Description of problem:
Currently, the ccoctl tool for credentials management only supports the AWS cloud. We need to revamp ccoctl so that it becomes easy to extend it to other cloud platforms in the future.

Version-Release number of selected component (if applicable):
4.8

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:
Hi Akhil, there is an issue with roles created by ccoctl: the trust relationships for components are wrong. The trust relationship ccoctl created is below.

## Such as the role for image registry as below; the StringEquals has the wrong values.
$ aws iam get-role --role-name lwan-tt-1-openshift-image-registry-installer-cloud-credentials | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-1-oidc.s3.us-east-1.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-tt-1-oidc.s3.us-east-1.amazonaws.com:sub": [
            "system:serviceaccount:cluster-image-registry-operator:cluster-image-registry-operator",
            "system:serviceaccount:registry:registry"
          ]
        }
      }
    }
  ]
}

But it should be as below:

$ aws iam get-role --role-name lwan-ccoctl-openshift-image-registry-installer-cloud-credentials | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-ccoctl-oidc.s3.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-ccoctl-oidc.s3.us-east-2.amazonaws.com:sub": [
            "system:serviceaccount:openshift-image-registry:registry",
            "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator"
          ]
        }
      }
    }
  ]
}

All components have the same issue.

And the doc has a small issue in https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md#creating-openid-connect-provider for the creating-openid-connect-provider subcommand: the parameter should be "--public-key-file", rather than "--public-key".
Hi Lin, thanks for reporting this issue. I have opened a PR to fix it and correct the docs: https://github.com/openshift/cloud-credential-operator/pull/325
The `ccoctl create-iam-roles` issue has a fix in commit id fed3bffc9d:

$ aws iam get-role --role-name lwan-tt-cco-5-openshift-image-registry-installer-cloud-credentia | jq -r .Role.AssumeRolePolicyDocument
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com:sub": [
            "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
            "system:serviceaccount:openshift-image-registry:registry"
          ]
        }
      }
    }
  ]
}
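The comparison Lin did by eye in the two comments above, written as an added example that is not part of this report or of ccoctl: a small Python check that parses the trust policy returned by `aws iam get-role ... | jq -r .Role.AssumeRolePolicyDocument` and verifies that the only subjects allowed to call sts:AssumeRoleWithWebIdentity are the expected namespace:serviceaccount pairs, that the condition key matches the OIDC provider in the Principal, and that the match is an exact StringEquals rather than absent or a StringLike pattern. The two embedded policies are constructed from the documents posted in this thread (account id masked as in the report); the expected-subject set for the image registry is taken from the corrected role and is the assumption to adjust for another component.

```python
import json
import sys

# Expected workload identities for the image registry role, as
# "system:serviceaccount:<namespace>:<serviceaccount>" (from the corrected role above).
EXPECTED_IMAGE_REGISTRY_SUBJECTS = {
    "system:serviceaccount:openshift-image-registry:registry",
    "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
}

# Constructed sample: the buggy trust policy as posted in the report (account id masked).
BUGGY_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-1-oidc.s3.us-east-1.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"lwan-tt-1-oidc.s3.us-east-1.amazonaws.com:sub": [
    "system:serviceaccount:cluster-image-registry-operator:cluster-image-registry-operator",
    "system:serviceaccount:registry:registry"]}}}]}
""")

# Constructed sample: the corrected trust policy from commit fed3bffc9d (account id masked).
FIXED_TRUST_POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [{"Effect": "Allow",
  "Principal": {"Federated": "arn:aws:iam::XXXXXXXXXX:oidc-provider/lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com"},
  "Action": "sts:AssumeRoleWithWebIdentity",
  "Condition": {"StringEquals": {"lwan-tt-cco-5-oidc.s3.us-east-2.amazonaws.com:sub": [
    "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator",
    "system:serviceaccount:openshift-image-registry:registry"]}}}]}
""")


def _as_list(value):
    """IAM policy JSON allows a bare string wherever a list is accepted; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def check_trust_policy(policy, expected_subjects):
    """Return human-readable findings for the web-identity statements of an IAM trust
    policy. An empty list means the role trusts exactly the expected service accounts."""
    findings = []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            continue
        federated = stmt.get("Principal", {}).get("Federated", "")
        if ":oidc-provider/" not in federated:
            findings.append(f"principal {federated!r} is not an IAM OIDC provider ARN")
            continue
        # The condition key must use the same provider host as the Principal.
        issuer = federated.split(":oidc-provider/", 1)[1]
        sub_key = f"{issuer}:sub"
        conditions = stmt.get("Condition", {})
        # Anything weaker than an exact match on <issuer>:sub (no condition, or a
        # StringLike pattern) lets other subjects from the same issuer assume the role.
        if sub_key in conditions.get("StringLike", {}):
            findings.append(f"{sub_key} uses StringLike; require an exact StringEquals match")
        equals = conditions.get("StringEquals", {})
        if sub_key not in equals:
            findings.append(f"no StringEquals condition on {sub_key}: any token from {issuer} can assume the role")
            continue
        actual = set(_as_list(equals[sub_key]))
        for sub in sorted(actual - expected_subjects):
            findings.append(f"unexpected subject trusted: {sub}")
        for sub in sorted(expected_subjects - actual):
            findings.append(f"expected subject not trusted: {sub}")
    return findings


if __name__ == "__main__":
    # Pipe in the output of `aws iam get-role ... | jq -r .Role.AssumeRolePolicyDocument`;
    # with no input on stdin, the constructed buggy policy is checked instead.
    doc = BUGGY_TRUST_POLICY if sys.stdin.isatty() else json.load(sys.stdin)
    for line in check_trust_policy(doc, EXPECTED_IMAGE_REGISTRY_SUBJECTS) or ["OK"]:
        print(line)
```

Run against the buggy policy it reports two unexpected subjects and two missing ones, which is exactly the symptom in the report: the pods in openshift-image-registry cannot assume the role, while service accounts in namespaces named `registry` and `cluster-image-registry-operator` (if any existed) could. The fixed policy produces no findings. The same function works for every other component's role; only the expected-subject set changes.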
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438