Bug 2015133

Summary: [IBMCLOUD] ServiceID API key credentials seems to be insufficient for ccoctl '--resource-group-name' parameter
Product: OpenShift Container Platform
Reporter: Pedro Amoedo <pamoedom>
Component: Cloud Credential Operator
Assignee: Nobody <nobody>
Status: CLOSED ERRATA
QA Contact: wang lin <lwan>
Severity: low
Priority: medium
Version: 4.10
CC: lwan, mkumatag
Target Release: 4.10.0
Hardware: x86_64
OS: Unspecified
Last Closed: 2022-03-12 04:39:16 UTC
Type: Bug

Description Pedro Amoedo 2021-10-18 13:34:05 UTC
Description of problem:

"ccoctl" fails to create the corresponding "service-ids" when using a serviceID API key, example:

~~~
$ ./ccoctl ibmcloud create-service-id --name="${infraID}" --credentials-requests-dir="cco-creds" --resource-group-name="${resourceGN}" --output-dir="cco-mnfst"
Error: Failed to getResourceGroupID: Failed to list resource groups for the name: pamoedo-ibmtest10-rn2q5: Can not get resource groups without account id in parameter by service id token
~~~

NOTE: The ServiceID API key already has "Power Users" access group with default "Access policies" in place.

Version-Release number of selected component (if applicable):

'ccoctl' binary extracted from release 4.10.0-0.nightly

How reproducible:


Steps to Reproduce:
1. Extract "ccoctl" binary from the cloud-credential-operator container from the corresponding release image.
2. Extract the "CredentialsRequest" from the OCP release image.
3. Set "IC_API_KEY" env variable using the serviceID API key.
4. Execute "ccoctl" binary for ibmcloud variant.

Reference doc: https://docs.openshift.com/container-platform/4.9/authentication/managing_cloud_provider_credentials/cco-mode-sts.html#cco-mode-sts

Actual results:

Command execution fails.

Expected results:

Command should also work when using optional but recommended parameter "--resource-group-name" when using serviceID API key, not only with user-based API keys.

Comment 1 Pedro Amoedo 2021-10-18 13:35:39 UTC
Additional info:

This BZ was raised to properly support https://github.com/openshift/cloud-credential-operator/issues/401

Best Regards.

Comment 2 wang lin 2021-10-19 03:37:36 UTC
Verified using cluster-bot image with the PR merged.

1. Create a service ID and key.
2. Use the above service ID key to run ccoctl create-service-id; without this fix, ccoctl will hit the following error:
###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid --output-dir ibmsecret --resource-group-name ccotest-rg
Failed to getResourceGroupID: Failed to list resource groups for the name: ccotest-rg: Can not get resource groups without account id in parameter by service id token
###
3. With the fix, the creation command can succeed.
###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid-2 --output-dir ibmsecret --resource-group-name ccotest-rg
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-machine-api-ibmcloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
###
4. $ ibmcloud iam service-ids | grep lwan-ibm-svcid-2
ServiceId-04d3605c-9427-4753-96ab-9bdc88d70091   lwan-ibm-svcid-2-openshift-cloud-controller-manager-ibm-cloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-2c609331-7f8b-4266-b85e-e7123894992e   lwan-ibm-svcid-2-openshift-image-registry-installer-cloud-credentials       2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-5ba74172-f37c-4b21-8036-7e28a015b32d   lwan-ibm-svcid-2-openshift-ingress-operator-cloud-credentials               2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-4f16c16f-5cb8-48b8-9d97-866dbf38e2df   lwan-ibm-svcid-2-openshift-machine-api-ibmcloud-credentials                 2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false

Comment 5 wang lin 2021-10-20 01:53:08 UTC
Moved to VERIFIED manually.

Comment 9 errata-xmlrpc 2022-03-12 04:39:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056