- Bug
- Resolution: Done-Errata
- Critical
- None
- 4.16.0, 4.17.0
- Critical
- No
- Proposed
- True
Description of problem:
When creating a hosted cluster with --role-arn and --sts-creds, the create command fails.
Version-Release number of selected component (if applicable):
4.16, 4.17
How reproducible:
100%
Steps to Reproduce:
1. hypershift-no-cgo create iam cli-role
2. aws sts get-session-token --output json
3. hcp create cluster aws --role-arn xxx --sts-creds xxx
Actual results:
2024-06-06T04:34:39Z ERROR Failed to create cluster {"error": "failed to create iam: AccessDenied: User: arn:aws:sts::301721915996:assumed-role/6cd90f28a6449141869b/cli-create-iam is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::301721915996:oidc-provider/hypershift-ci-oidc.s3.us-east-1.amazonaws.com/6cd90f28a6449141869b because no identity-based policy allows the iam:TagOpenIDConnectProvider action\n\tstatus code: 403, request id: 20e16ec4-b9a1-4fa4-aa34-1344145d41fd"}
github.com/openshift/hypershift/product-cli/cmd/cluster/aws.NewCreateCommand.func1
	/remote-source/app/product-cli/cmd/cluster/aws/create.go:60
github.com/spf13/cobra.(*Command).execute
	/remote-source/app/vendor/github.com/spf13/cobra/command.go:983
github.com/spf13/cobra.(*Command).ExecuteC
	/remote-source/app/vendor/github.com/spf13/cobra/command.go:1115
github.com/spf13/cobra.(*Command).Execute
	/remote-source/app/vendor/github.com/spf13/cobra/command.go:1039
github.com/spf13/cobra.(*Command).ExecuteContext
	/remote-source/app/vendor/github.com/spf13/cobra/command.go:1032
main.main
	/remote-source/app/product-cli/main.go:60
runtime.main
	/usr/lib/golang/src/runtime/proc.go:271
Error: failed to create iam: AccessDenied: User: arn:aws:sts::301721915996:assumed-role/6cd90f28a6449141869b/cli-create-iam is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::301721915996:oidc-provider/hypershift-ci-oidc.s3.us-east-1.amazonaws.com/6cd90f28a6449141869b because no identity-based policy allows the iam:TagOpenIDConnectProvider action
	status code: 403, request id: 20e16ec4-b9a1-4fa4-aa34-1344145d41fd
failed to create iam: AccessDenied: User: arn:aws:sts::301721915996:assumed-role/6cd90f28a6449141869b/cli-create-iam is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::301721915996:oidc-provider/hypershift-ci-oidc.s3.us-east-1.amazonaws.com/6cd90f28a6449141869b because no identity-based policy allows the iam:TagOpenIDConnectProvider action
	status code: 403, request id: 20e16ec4-b9a1-4fa4-aa34-1344145d41fd
{"component":"entrypoint","error":"wrapped process failed: exit status 1","file":"sigs.k8s.io/prow/pkg/entrypoint/run.go:84","func":"sigs.k8s.io/prow/pkg/entrypoint.Options.internalRun","level":"error","msg":"Error executing test process","severity":"error","time":"2024-06-06T04:34:39Z"}
error: failed to execute wrapped command: exit status 1
Expected results:
The hosted cluster is created successfully.
Additional info:
Full Logs: https://docs.google.com/document/d/1AnvAHXPfPYtP6KRcAKOebAx1wXjhWMOn3TW604XK09o/edit
Running the same command a second time succeeds.
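To show how a failure of this shape is diagnosed from the log line and checked against the role's policy, the following Python is an added example; it is not part of the bug report or of the HyperShift code base. It parses the AccessDenied message quoted above into principal, action and resource, and evaluates a simplified identity-based policy (explicit Deny beats Allow, otherwise implicit deny; Condition, NotAction and NotResource are not modelled). The two policy documents and the REQUIRED_OIDC_ACTIONS list are constructed for the example and are assumptions, not the real cli-role policy, which the bug does not reproduce.

```python
import re
from typing import Optional

# Constructed sample input: the AccessDenied message reported in this bug
# (copied from the "Actual results" above), used here as parser input.
SAMPLE_ERROR = (
    "failed to create iam: AccessDenied: User: arn:aws:sts::301721915996:assumed-role/"
    "6cd90f28a6449141869b/cli-create-iam is not authorized to perform: "
    "iam:TagOpenIDConnectProvider on resource: arn:aws:iam::301721915996:oidc-provider/"
    "hypershift-ci-oidc.s3.us-east-1.amazonaws.com/6cd90f28a6449141869b because no "
    "identity-based policy allows the iam:TagOpenIDConnectProvider action"
)

# Assumption: both policy documents are constructed for this example and are
# NOT the real HyperShift cli-role policy. POLICY_BEFORE can create an OIDC
# provider but cannot tag it, which is the situation the error describes.
OIDC_PROVIDER_ARN_PATTERN = "arn:aws:iam::301721915996:oidc-provider/*"
POLICY_BEFORE = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["iam:CreateOpenIDConnectProvider", "iam:GetOpenIDConnectProvider"],
        "Resource": OIDC_PROVIDER_ARN_PATTERN,
    }],
}
# POLICY_AFTER adds the single action named in the error message.
POLICY_AFTER = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "iam:CreateOpenIDConnectProvider",
            "iam:GetOpenIDConnectProvider",
            "iam:TagOpenIDConnectProvider",
        ],
        "Resource": OIDC_PROVIDER_ARN_PATTERN,
    }],
}

# Assumption for the example: actions the create path needs on the OIDC
# provider; the full set used by the CLI may be longer.
REQUIRED_OIDC_ACTIONS = ["iam:CreateOpenIDConnectProvider", "iam:TagOpenIDConnectProvider"]

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+)"
    r" on resource: (?P<resource>\S+)"
)


def parse_access_denied(message: str) -> Optional[dict]:
    """Pull principal, action and resource out of an AWS AccessDenied message.

    'explicit_deny' distinguishes an explicit Deny statement from the implicit
    deny ("no identity-based policy allows ...") seen in this bug."""
    m = ACCESS_DENIED_RE.search(message)
    if m is None:
        return None
    fields = m.groupdict()
    fields["explicit_deny"] = "explicit deny" in message
    return fields


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _iam_glob(pattern: str, value: str, ignore_case: bool) -> bool:
    # IAM wildcards: '*' matches any run of characters, '?' exactly one.
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Simplified identity-based evaluation: a matching explicit Deny wins,
    then any matching Allow, otherwise implicit deny. Condition, NotAction and
    NotResource are deliberately not modelled; statements using them raise."""
    allowed = False
    for st in policy["Statement"]:
        if any(k in st for k in ("Condition", "NotAction", "NotResource")):
            raise ValueError("statement element not supported by this evaluator")
        # Action names are case-insensitive in IAM; resource ARNs are matched as written.
        action_hit = any(_iam_glob(a, action, True) for a in _as_list(st["Action"]))
        resource_hit = any(_iam_glob(r, resource, False) for r in _as_list(st["Resource"]))
        if not (action_hit and resource_hit):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def missing_actions(policy: dict, required: list, resource: str) -> list:
    """Required actions the policy does not allow on the given resource."""
    return [a for a in required if not is_allowed(policy, a, resource)]


if __name__ == "__main__":
    denied = parse_access_denied(SAMPLE_ERROR)
    print(f"denied action {denied['action']} on {denied['resource']}")
    for name, policy in (("before", POLICY_BEFORE), ("after", POLICY_AFTER)):
        print(name, "missing:", missing_actions(policy, REQUIRED_OIDC_ACTIONS, denied["resource"]))
```

Run against the message from this bug, the parser reports an implicit deny for iam:TagOpenIDConnectProvider, the "before" policy is missing exactly that action, and the "after" policy is missing none. The same check can be pointed at a role's actual inline policy document before the CLI is run, which is cheaper than discovering the gap from a 403 mid-create.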
- blocks: OCPBUGS-35052 hypershift create iam cli-role missing Tag permissions (Closed)
- blocks: OCPSTRAT-1350 Transition HCP CLI to Use AWS STS for Role, Policy, and Infra Management (Closed)
- is cloned by: OCPBUGS-35052 hypershift create iam cli-role missing Tag permissions (Closed)
- links to: RHEA-2024:3718 OpenShift Container Platform 4.17.z bug fix update