Bug 2002808

Summary: KCM does not use web identity credentials
Product: OpenShift Container Platform Reporter: Seth Jennings <sjenning>
Component: Cloud ComputeAssignee: Seth Jennings <sjenning>
Cloud Compute sub component: Cloud Controller Manager QA Contact: Milind Yadav <miyadav>
Status: CLOSED ERRATA Docs Contact:
Severity: medium    
Priority: unspecified CC: aos-bugs, mfedosin
Version: 4.8   
Target Milestone: ---   
Target Release: 4.10.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2022-03-12 04:38:07 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 2002811    

Description Seth Jennings 2021-09-09 18:37:25 UTC 
Description of problem:
See https://github.com/kubernetes/kubernetes/pull/104314#issue-709659173

Version-Release number of selected component (if applicable):
4.8

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
role_arn and web_identity_token_file are not used by the custom AWS credential chain defined by the in-tree cloud provider.

Expected results:
Default credential chain is used and web identity credentials work.

Additional info:
A number of customers are wanting OCP run with only STS credentials (no user access ids/keys).  This is recommend by AWS.  Hypershift is doing this.  OCP can't run in STS-only mode until this is fixed.
Comment 3 Mike Fedosin 2021-10-14 10:34:19 UTC 
The bug has been fixed with https://github.com/openshift/kubernetes/pull/927
Comment 5 Milind Yadav 2021-10-21 04:24:10 UTC 
Do we need to check - 
oc get secrets aws-cloud-credentials -n openshift-machine-api -o yaml to confirm ?  Or the check in comment#4 good ?
Comment 7 Seth Jennings 2021-10-25 14:17:05 UTC 
This fix allows the KCM to use STS credentials.

There is currently no support for this in standalone OCP as the KCM does not use the CCO to obtain credentials; it obtains access to AWS through the master instance role.

This is being done to support Hypershift, where the KCM runs on an instance in one AWS account, but must have privileges in another AWS account.
Comment 10 errata-xmlrpc 2022-03-12 04:38:07 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056