
[aws][cco] Provide a better guidance to troubleshoot STS tokens

    • Type: Task
    • Resolution: Done
    • Priority: Major

      We need to provide better guidance to help internal teams and customers troubleshoot the STS credentials that CCO provides when a cluster is deployed on AWS in the STS (short-lived credentials) authentication mode.

      Recently we published some content that helped customers[1], but yesterday [ mimccune@redhat.com asked | https://coreos.slack.com/archives/C011MLLLY4W/p1657827807146079] for help with an interesting support case[2]: the customer needed a way to review the credentials provided by CCO (through CredentialsRequests) against what was actually created in the IAM Role policies. Marco provided the customer with a script[3] of steps for "e2e" testing of MAPI (the Machine API), which:

      • Discovers the ServiceAccount token provided to MAPI
      • Compares the IAM Role policy permissions against the permissions requested in the CCO CredentialsRequest
      • Assumes the role with the token provided by the ServiceAccount, obtaining short-lived STS credentials, and uses them to authenticate to the AWS API
      • Uses the short-lived credentials to create one instance manually (with the AWS CLI), exercising the EC2 RunInstances API with the attributes of an existing worker machine (tl;dr: manually adding one machine)
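The first three steps above can be reproduced offline with a small checker. The following is an added example, not the script from the support case and not part of the ticket: it parses the `credentials` file CCO writes into the component's secret in STS mode to find the role ARN and the projected token path, extracts the actions requested by the CredentialsRequest (`spec.providerSpec.statementEntries`), and diffs them against the role's policy document with IAM-style wildcard matching, flagging anything not allowed or explicitly denied. The sample secret, CredentialsRequest and policy document are constructed; the account id and role name are placeholders. The last function performs the assume-role exchange and needs `boto3` plus network access, so it is only imported when called.

```python
"""Check the IAM permissions CCO created for a component against what its
CredentialsRequest asked for, then (optionally) exchange the component's
ServiceAccount token for short-lived STS credentials."""
import configparser
import fnmatch
from typing import Iterable

# Constructed sample: the base64-decoded 'credentials' key of the secret CCO
# writes for MAPI in STS mode (openshift-machine-api/aws-cloud-credentials).
# Account id and role name are placeholders.
SAMPLE_CREDENTIALS_FILE = """\
[default]
role_arn = arn:aws:iam::123456789012:role/example-openshift-machine-api-aws-cloud-credentials
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
"""

# Constructed sample: a trimmed CredentialsRequest (AWSProviderSpec) for MAPI.
SAMPLE_CREDREQ = {
    "spec": {
        "providerSpec": {
            "kind": "AWSProviderSpec",
            "statementEntries": [
                {"effect": "Allow", "resource": "*", "action": [
                    "ec2:RunInstances", "ec2:TerminateInstances",
                    "ec2:DescribeInstances", "ec2:DescribeSubnets",
                    "iam:PassRole", "kms:Decrypt"]},
            ],
        }
    }
}

# Constructed sample: an IAM role policy as returned by
# `aws iam get-role-policy --query PolicyDocument`, where someone has dropped
# ec2:RunInstances and added an explicit Deny on kms:Decrypt.
SAMPLE_POLICY_DOCUMENT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*",
         "Action": ["ec2:Describe*", "ec2:TerminateInstances", "iam:PassRole"]},
        {"Effect": "Allow", "Resource": "*", "Action": "kms:*"},
        {"Effect": "Deny", "Resource": "*", "Action": "kms:Decrypt"},
    ],
}


def parse_sts_credentials(text: str) -> dict:
    """Step 1: find the role ARN and the projected token path in the CCO secret."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    section = cfg["default"]
    return {"role_arn": section["role_arn"],
            "web_identity_token_file": section["web_identity_token_file"]}


def _as_list(value) -> list:
    # IAM and CredentialsRequest fields may hold a single string or a list.
    return [value] if isinstance(value, str) else list(value or [])


def required_actions(credreq: dict) -> list:
    """Actions the CredentialsRequest asks CCO to allow for the component."""
    actions = []
    for entry in credreq["spec"]["providerSpec"]["statementEntries"]:
        if entry.get("effect", "Allow") == "Allow":
            actions.extend(_as_list(entry.get("action")))
    return actions


def _matches(pattern: str, action: str) -> bool:
    # IAM matches action names case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def missing_permissions(required: Iterable[str], policy: dict) -> list:
    """Step 2: required actions the role policy does not allow or explicitly denies.

    Only the Action lists are evaluated; Resource and Condition scoping is not,
    so an empty result means "not obviously broken", not "fully equivalent".
    """
    allowed, denied = [], []
    for stmt in policy.get("Statement", []):
        target = allowed if stmt.get("Effect") == "Allow" else denied
        target.extend(_as_list(stmt.get("Action")))
    missing = []
    for action in required:
        if (not any(_matches(p, action) for p in allowed)
                or any(_matches(p, action) for p in denied)):
            missing.append(action)
    return sorted(missing)


def assume_role_with_token(role_arn: str, token: str,
                           session_name: str = "cco-check",
                           region: str = "us-east-1") -> dict:
    """Step 3: exchange the ServiceAccount token for short-lived STS credentials.

    Needs boto3 and network access to STS; no AWS credentials are required,
    because AssumeRoleWithWebIdentity is an unsigned call. The region is a
    placeholder default; use the cluster's region.
    """
    import boto3  # imported lazily so the offline checks above run without it
    sts = boto3.client("sts", region_name=region)
    resp = sts.assume_role_with_web_identity(
        RoleArn=role_arn, RoleSessionName=session_name, WebIdentityToken=token)
    return resp["Credentials"]  # AccessKeyId, SecretAccessKey, SessionToken, Expiration


if __name__ == "__main__":
    creds = parse_sts_credentials(SAMPLE_CREDENTIALS_FILE)
    print("role:", creds["role_arn"])
    print("token file:", creds["web_identity_token_file"])
    for action in missing_permissions(required_actions(SAMPLE_CREDREQ), SAMPLE_POLICY_DOCUMENT):
        print("MISSING:", action)
```

On a real cluster the three inputs come from `oc -n openshift-machine-api get secret aws-cloud-credentials -o jsonpath='{.data.credentials}' | base64 -d`, `oc -n openshift-cloud-credential-operator get credentialsrequest openshift-machine-api-aws -o json`, and `aws iam get-role-policy` for the role named in the ARN (list its policies first with `aws iam list-role-policies`); the token itself is read from the `web_identity_token_file` path inside the MAPI controller pod. Resource and Condition restrictions are a common reason for an "allowed" action to still fail at RunInstances time, which is why the fourth step (actually launching a machine with the returned credentials) is still needed.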

      This script is useful to validate the flow and each component involved, so we can detect which step is failing. It would be good to have something ready to share with internal teams and customers.

      GOAL

      Share the information and results collected from the customer case and from internal research. Some options are:

      • A KCS article describing the tests executed, with scenarios where IAM policies restrict the ec2:RunInstances operation or the equivalent permissions required by MAPI
      • A script that gives better feedback at each step: testing the tokens, comparing the permissions, and trying to use the short-lived credentials
      • A spike to propose a "problem detector" tool which, with IAM read permissions, compares and tests the tokens CCO provides to components against a known-good configuration with the desired permissions

      ENGINEERING CONTENT

      [1] Content created recently on this topic:

      [2] Support case: https://access.redhat.com/support/cases/#/case/03226796

      [3] Hacking steps/script provided in the support case: https://mtulio.net/playbooks/openshift/ocp-aws-cco-run-instance/

              rhn-support-mrbraga Marco Braga