Feature Request
Resolution: Unresolved
Major
Product / Portfolio Work
1. Proposed title of this feature request
Enable AWS EFS CSI across account support for ROSA classic.
2. What is the nature and description of the request?
ROSA Classic is not able to use AWS EFS across accounts: when creating a PVC with a StorageClass that references a file system in another account, the following error appears:
failed to provision volume with StorageClass "efs-cross-account-mount-sc": rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
My steps when using this feature on ROSA Classic 4.17:
a. Followed the doc below to install the EFS CSI Driver Operator:
[0]https://cloud.redhat.com/experts/rosa/aws-efs/
my IAM role for the CSI Driver Operator is holly-aws-efs-csi-operator, with a trust policy and an EFS policy.
b. Followed the doc below to implement the cross-account EFS mount:
b-1: IAM role for the storage class secret: my-efs-acrossaccount-role has a trust policy to the account where ROSA is located and the two required policies.
b-2: STS AssumeRole policy for my-efs-acrossaccount-role attached to the holly-aws-efs-csi-operator IAM role.
b-3: AmazonElasticFileSystemClientFullAccess policy attached to ManagedOpenshift-ControlPlane-role.
b-4: storage class secret:
$ oc -n openshift-cluster-csi-drivers create secret generic my-efs-cross-account --from-literal=awsRoleArn='arn:aws:iam::640168423195:role/holly-efs-acrossaccount-role'
b-5: Created a role and rolebinding for the driver controller SA:
$ oc -n openshift-cluster-csi-drivers create role access-secrets --verb=get,list,watch --resource=secrets
$ oc -n openshift-cluster-csi-drivers create rolebinding --role=access-secrets default-to-secrets --serviceaccount=openshift-cluster-csi-drivers:aws-efs-csi-driver-controller-sa
c. Created a storage class with the Account B file system ID.
d. Created a PVC with the above storage class but saw the error:
Normal ExternalProvisioning 3m54s (x85 over 23m) persistentvolume-controller Waiting for a volume to be created either by the external provisioner 'efs.csi.aws.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered.
Normal Provisioning 23s (x14 over 23m) efs.csi.aws.com_ip-10-0-49-189_34982ccf-d97b-41cd-a191-c65571322608 External provisioner is provisioning volume for claim "openshift-cluster-csi-drivers/test"
Warning ProvisioningFailed 23s (x14 over 23m) efs.csi.aws.com_ip-10-0-49-189_34982ccf-d97b-41cd-a191-c65571322608 failed to provision volume with StorageClass "efs-cross-account-mount-sc": rpc error: code = Unauthenticated desc = Access Denied. Please ensure you have the right AWS permissions: Access denied
The reason might be that when installing the EFS operator we use the OIDC setting on the secret, which has a role in one account, so the EFS CSI driver cannot read or write EFS in another AWS account unless there is a way to set up the AWS IAM role to trust the other AWS account.
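An added offline consistency check for the role chain set up in steps b-1, b-2 and b-4 (example code, not from the operator or this issue): it flags a secret awsRoleArn that does not name the cross-account role, a trust policy that does not trust the operator role, and an operator role that lacks sts:AssumeRole on that role. The policy documents and the account IDs 111111111111 (cluster account) and 222222222222 (EFS account) are constructed samples; real ones come from aws iam get-role and get-role-policy.

```python
# Constructed placeholders: 111111111111 hosts the ROSA cluster, 222222222222 hosts the EFS.
OPERATOR_ROLE_ARN = "arn:aws:iam::111111111111:role/holly-aws-efs-csi-operator"
CROSS_ROLE_ARN = "arn:aws:iam::222222222222:role/my-efs-acrossaccount-role"

# Step b-1: trust policy on the EFS-account role (sample document, not from the issue).
CROSS_ROLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": OPERATOR_ROLE_ARN},
                   "Action": "sts:AssumeRole"}],
}
# Step b-2: identity policy attached to the operator role (sample document).
OPERATOR_ASSUME_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                   "Resource": CROSS_ROLE_ARN}],
}

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _aws_principals(statement):
    """AWS principals of a trust statement; a bare "*" principal is not accepted here."""
    principal = statement.get("Principal", {})
    return set(_as_list(principal.get("AWS", []))) if isinstance(principal, dict) else set()

def _allow_statements(policy, action):
    """Yield the Allow statements of a policy document that grant `action`."""
    for st in _as_list(policy.get("Statement", [])):
        if st.get("Effect") == "Allow" and action in _as_list(st.get("Action", [])):
            yield st

def check_role_chain(secret_role_arn, operator_arn, cross_arn, trust_policy, assume_policy):
    """Return a list of problems; an empty list means the chain is consistent."""
    problems = []
    if secret_role_arn != cross_arn:  # step b-4 must reference the role from step b-1
        problems.append(f"secret awsRoleArn {secret_role_arn} does not match {cross_arn}")
    operator_account = operator_arn.split(":")[4]
    # Trusting the whole cluster account (root) also works, since b-2 scopes the assume right.
    acceptable = {operator_arn, f"arn:aws:iam::{operator_account}:root"}
    trusted = any(acceptable & _aws_principals(st)
                  for st in _allow_statements(trust_policy, "sts:AssumeRole"))
    if not trusted:
        problems.append(f"trust policy of {cross_arn} does not trust {operator_arn}")
    allowed = any(set(_as_list(st.get("Resource", []))) & {"*", cross_arn}
                  for st in _allow_statements(assume_policy, "sts:AssumeRole"))
    if not allowed:
        problems.append(f"{operator_arn} is not allowed sts:AssumeRole on {cross_arn}")
    return problems
```

With the secret, trust policy and assume policy in agreement the function returns an empty list; any non-empty result names the step to revisit before re-creating the PVC.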
3. Why does the customer need this? (List the business requirements here)
This feature is said to be supported on ROSA, but per testing it has issues both on our end and on the customer's end, with the same error as above.
4. List any affected packages or components.
Depends on: OCPSTRAT-2136 EFS cross accounts support doc procedure revamp
Release Pending