
GCP fails to assign permissions to installer created SA


    • Quality / Stability / Reliability
    • False
    • 2
    • Installer (PB) Sprint 263
    • 1
    • Done
    • Bug Fix
      * Previously, when installing a cluster on {gcp-short}, the installation program could fail to locate the service account it created due to a delay in activating the service account on Google's servers. With this update, the installation program waits an appropriate amount of time before attempting to use the created service account. (link:https://issues.redhat.com/browse/OCPBUGS-45280[OCPBUGS-45280])

      Description of problem:

      DEBUG Creating ServiceAccount for control plane nodes 
      DEBUG Service account created for XXXXX-gcp-r4ncs-m 
      DEBUG Getting policy for openshift-dev-installer   
      DEBUG adding roles/compute.instanceAdmin role, added serviceAccount:XXXXX-gcp-r4ncs-m@openshift-dev-installer.iam.gserviceaccount.com member 
      DEBUG adding roles/compute.networkAdmin role, added serviceAccount:XXXXX-gcp-r4ncs-m@openshift-dev-installer.iam.gserviceaccount.com member 
      DEBUG adding roles/compute.securityAdmin role, added serviceAccount:XXXXX-gcp-r4ncs-m@openshift-dev-installer.iam.gserviceaccount.com member 
      DEBUG adding roles/storage.admin role, added serviceAccount:XXXXX-gcp-r4ncs-m@openshift-dev-installer.iam.gserviceaccount.com member 
      ERROR failed to fetch Cluster: failed to generate asset "Cluster": failed to create cluster: failed during pre-provisioning: failed to add master roles: failed to set IAM policy, unexpected error: googleapi: Error 400: Service account XXXXX-gcp-r4ncs-m@openshift-dev-installer.iam.gserviceaccount.com does not exist., badRequest
      
      It appears that the Service account was created correctly. The roles are assigned to the service account. It is possible that there needs to be a "wait for action to complete" on the server side to ensure that this will all be ok.

      Version-Release number of selected component (if applicable):

          

      How reproducible:

      Random. Appears to be a sync issue    

      Steps to Reproduce:

          1. Run the installer for a normal GCP basic install
          

      Actual results:

          Installer fails saying that the Service Account that the installer created does not have the permissions to perform an action. Sometimes it takes numerous tries for this to happen (very intermittent). 

      Expected results:

          Successful install

      Additional info:

          

              rh-ee-bbarbach Brent Barbachem
              Jianli Wei Jianli Wei
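The wait described in the release note, as an added Go example that is not the installer's own code: the policy update is retried with bounded backoff only while the error matches the "does not exist" response from the log, so any other failure (for example a permission error) still fails immediately. `RetryPolicyBinding`, `isPropagationError` and `fakeIAM` are hypothetical names, the error string is constructed after the log line in the description, and matching on the error text is an assumption made to keep the example free of GCP client libraries.

```go
package main

import (
	"context"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Constructed error modelled on the log line in the description.
var errNotVisible = errors.New("googleapi: Error 400: Service account sa@example-project.iam.gserviceaccount.com does not exist., badRequest")

// isPropagationError matches only the response seen while a freshly created
// service account is not yet visible to the policy API (assumed text match).
func isPropagationError(err error) bool {
	return err != nil && strings.Contains(err.Error(), "Error 400") &&
		strings.Contains(err.Error(), "does not exist")
}

// RetryPolicyBinding calls set until it succeeds, returns an error that is not
// a propagation error, or ctx expires. It returns the number of attempts made.
func RetryPolicyBinding(ctx context.Context, base time.Duration, set func() error) (int, error) {
	delay := base
	for attempt := 1; ; attempt++ {
		err := set()
		if err == nil || !isPropagationError(err) {
			return attempt, err // success, or a real failure: do not mask it
		}
		select {
		case <-ctx.Done():
			return attempt, fmt.Errorf("service account still not visible after %d attempts: %w", attempt, err)
		case <-time.After(delay):
		}
		if delay < 8*base {
			delay *= 2 // exponential backoff, capped at 8x the base delay
		}
	}
}

// fakeIAM simulates (constructed) a backend where the account becomes visible
// only after visibleAfter failed calls.
func fakeIAM(visibleAfter int) func() error {
	calls := 0
	return func() error {
		calls++
		if calls <= visibleAfter {
			return errNotVisible
		}
		return nil
	}
}

func main() {
	ctx, cancel := context.WithTimeout(context.Background(), 2*time.Second)
	defer cancel()
	fmt.Println(RetryPolicyBinding(ctx, 10*time.Millisecond, fakeIAM(3)))
}
```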