Bug 1927157 - [aws-c2s] STS is not supported on C2S region
Summary: [aws-c2s] STS is not supported on C2S region
Keywords:
Status: CLOSED WONTFIX
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.7
Hardware: Unspecified
OS: Unspecified
unspecified
high
Target Milestone: ---
: 4.8.0
Assignee: Devan Goodwin
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-02-10 09:10 UTC by Yunfei Jiang
Modified: 2021-03-10 16:00 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2021-03-02 00:26:35 UTC
Target Upstream Version:
Embargoed:



Comment 1 Greg Sheremeta 2021-02-16 17:06:03 UTC
this will be resolved by work in 4.8

not a blocker for 4.7

Comment 2 Greg Sheremeta 2021-03-02 00:26:35 UTC
The current design of STS cannot work in C2S. Unfortunately C2S needs to be treated like an entirely new platform for CCO purposes, and we require the usual RFE process for that. Obsoleting.

Comment 4 Matthew Staebler 2021-03-08 18:40:32 UTC
@yunjiang Customers are going to need to get credentials from the CAP endpoint for all of the operators that need credentials. The customer will be responsible for implementing some means by which the credentials are periodically refreshed. I have put together a reference implementation of a cronjob that refreshes the credentials automatically. See https://github.com/staebler/cap-token-refresh.

Comment 5 Yunfei Jiang 2021-03-10 14:22:10 UTC
Matthew, I've integrated CAP into our CI system, and it works fine; I checked the cap-token-refresh logs and the Secret, and the credentials were refreshed regularly.

I also have two questions:
1. The default expiration time of AWS credential created by CAP is one hour, is there a way to change this value?
2. It looks like we cannot refresh the AWS credential during the OCP installation process. In most cases the installation will be finished within 1 hour, but what will happen if it takes more than 1 hour? Even if we could refresh `~/.aws/credentials` during the installation, the installer will not reload the new credential, is that right?

Thanks.

Comment 6 Matthew Staebler 2021-03-10 16:00:29 UTC
(In reply to Yunfei Jiang from comment #5)
> Matthew, I've integrated CAP into our CI system, and it works fine; I checked
> the cap-token-refresh logs and the Secret, and the credentials were refreshed regularly.
> 
> I also got two questions:
> 1. The default expiration time of AWS credential created by CAP is one hour,
> is there a way to change this value?

I am pretty sure that there is a query parameter that you can add to the CAP URL to request a different lifetime for the credentials. I even have some recollection of seeing it at some point. But recently I have not been able to find any documentation for it.

> 2. It looks like we cannot refresh the AWS credential during the OCP
> installation process. In most cases the installation will be finished
> within 1 hour, but what will happen if it takes more than 1 hour? Even if we
> could refresh `~/.aws/credentials` during the installation, the installer
> will not reload the new credential, is that right?

That is correct. The installer will not reload new credentials. But, the installer credentials are only needed up until the installer finishes the terraform phase.

> 
> Thanks.
