OpenShift Bugs: OCPBUGS-23464

There is no clear error log when creating an STS cluster with a KMS key whose key policy does not include the installer role


      *Cause*: using KMS key without proper role permissions
      *Consequence*: install fails with no clear message to indicate the problem
      *Fix*: Validate permission roles when KMS key is provided
      *Result*: Install succeeds when KMS key is provided with proper permissions or fails with a message indicating which permissions are missing.

      Bug Fix

      This is a clone of issue OCPBUGS-22774. The following is the description of the original issue:

      This is a clone of issue OCPBUGS-13664. The following is the description of the original issue:

      Description of problem:

      There is no clear error log when creating an STS cluster with a KMS key whose key policy does not include the installer role.

      Version-Release number of selected component (if applicable):

       

      How reproducible:

      always

      Steps to Reproduce:

      1. Prepare a KMS key with the aws command:
         aws kms create-key --tags TagKey=Purpose,TagValue=Test --description "kms Key"
      2. Create an STS cluster with the KMS key:
         rosa create cluster --cluster-name ying-k1 --sts --role-arn arn:aws:iam::301721915996:role/ying16-Installer-Role --support-role-arn arn:aws:iam::301721915996:role/ying16-Support-Role --controlplane-iam-role arn:aws:iam::301721915996:role/ying16-ControlPlane-Role --worker-iam-role arn:aws:iam::301721915996:role/ying16-Worker-Role --operator-roles-prefix ying-k1-e2g3 --oidc-config-id 23ggvdh2jouranue87r5ujskp8hctisn --region us-west-2 --version 4.12.15 --replicas 2 --compute-machine-type m5.xlarge --machine-cidr 10.0.0.0/16 --service-cidr 172.30.0.0/16 --pod-cidr 10.128.0.0/14 --host-prefix 23 --kms-key-arn arn:aws:kms:us-west-2:301721915996:key/c60b5a31-1a5c-4d73-93ee-67586d0eb90d

      Actual results:

      It fails. Here is the install log:
      http://pastebin.test.redhat.com/1100008

      Expected results:

      There should be a detailed error message when the KMS key policy does not include the installer role.

      Additional info:

      The install succeeds if the installer role ARN is added to the KMS key policy:
      {
          "Version": "2012-10-17",
          "Id": "key-default-1",
          "Statement": [
              {
                  "Sid": "Enable IAM User Permissions",
                  "Effect": "Allow",
                  "Principal": {
                      "AWS": [
                          "arn:aws:iam::301721915996:role/ying16-Installer-Role",
                          "arn:aws:iam::301721915996:root"
                      ]
                  },
                  "Action": "kms:*",
                  "Resource": "*"
              }
          ]
      }
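An added example, not code from rosa or the OpenShift installer, of the kind of key-policy validation the release note's Fix line describes: given a KMS key policy document and the installer role ARN, it reports which required kms: actions the policy does not grant that role directly. The list of required actions and the root-only policy are assumptions constructed for this example; the working policy is the one from this report.

```python
import fnmatch
import json

# Actions assumed here to be what the installer role needs on a customer-managed
# KMS key; the real list is whatever the installer/ROSA requires (assumption).
REQUIRED_ACTIONS = ["kms:DescribeKey", "kms:Encrypt", "kms:Decrypt",
                    "kms:GenerateDataKey", "kms:CreateGrant"]

def _as_list(value):
    """AWS policy fields may be a single string or a list; normalise to a list."""
    return value if isinstance(value, list) else [value]

def _statement_covers(stmt, principal_arn, action):
    """True if the statement names principal_arn (or '*') and its Action matches."""
    principal = stmt.get("Principal", {})
    aws = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
    if principal_arn not in aws and "*" not in aws:
        return False
    return any(fnmatch.fnmatchcase(action, pattern)
               for pattern in _as_list(stmt.get("Action", [])))

def missing_kms_permissions(policy, principal_arn, required=REQUIRED_ACTIONS):
    """Return the required actions the key policy does not grant principal_arn
    directly. An explicit Deny overrides any Allow, as in AWS policy evaluation.
    A grant to the account root only delegates to IAM policies, so it is not
    counted as a direct grant to the role."""
    if isinstance(policy, str):
        policy = json.loads(policy)
    statements = _as_list(policy.get("Statement", []))
    missing = []
    for action in required:
        allowed = any(s.get("Effect") == "Allow" and _statement_covers(s, principal_arn, action)
                      for s in statements)
        denied = any(s.get("Effect") == "Deny" and _statement_covers(s, principal_arn, action)
                     for s in statements)
        if denied or not allowed:
            missing.append(action)
    return missing

INSTALLER_ROLE = "arn:aws:iam::301721915996:role/ying16-Installer-Role"
ROOT = "arn:aws:iam::301721915996:root"

# Constructed sample policies: the working one from this report, and one that only
# names the account root (the failing case, where the installer role is absent).
POLICY_WITH_INSTALLER = {"Version": "2012-10-17", "Statement": [
    {"Sid": "Enable IAM User Permissions", "Effect": "Allow",
     "Principal": {"AWS": [INSTALLER_ROLE, ROOT]}, "Action": "kms:*", "Resource": "*"}]}
POLICY_ROOT_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"AWS": ROOT}, "Action": "kms:*", "Resource": "*"}]}
```

A policy that only names the account root reports every action as missing because root merely delegates to IAM; a definitive check would still have to consult the role's IAM policies (for example with IAM policy simulation) before reporting the install as blocked.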

pawan pinjarkar (ppinjark@redhat.com)
OpenShift Prow Bot (openshift-crt-jira-prow)
Yunfei Jiang