OpenShift Bugs: OCPBUGS-38723

GCP deployments using short-lived credential formats require new permissions


    • Moderate
    • None
    • Installer (PB) Sprint 258, Installer (PB) Sprint 259, Installer Sprint 260
    • 3
    • False

      Description of problem:

      GCP short-lived credentials do not fill out certain fields in the GCP structure. This causes failures when creating resources such as signed URLs. In order to create these resources, the user should add the role Service Account User, which has the permission "iam.serviceAccounts.signBlob".

      Version-Release number of selected component (if applicable):

          4.17

      How reproducible:

          Always

      Steps to Reproduce:

          1. 
          2.
          3.
          

      Actual results:

          time="2024-08-15T19:34:26Z" level=fatal msg="failed to fetch Cluster Infrastructure Variables: failed to generate asset \"Cluster Infrastructure Variables\": failed to provision gcp bootstrap storage resources: failed to create a signed url: unable to sign bytes: googleapi: Error 403: Permission 'iam.serviceAccounts.signBlob' denied on resource (or it may not exist).\nDetails:\n[\n  {\n    \"@type\": \"type.googleapis.com/google.rpc.ErrorInfo\",\n    \"domain\": \"iam.googleapis.com\",\n    \"metadata\": {\n      \"permission\": \"iam.serviceAccounts.signBlob\"\n    },\n    \"reason\": \"IAM_PERMISSION_DENIED\"\n  }\n]"

      Expected results:

      Successful install    

      Additional info:

          

            rh-ee-bbarbach Brent Barbachem
            rh-ee-bbarbach Brent Barbachem
            Jianli Wei Jianli Wei
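
An added example, not taken from the installer or from this report: a preflight check in Go that flags credential files which cannot sign locally, so the install would depend on `iam.serviceAccounts.signBlob`. It assumes the unfilled fields are the `client_email` and `private_key` of a service account key file; `NeedsSignBlob` and both sample credentials are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// gcpCred holds only the credential-file fields relevant to signing.
// Assumption: these are the fields a short-lived credential leaves empty.
type gcpCred struct {
	Type        string `json:"type"`
	ClientEmail string `json:"client_email"`
	PrivateKey  string `json:"private_key"`
}

// NeedsSignBlob (hypothetical helper) reports whether a credential file lacks
// the material for local signing. When it does, signed URLs can only be made
// through the IAM API, which requires iam.serviceAccounts.signBlob.
func NeedsSignBlob(raw []byte) (bool, error) {
	var c gcpCred
	if err := json.Unmarshal(raw, &c); err != nil {
		return false, fmt.Errorf("parse credentials: %w", err)
	}
	if c.Type == "" {
		return false, fmt.Errorf("credentials have no \"type\" field")
	}
	local := c.Type == "service_account" && c.ClientEmail != "" && c.PrivateKey != ""
	return !local, nil
}

// Constructed samples; they contain no real secrets or project names.
var (
	SampleKeyFile  = []byte(`{"type":"service_account","client_email":"installer@example-project.iam.gserviceaccount.com","private_key":"-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"}`)
	SampleExternal = []byte(`{"type":"external_account","audience":"//iam.googleapis.com/projects/0/locations/global/workloadIdentityPools/example-pool/providers/example-provider","token_url":"https://sts.googleapis.com/v1/token"}`)
)

func main() {
	for name, raw := range map[string][]byte{"key file": SampleKeyFile, "external account": SampleExternal} {
		need, err := NeedsSignBlob(raw)
		fmt.Printf("%s: needs signBlob=%v err=%v\n", name, need, err)
	}
}
```

Running a check like this before provisioning turns the 403 shown under "Actual results" into an early, explicit permission requirement.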