Note: This bug is displayed in read-only format because the product is no longer active in Red Hat Bugzilla.

Bug 1958424

Summary: aws: support more auth options in manual mode
Product: OpenShift Container Platform
Reporter: Greg Sheremeta <gshereme>
Component: Installer
Assignee: Greg Sheremeta <gshereme>
Installer sub component: openshift-installer
QA Contact: wang lin <lwan>
Status: CLOSED ERRATA
Docs Contact:
Severity: urgent
Priority: urgent
CC: lwan, wking, yunjiang
Version: 4.8
Target Milestone: ---
Target Release: 4.8.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of:
: 1958428
Environment:
Last Closed: 2021-07-27 23:07:25 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On:
Bug Blocks: 1958428

Description Greg Sheremeta 2021-05-07 21:22:30 UTC
Currently the installer only supports static credentials from
AWS config/credentials file or environment for authenticating with AWS.

For the default credential modes (mint/passthrough) this restriction makes
sense because the installer transfers those credentials to the cluster to mint/
passthrough creds to all the components.

For manual mode this restriction can be removed, as the credentials are used only
by the installer and the installer's internal components (terraform). This is especially
important for allowing users to use STS Webhook identity work, where the users want the
installer to assume a certain role using a specific token specified by env variables or
the aws config file.

The new credentials loading:

1. loads the previously used env and static credentials providers first;
2. when those are not provided, it uses the AWS SDK's default internal logic to load credentials
   from all kinds of supported methods.

Now, when the installer tries to create the secret for moving creds to a secret, it checks if the
credentials are static. If the credentials are not static, these are only allowed in manual
credentials mode, like:

FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode

The installer does not configure the terraform aws provider with specific credentials, and since
it also has the same behaviour as described above there should be no problem using these temporary
credentials for terraform.

xref: https://issues.redhat.com/browse/CCO-29
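As an added illustration of the loading order and the static-credentials check described in the report above, and of the four outcomes listed in the verification comment below, here is a stand-alone Go sketch written for this page; it is not the installer's own code. The provider-name strings are the real aws-sdk-go v1 constants (the same ones that appear in the FATAL and INFO lines on this page), but the providers themselves are stand-ins: the environment is a constructed map rather than os.Getenv, the shared credentials file is passed in as a string, and the web identity provider returns placeholder keys without calling STS. The names Value, Provider, EnvProvider, SharedCredsProvider, WebIdentityStub, CredentialsMode, IsStatic and LoadCredentials are chosen for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Value mirrors aws-sdk-go's credentials.Value: keys plus the producing provider's name.
type Value struct{ AccessKeyID, SecretAccessKey, SessionToken, ProviderName string }

// Real aws-sdk-go v1 provider names (credentials and stscreds packages); the last appears in this bug's logs.
const (
	StaticProviderName      = "StaticProvider"
	EnvProviderName         = "EnvConfigCredentials"
	SharedCredsProviderName = "SharedCredentialsProvider"
	WebIdentityProviderName = "WebIdentityCredentials"
)

// Provider stands in for the SDK's credentials.Provider interface.
type Provider interface{ Retrieve() (Value, error) }

// EnvProvider reads static keys from a constructed environment map (the SDK uses os.Getenv).
type EnvProvider struct{ Env map[string]string }

func (p EnvProvider) Retrieve() (Value, error) {
	id, secret := p.Env["AWS_ACCESS_KEY_ID"], p.Env["AWS_SECRET_ACCESS_KEY"]
	if id == "" || secret == "" {
		return Value{}, fmt.Errorf("EnvProvider: AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY not set")
	}
	return Value{id, secret, p.Env["AWS_SESSION_TOKEN"], EnvProviderName}, nil
}

// SharedCredsProvider parses one profile of INI-style credentials-file contents
// passed in as a string (stand-in for reading ~/.aws/credentials from disk).
type SharedCredsProvider struct{ File, Profile string }

func (p SharedCredsProvider) Retrieve() (Value, error) {
	v, inProfile := Value{ProviderName: SharedCredsProviderName}, false
	for _, raw := range strings.Split(p.File, "\n") {
		line := strings.TrimSpace(raw)
		if strings.HasPrefix(line, "[") && strings.HasSuffix(line, "]") {
			inProfile = strings.TrimSpace(line[1:len(line)-1]) == p.Profile
			continue
		}
		kv := strings.SplitN(line, "=", 2)
		if !inProfile || len(kv) != 2 || strings.HasPrefix(line, "#") {
			continue
		}
		switch key, val := strings.TrimSpace(kv[0]), strings.TrimSpace(kv[1]); key {
		case "aws_access_key_id":
			v.AccessKeyID = val
		case "aws_secret_access_key":
			v.SecretAccessKey = val
		}
	}
	if v.AccessKeyID == "" || v.SecretAccessKey == "" {
		return Value{}, fmt.Errorf("SharedCredsProvider: profile %q has no static keys", p.Profile)
	}
	return v, nil
}

// WebIdentityStub stands in for the SDK default chain resolving an STS web identity role:
// placeholder temporary keys when the two required variables are set, and no STS call.
type WebIdentityStub struct{ Env map[string]string }

func (p WebIdentityStub) Retrieve() (Value, error) {
	if p.Env["AWS_ROLE_ARN"] == "" || p.Env["AWS_WEB_IDENTITY_TOKEN_FILE"] == "" {
		return Value{}, fmt.Errorf("WebIdentityStub: AWS_ROLE_ARN/AWS_WEB_IDENTITY_TOKEN_FILE not set")
	}
	return Value{"ASIA-PLACEHOLDER", "secret-placeholder", "token-placeholder", WebIdentityProviderName}, nil
}

// CredentialsMode is the Cloud Credential Operator mode ("default", "Mint", "Passthrough", "Manual").
type CredentialsMode string

const ModeManual CredentialsMode = "Manual"

// IsStatic reports whether the keys could be copied into the cluster's credentials secret.
func IsStatic(v Value) bool {
	return v.ProviderName == StaticProviderName || v.ProviderName == EnvProviderName || v.ProviderName == SharedCredsProviderName
}

// LoadCredentials applies the ordering from the bug description: static env and shared-file
// providers first, then the SDK default chain (the web identity stand-in), then the check that
// accepts non-static credentials only in Manual mode, with the verification's FATAL wording.
func LoadCredentials(env map[string]string, credsFile string, mode CredentialsMode) (Value, error) {
	chain := []Provider{EnvProvider{env}, SharedCredsProvider{credsFile, "default"}, WebIdentityStub{env}}
	for _, p := range chain {
		v, err := p.Retrieve()
		if err != nil {
			continue // this provider has nothing; fall through to the next one
		}
		if mode != ModeManual && !IsStatic(v) {
			return Value{}, fmt.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", v.ProviderName, mode)
		}
		return v, nil
	}
	return Value{}, fmt.Errorf("no provider in the chain returned credentials")
}
```

With only AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE set, LoadCredentials rejects the WebIdentityCredentials value in default, Mint and Passthrough mode with the same wording as the FATAL lines in comment 6 and accepts it in Manual mode; when static keys are present in the environment or the shared file they win over the web identity fallback in every mode, which is the ordering the description gives.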

Comment 2 W. Trevor King 2021-05-08 00:57:56 UTC
Greg, can you describe the verification process?

Comment 4 W. Trevor King 2021-05-08 02:12:43 UTC
Or maybe these in-flight docs [1]?

[1]: https://github.com/openshift/openshift-docs/pull/31136/files

Comment 6 wang lin 2021-05-08 04:49:45 UTC
Verified on 4.8.0-fc.3, the results are as expected.

1. non-static credentials with cco in default mode
 ./openshift-install create manifests
......
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by WebIdentityCredentials are not valid for default credentials mode 

2. non-static credentials with cco in Mint mode
 ./openshift-install create manifests
......
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by WebIdentityCredentials are not valid for Mint credentials mode 

3. non-static credentials with cco in Passthrough mode
./openshift-install create manifests
......
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Passthrough credentials mode 

4. non-static credentials with cco in Manual mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider 
INFO Consuming Install Config from target directory 
INFO Manifests created in: manifests and openshift 

##the cluster can be installed successfully with non-static credentials
./openshift-install create cluster --log-level=debug
......
DEBUG   Fetching Ironic bootstrap credentials...   
DEBUG   Reusing previously-fetched Ironic bootstrap credentials 
DEBUG Generating Terraform Variables...            
INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider 
DEBUG Fetching Kubeconfig Admin Client...          
......
DEBUG Time elapsed per stage:                      
DEBUG     Infrastructure: 11m8s                    
DEBUG Bootstrap Complete: 11m40s                   
DEBUG                API: 2s                       
DEBUG  Bootstrap Destroy: 2m27s                    
DEBUG  Cluster Operators: 17m48s                   
DEBUG            Console: 1s                       
INFO Time elapsed: 43m22s

Comment 9 errata-xmlrpc 2021-07-27 23:07:25 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:2438