Bug 1632843

Summary:	AWS standalone masters don't accept the use of IAM roles
Product:	OpenShift Container Platform	Reporter:	Chris Callegari <ccallega>
Component:	Installer	Assignee:	Chris Callegari <ccallega>
Status:	CLOSED CURRENTRELEASE	QA Contact:	sheng.lao <shlao>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	3.11.0	CC:	aos-bugs, jokerman, mmccomas, mwoodson, scuppett
Target Milestone:	---	Keywords:	OpsBlocker
Target Release:	3.11.z
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2018-11-20 14:15:40 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Chris Callegari 2018-09-25 16:08:02 UTC

Description of problem:
New feature AWS standalone masters don't accept the use of IAM roles.  Please reenable this use.  Overrides must be made available for Use/no use, name, policy_name, and policy_json in case I want to make changes or use my own.

ps...Ensure ASG/EC2s can use IAM roles also.

Version-Release number of selected component (if applicable):
3.11

How reproducible:
Always

Steps to Reproduce:
1. Set openshift_aws_create_iam_role: True 
2. ansible-playbook -i hosts openshift-cluster/prerequisites.yml -e @provisioning_vars.yml
3. ansible-playbook -i hosts openshift-cluster/provision_install.yml -e @provisioning_vars.yml

Actual results:
Master, Compute, Infra EC2s don't use IAM roles

Expected results:
Master, Compute, Infra EC2s should use specified IAM roles

Additional info:


Description of problem:

Version-Release number of the following components:
rpm -q openshift-ansible
rpm -q ansible
ansible --version

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:
Please include the entire output from the last TASK line through the end of output if an error is generated

Expected results:

Additional info:
Please attach logs from ansible-playbook with the -vvv flag

Comment 1 Chris Callegari 2018-09-25 16:10:47 UTC

submitted via https://github.com/openshift/openshift-ansible/pull/10224

Comment 2 Chris Callegari 2018-09-25 16:11:09 UTC

Fix is merged into master

Comment 3 sheng.lao 2018-09-26 03:20:57 UTC

I think this pr fixed the bug too
https://bugzilla.redhat.com/show_bug.cgi?id=1630319

Comment 4 sheng.lao 2018-09-26 07:08:05 UTC

The PR-10224 has been merged to master branch, openshift-ansible-4.0, but the Target Release is 3.11.z. So This PR need to be back-ported to 3.11.z.

Fixed at openshift-ansible-4.0.0-0.4.0-8-gca962ff (master)

# aws iam list-instance-profiles |grep shlao
                    "RoleName": "qe-shlao-5-iam_compute", 
...
                    "RoleName": "qe-shlao-5-iam_infra", 
...
                    "RoleName": "qe-shlao-5-iam_master", 
...


# aws iam list-roles |grep -i shlao 
            "RoleName": "qe-shlao-5-iam_compute", 
...
            "RoleName": "qe-shlao-5-iam_infra", 
...
            "RoleName": "qe-shlao-5-iam_master", 
...

Comment 5 Stephen Cuppett 2018-11-20 14:14:13 UTC

There was a separate cherry-pick commit of this in 3.11 as well:

https://github.com/openshift/openshift-ansible/commit/fe059fce662f9f422c9d1359a3568f59849890ce

Comment 6 Stephen Cuppett 2018-11-20 14:15:40 UTC

Marking CLOSED CURRENTRELEASE.