Shared VPC STS cluster on AWS.
Actual results:
The apps DNS record cannot be added.
Expected results:
The apps DNS record can be added successfully and the cluster is healthy.
Additional info:
- is related to NE-1294 Update cluster-ingress-operator to support AWS shared VPC (Closed)
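The check behind the description above, as an added example that is not part of the original report or the operator's code: it extracts the denied action and resource from the AccessDenied message and tests them against the CredentialsRequest's statementEntries using IAM-style wildcard matching. The function names are hypothetical, the inputs are re-typed from the report, and the model is simplified (no policy conditions, and the target role's trust policy is not evaluated).

```python
import re

# Constructed from the report: the logged error and the yq output, re-typed.
ERROR = ("failed to list route53 hosted zones: AccessDenied: User: "
         "arn:aws:sts::301721915996:assumed-role/"
         "yunjiang-xvpc-openshift-ingress-operator-cloud-credentials/1686061732290010436 "
         "is not authorized to perform: sts:AssumeRole on resource: "
         "arn:aws:iam::641733028092:role/yunjiang-xvpcsts-rol1" r"\n\tstatus code: 403,")
STATEMENTS = [{
    "action": ["elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones",
               "route53:ListTagsForResources", "route53:ChangeResourceRecordSets",
               "tag:GetResources"],
    "effect": "Allow",
    "resource": "*",
}]

DENIED = re.compile(r"User: (?P<principal>\S+) is not authorized to perform: "
                    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:[\w:/+=,.@-]+)")

def parse_access_denied(message):
    """Return principal, action and resource from an AWS AccessDenied message."""
    m = DENIED.search(message)
    return m.groupdict() if m else None

def glob_match(pattern, value, ignore_case=False):
    """IAM-style wildcard match: '*' is any run of characters, '?' is one."""
    rx = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(rx, value, re.I if ignore_case else 0) is not None

def is_allowed(statements, action, resource):
    """True if an Allow entry covers the request and no Deny entry does."""
    allowed = False
    for st in statements:
        # Action names compare case-insensitively, resource ARNs do not.
        hit = (any(glob_match(a, action, True) for a in st["action"])
               and glob_match(st.get("resource", "*"), resource))
        if hit and st["effect"] == "Deny":
            return False
        allowed = allowed or (hit and st["effect"] == "Allow")
    return allowed

def diagnose(message, statements):
    """Report whether the denied call is one the CredentialsRequest ever granted."""
    denied = parse_access_denied(message)
    if denied is not None:
        denied["granted_by_request"] = is_allowed(
            statements, denied["action"], denied["resource"])
    return denied

if __name__ == "__main__":
    print(diagnose(ERROR, STATEMENTS))
```
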