
Bug 1724684

Summary: unable to deploy cluster on AWS 4.1.x
Product: OpenShift Container Platform
Reporter: Sudarshan Chaudhari <suchaudh>
Component: Documentation
Assignee: Kathryn Alexander <kalexand>
Status: CLOSED CURRENTRELEASE
QA Contact: Johnny Liu <jialiu>
Severity: medium
Docs Contact: Vikram Goyal <vigoyal>
Priority: high
Version: 4.1.z
CC: adahiya, aos-bugs, erich, gerald.kimmel, jokerman, jrosenta, kalexand, mmccomas, vigoyal
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2019-08-12 13:31:55 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:

Description Sudarshan Chaudhari 2019-06-27 14:25:52 UTC
Description of problem:

Unable to deploy the cluster.

Logs are attached to the Bugzilla. The error is:
~~~
time="2019-06-25T10:23:56Z" level=fatal msg="failed to fetch Terraform Variables: failed to fetch dependency of \"Terraform Variables\": failed to fetch dependency of \"Bootstrap Ignition Config\": failed to fetch dependency of \"Master Machines\": failed to generate asset \"Platform Credentials Check\": validate AWS credentials: checking install permissions: error gathering AWS credentials details: error querying username: InvalidClientTokenId: The security token included in the request is invalid.\n\tstatus code: 403, request id: 5697b59a-9733-11e9-9a03-27542a2f5747"
~~~


Steps to Reproduce:
1. Deploy the cluster using openshift-installer.

Actual results:
The installer is failing to install.

Expected results:
the infrastructure should be provisioned.

Additional info:
Checked: using the AWS credentials, the user is able to create the VMs and has the required permissions.
If there is anything additional we should check, do let us know.

Comment 5 Eric Rich 2019-06-28 15:51:51 UTC
It's possible the customer didn't follow: https://docs.openshift.com/container-platform/4.1/installing/installing_aws/installing-aws-account.html

Can we confirm that they have followed these docs?

Comment 6 Eric Rich 2019-07-02 15:46:01 UTC
Unless we're not using the API properly (for AWS), for example https://github.com/aws/aws-sdk-go/issues/1436, this is most likely a configuration issue (either on the client side or on the service side, with AWS).

Comment 7 Abhinav Dahiya 2019-07-03 00:24:06 UTC
Can you run
```
aws sts get-caller-identity
```
to provide information about the caller?

How are your credentials for AWS setup?

Comment 8 gerald.kimmel 2019-07-04 08:01:20 UTC
The output is:

```
# aws sts get-caller-identity
{
    "UserId": "AIDAU7HYQUMBNXXXXXX",
    "Account": "341971XXXXXX",
    "Arn": "arn:aws:iam::341971XXXXXX:user/A64XXXXXX"
}
```

and the credentials are set up according to https://aws.amazon.com/de/premiumsupport/knowledge-center/authenticate-mfa-cli/ using ~/.aws/credentials

Comment 10 Abhinav Dahiya 2019-07-08 16:37:40 UTC
Since the MFA device can only produce temporary session tokens, and the installer requires credentials from a long-lived user (at least longer than the life of the cluster), I think we should make that clearer in the docs.

Comment 12 Eric Rich 2019-07-08 17:28:17 UTC
(In reply to Abhinav Dahiya from comment #10)
> Since the MFA device can only produce temporary session tokens, and the
> installer requires credentials from a long-lived user (at least greater than
> that of the life of the cluster)
> 
> I think we should make that clearer in the docs.

So we fundamentally require that you follow https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html and not AWS-supported tools like https://aws.amazon.com/de/premiumsupport/knowledge-center/authenticate-mfa-cli/

In short, do we simply need to say we don't support using MFA with the CLI as documented by https://aws.amazon.com/de/premiumsupport/knowledge-center/authenticate-mfa-cli/ ?

Comment 16 Abhinav Dahiya 2019-07-23 16:23:58 UTC
(In reply to Eric Rich from comment #12)
> (In reply to Abhinav Dahiya from comment #10)
> > Since the MFA device can only produce temporary session tokens, and the
> > installer requires credentials from a long-lived user (at least greater than
> > that of the life of the cluster)
> > 
> > I think we should make that clearer in the docs.
> 
> So we fundamentally require that you follow:
> https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html
> and not AWS supported tools like:
> https://aws.amazon.com/de/premiumsupport/knowledge-center/authenticate-mfa-cli/
> 
> In short, do we simply need to say we don't support using MFA with the CLI
> as documented by
> https://aws.amazon.com/de/premiumsupport/knowledge-center/authenticate-mfa-cli/ ?

I think that's correct.
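As an added example (not part of this bug report, the docs PR, or the installer's own code), a stdlib-only Python pre-flight check for the situation described in comments 7 and 10: it parses a constructed `~/.aws/credentials` profile and a constructed `aws sts get-caller-identity` response and reports whether the credentials are temporary STS session credentials rather than the long-lived IAM user keys the installer needs. The profile names, placeholder key values and the heuristics (an `aws_session_token` entry, the `ASIA` key-ID prefix, an assumed-role or federated-user ARN) are this example's own assumptions.

```python
import configparser
import json

# Constructed sample ~/.aws/credentials content; key values are placeholders, not real keys.
SAMPLE_CREDENTIALS = """
[long-lived]
aws_access_key_id = AKIAEXAMPLEPLACEHOLD
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER

[mfa-session]
aws_access_key_id = ASIAEXAMPLEPLACEHOLD
aws_secret_access_key = EXAMPLESECRETPLACEHOLDER
aws_session_token = EXAMPLESESSIONTOKENPLACEHOLDER
"""
# Constructed `aws sts get-caller-identity` responses (account id and names are placeholders).
SAMPLE_IDENTITY_USER = '{"UserId": "AIDAEXAMPLE", "Account": "123456789012", "Arn": "arn:aws:iam::123456789012:user/installer"}'
SAMPLE_IDENTITY_ROLE = '{"UserId": "AROAEXAMPLE:s1", "Account": "123456789012", "Arn": "arn:aws:sts::123456789012:assumed-role/Admin/s1"}'

def profile_is_temporary(credentials_text, profile):
    """Return (temporary, reasons) for one profile of a credentials file."""
    cfg = configparser.ConfigParser()
    cfg.read_string(credentials_text)
    section = cfg[profile]  # raises KeyError if the profile is absent
    reasons = []
    # Session credentials (e.g. from `aws sts get-session-token` with an MFA code)
    # always carry a session token; long-lived IAM user keys never do.
    if section.get("aws_session_token"):
        reasons.append("profile carries aws_session_token (STS session credential)")
    # AWS issues temporary access key IDs with the ASIA prefix, long-lived ones with AKIA.
    if section.get("aws_access_key_id", "").startswith("ASIA"):
        reasons.append("access key id has the ASIA prefix of a temporary key")
    return bool(reasons), reasons

def identity_is_session(caller_identity_json):
    """True if the caller ARN is a role/federated session rather than an IAM user.
    get-session-token credentials still report the user's own ARN (as in comment 8),
    so this check alone cannot catch MFA session tokens; use profile_is_temporary too."""
    arn = json.loads(caller_identity_json)["Arn"]
    return ":assumed-role/" in arn or ":federated-user/" in arn

def preflight(credentials_text, profile, caller_identity_json):
    """Combine both checks into one verdict string for an installer pre-flight log."""
    temporary, reasons = profile_is_temporary(credentials_text, profile)
    if identity_is_session(caller_identity_json):
        temporary = True
        reasons.append("caller ARN is an assumed-role/federated-user session")
    if temporary:
        return "UNSUITABLE: temporary credentials; " + "; ".join(reasons)
    return "OK: long-lived IAM user credentials"
```

Run `preflight(open(path).read(), "<profile>", subprocess.check_output(["aws", "sts", "get-caller-identity"]))` against a real credentials file to reproduce the check; the comment 8 output would pass the ARN check and fail only on the session token.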

Comment 18 Kathryn Alexander 2019-07-31 20:46:51 UTC
PR is here: https://github.com/openshift/openshift-docs/pull/16085

Eric, Jianlin, will you PTAL?

Comment 19 Johnny Liu 2019-08-01 06:58:21 UTC
LGTM.

Comment 20 Kathryn Alexander 2019-08-01 15:03:28 UTC
Thank you! I moved the note to earlier in the files based on peer review feedback and merged the change.