Bug 2103236

Summary: GCP: Error message for insufficient permissions needs to be improved
Product: OpenShift Container Platform Reporter: Patrick Dillon <padillon>
Component: InstallerAssignee: Aditya Narayanaswamy <anarayan>
Installer sub component: openshift-installer QA Contact: Jianli Wei <jiwei>
Status: CLOSED ERRATA Docs Contact: Mike Pytlak <mpytlak>
Severity: low    
Priority: low CC: anarayan, mpytlak
Version: 4.11   
Target Milestone: ---   
Target Release: 4.12.0   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
* Previously, if a cluster failed to install on Google Cloud Platform because the service account had insufficient permissions, the resulting error message did not mention this as the cause of the failure. This update improves the error message, which now instructs users to check the permissions that are assigned to the service account. (link:https://bugzilla.redhat.com/show_bug.cgi?id=2103236[*BZ#2103236*])
 Story Points: ---
Clone Of: Environment:
Last Closed: 2023-01-17 19:51:19 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Patrick Dillon 2022-07-01 18:02:53 UTC 
In GCP, if you use a service account with no service principal (I have one created in the installer gce account called padillon-bad-sa-test) and try to run the survey you will get a confusing error message:


# ./openshift-install create install-config
? Platform gcp
? Service Account (absolute path to file or JSON content) [Enter 2 empty lines to finish]/root/badCreds.json




? Service Account (absolute path to file or JSON content) 
/root/badCreds.json
INFO Saving the credentials to "/root/.gcp/osServiceAccount.json" 
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": please provide options to select from

We need to improve this error message.
Comment 3 Jianli Wei 2022-07-12 04:22:52 UTC 
>Create a service-account and a key for the testing:

$ gcloud iam service-accounts create jiwei-bug2103236 --display-name="jiwei-bug2103236"
Created service account [jiwei-bug2103236].
$ gcloud iam service-accounts keys create service-account-key.json --iam-account=jiwei-bug2103236.gserviceaccount.com
created key [370e3145237bebe8c5211092cb2f0df2246ff24e] of type [json] as [service-account-key.json] for [jiwei-bug2103236.gserviceaccount.com]
$ gcloud projects get-iam-policy openshift-qe --flatten="bindings[].members" --format="table(bindings.role)" --filter="bindings.members:jiwei-bug2103236.gserviceaccount.com"
$ 

>Re-created the issue with older version:

[cloud-user@jiwei-0712-03-rhel8-mirror ~]$ ./openshift-install version
./openshift-install 4.11.0-0.nightly-2022-07-06-062815
built from commit b2e7be726e400022e71ef3b8bd01a2093e53bc5a
release image registry.ci.openshift.org/ocp/release@sha256:4ae13c0e064cf59caa9869107e1c0a6a99820796937213938b01eca3966ac57a
release architecture amd64
[cloud-user@jiwei-0712-03-rhel8-mirror ~]$ ./openshift-install create install-config
? Platform gcp
INFO Credentials loaded from file "/home/cloud-user/.gcp/osServiceAccount.json" 
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": please provide options to select from 
[cloud-user@jiwei-0712-03-rhel8-mirror ~]$ 

>Verified the issue with 4.12.0-0.nightly-2022-07-11-054352:

[cloud-user@jiwei-0712-03-rhel8-mirror ~]$ ./openshift-install version
./openshift-install 4.12.0-0.nightly-2022-07-11-054352
built from commit 8879e19b4cb0256686a573f842363186f30f0ed7
release image registry.ci.openshift.org/ocp/release@sha256:e7f48276819b351a005ae69882ddcebf21c35abec633cf935f5a4a245a8c2161
release architecture amd64
[cloud-user@jiwei-0712-03-rhel8-mirror ~]$ ./openshift-install create install-config
? Platform gcp
INFO Credentials loaded from file "/home/cloud-user/.gcp/osServiceAccount.json" 
FATAL failed to fetch Install Config: failed to fetch dependency of "Install Config": failed to fetch dependency of "Base Domain": failed to generate asset "Platform": failed to get projects for the given service principal, please check your permissions 
[cloud-user@jiwei-0712-03-rhel8-mirror ~]$
Comment 6 errata-xmlrpc 2023-01-17 19:51:19 UTC 
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.12.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:7399