Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Major
Fix Version/s: None
Affects Version/s: 4.16, 4.17, 4.18, 4.19, 4.20, 4.21
Component/s: Cloud Credential Operator
Labels:
None

Activity Type:
Quality / Stability / Reliability
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Story Points:
None
Severity:
None
Regression:
None

Target Backport Versions:
None
Target Version:

4.18.z
Release Blocker:
Rejected
Sprint:
None

SFDC Cases Counter:
SFDC Cases Open:
SFDC Cases Links:

PX Impact Score:

Release Note Status:
In Progress
Release Note Type:
Bug Fix
Release Note Text:

Hide
Previously, the ccoctl utility did not support pagination when retrieving CloudFront distributions. As a result, if the distribution to be deleted was not included in the first batch of results, the CloudFront distribution and its associated origin access identity could not be deleted successfully during the ccoctl aws delete operation.
This update adds pagination support to the ccoctl utility when fetching CloudFront distributions, ensuring that the distribution can be located and deleted properly.

Show
Previously, the ccoctl utility did not support pagination when retrieving CloudFront distributions. As a result, if the distribution to be deleted was not included in the first batch of results, the CloudFront distribution and its associated origin access identity could not be deleted successfully during the ccoctl aws delete operation. This update adds pagination support to the ccoctl utility when fetching CloudFront distributions, ensuring that the distribution can be located and deleted properly.

Escape Reason:
None
Escape Impact:
None
Corrective Measures:
None
SDLC stage when should've been found:
None

This is a clone of issue OCPBUGS-65478. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-63690. The following is the description of the original issue:
—
This is a clone of issue OCPBUGS-63561. The following is the description of the original issue:
—
Description of problem:

CloudFront Distribution not deleted by ccoctl aws delete.
Compared the logs, seems it didn't get the distribution by tags successfully.
Current log:
[cloud-user@preserved-jshu verify]$ ./ccoctl aws delete --name jshuaws11 --region us-east-1
...
2025/10/26 21:49:05 Identity Provider bucket jshuaws11-oidc deleted
2025/10/26 21:49:25 failed to delete the CloudFront origin access identity with ID E3I4QD2PBVGYZ6: operation error CloudFront: DeleteCloudFrontOriginAccessIdentity, https response error StatusCode: 409, RequestID: c93445d3-673d-4d3d-a37a-641827cea46a, CloudFrontOriginAccessIdentityInUse: The CloudFront origin access identity is still being used.
2025/10/26 21:49:40 Policy jshuaws11-openshift-cloud-credential-operator-cloud-credential-o associated with IAM Role jshuaws11-openshift-cloud-credential-operator-cloud-credential-o deleted
...

Old successful log:
[cloud-user@jshu-gcp cco]$ ./ccoctl aws delete --name jshu-sts3 --region=us-east-2
...
2023/06/22 12:27:44 Identity Provider bucket jshu-sts3-oidc deleted
2023/06/22 12:27:54 Waiting 30s for CloudFront distribution with ID E1JUIQ3GZNMFP2 to be disabled...
2023/06/22 12:28:24 Waiting 30s for CloudFront distribution with ID E1JUIQ3GZNMFP2 to be disabled...
...
2023/06/22 12:35:59 CloudFront distribution with ID E1JUIQ3GZNMFP2 deleted
2023/06/22 12:36:00 CloudFront origin access identity with ID E2WDDMOY5FRX91 deleted
...

Version-Release number of selected component (if applicable):

4.21

How reproducible:

always

Steps to Reproduce:

    1.ccoctl aws create-all --create-private-s3-bucket --name jshuaws11 --region us-east-1 --output-dir output11 --credentials-requests-dir /home/cloud-user/jshu/cco/awscr-420
    2.ccoctl aws delete --name jshuaws11 --region us-east-1

Actual results:

CloudFront Distribution and origin access identity NOT deleted
like
2025/10/26 21:49:25 failed to delete the CloudFront origin access identity with ID E3I4QD2PBVGYZ6: operation error CloudFront: DeleteCloudFrontOriginAccessIdentity, https response error StatusCode: 409, RequestID: c93445d3-673d-4d3d-a37a-641827cea46a, CloudFrontOriginAccessIdentityInUse: The CloudFront origin access identity is still being used.

Expected results:

CloudFront Distribution and origin access identity deleted
like
2023/06/22 12:35:59 CloudFront distribution with ID E1JUIQ3GZNMFP2 deleted 2023/06/22 12:36:00 CloudFront origin access identity with ID E2WDDMOY5FRX91 deleted

Additional info:

I tested 4.21/4.20/4.16

blocks

OCPBUGS-65480 CloudFront Distribution not deleted by ccoctl aws delete

ASSIGNED

clones

OCPBUGS-65478 CloudFront Distribution not deleted by ccoctl aws delete

ON_QA

is blocked by

OCPBUGS-65478 CloudFront Distribution not deleted by ccoctl aws delete

ON_QA

is cloned by

OCPBUGS-65480 CloudFront Distribution not deleted by ccoctl aws delete

ASSIGNED

links to

openshift/cloud-credential-operator#947: [release-4.18] OCPBUGS-65479: ccoctl: use pagination when listing resources in aws

Assignee:: Jeremiah Stuever

Reporter:: Jianping Shu

Need Info From:: None

Contributors:: None

QA Contact:: Jianping Shu

Doc Contact:: None

Votes:: 0 Vote for this issue

Watchers:: 2 Start watching this issue

Created:: 2025/11/11 7:55 PM

Updated:: 2025/11/19 7:45 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates