Currently the installer only supports static credentials from the AWS config/credentials file or the environment for authenticating with AWS. For the default credential modes (mint/passthrough) this restriction makes sense, because the installer transfers those credentials to the cluster to mint/passthrough creds to all the components. For manual mode this restriction can be removed, as the credentials are used only by the installer and the installer's internal components (terraform). This is especially important for allowing users to use STS Web Identity workflows, where the users want the installer to assume a certain role using a specific token specified by env variables or the aws config file.

The new credentials loading loads the previously used env and static credentials provider first; when those are not provided, it uses the AWS SDK's default internal logic to load credentials from all kinds of supported methods.

Now, when the installer tries to create the secret for moving creds to the cluster, it checks if the credentials are static. If the credentials are not static, they are only allowed in manual credentials mode, e.g.:

    FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode

The installer does not configure the terraform aws provider with specific credentials, and since it also has the same behaviour as described above, there should be no problem using these temporary credentials for terraform.

xref: https://issues.redhat.com/browse/CCO-29
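The loading order and the mode check described above, as an added example (not the installer's own code): static env credentials win first, anything else falls through to a stand-in for the SDK's default chain, and the resulting provider name decides whether the credentials may leave the installer. The provider-name strings are copied from aws-sdk-go v1 as an assumption so the example builds without the SDK; the role ARN, token path and key values are constructed placeholders.

```go
package main

import (
	"errors"
	"fmt"
)

// Provider names as reported by aws-sdk-go v1 in credentials.Value.ProviderName.
// Copied here as string literals (assumption) so the example builds without the
// SDK; the two temporary-credential names also appear in the bug's log output.
const (
	StaticProviderName      = "StaticProvider"
	EnvProviderName         = "EnvProvider"
	SharedCredsProviderName = "SharedCredentialsProvider"
	WebIdentityProviderName = "WebIdentityCredentials"
	AssumeRoleProviderName  = "AssumeRoleProvider"
)

// Value mirrors the fields of the SDK's credentials.Value that matter here.
type Value struct {
	AccessKeyID     string
	SecretAccessKey string
	SessionToken    string
	ProviderName    string
}

// CredentialsMode is the cloud-credential-operator mode from install-config.
type CredentialsMode string

const (
	ModeDefault     CredentialsMode = "" // unset in install-config
	ModeMint        CredentialsMode = "Mint"
	ModePassthrough CredentialsMode = "Passthrough"
	ModeManual      CredentialsMode = "Manual"
)

// LoadCredentials models the two-stage loading: the env provider is consulted
// first; only when it yields nothing is the SDK default chain used. The chain is
// passed in as a function (hypothetical stand-in, no real STS call is made).
func LoadCredentials(env map[string]string, defaultChain func() (Value, error)) (Value, error) {
	if id, secret := env["AWS_ACCESS_KEY_ID"], env["AWS_SECRET_ACCESS_KEY"]; id != "" && secret != "" {
		return Value{AccessKeyID: id, SecretAccessKey: secret, SessionToken: env["AWS_SESSION_TOKEN"], ProviderName: EnvProviderName}, nil
	}
	if defaultChain == nil {
		return Value{}, errors.New("no static credentials in the environment and no default chain available")
	}
	return defaultChain()
}

// IsStaticCredentials reports whether the credentials came from a long-lived
// source that the installer could copy into the cluster's credentials secret.
func IsStaticCredentials(v Value) bool {
	switch v.ProviderName {
	case StaticProviderName, EnvProviderName, SharedCredsProviderName:
		return true
	}
	return false
}

// CheckCredentialsForMode applies the rule: temporary (role-assumed) credentials
// are accepted only in Manual mode, where nothing is handed to the cluster.
// The error text follows the format shown in the bug report.
func CheckCredentialsForMode(v Value, mode CredentialsMode) error {
	if IsStaticCredentials(v) || mode == ModeManual {
		return nil
	}
	label := string(mode)
	if label == "" {
		label = "default"
	}
	return fmt.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", v.ProviderName, label)
}

func main() {
	// Constructed environment: no static keys, only the web-identity variables
	// that the SDK default chain would turn into WebIdentityCredentials.
	env := map[string]string{
		"AWS_ROLE_ARN":                "arn:aws:iam::123456789012:role/placeholder-installer-role",
		"AWS_WEB_IDENTITY_TOKEN_FILE": "/var/run/secrets/placeholder-token",
	}
	defaultChain := func() (Value, error) { // stand-in for the SDK chain
		return Value{AccessKeyID: "ASIA-PLACEHOLDER", SecretAccessKey: "placeholder", SessionToken: "placeholder", ProviderName: WebIdentityProviderName}, nil
	}
	creds, err := LoadCredentials(env, defaultChain)
	if err != nil {
		fmt.Println("FATAL", err)
		return
	}
	fmt.Printf("INFO Credentials loaded from the AWS config using %q provider\n", creds.ProviderName)
	for _, mode := range []CredentialsMode{ModeDefault, ModeMint, ModePassthrough, ModeManual} {
		if err := CheckCredentialsForMode(creds, mode); err != nil {
			fmt.Println("FATAL", err)
			continue
		}
		fmt.Printf("INFO mode %q accepted; credentials stay with the installer\n", string(mode))
	}
}
```

Running it prints one FATAL line per non-manual mode with exactly the wording seen in the verification comment below, and accepts Manual. The important property is that the decision keys off the provider name rather than the shape of the credentials: a web-identity session also has an access key, secret and token, so inspecting the fields alone would not tell you they are short-lived.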
Greg, can you describe the verification process?
Possibly [1] is the recommended way to get Security Token Service creds [2] into a new cluster? [1]: https://github.com/openshift/release/blob/7e61829f682e1574513f78c3e94537836d824ab3/ci-operator/step-registry/ipi/conf/aws/oidc-creds/ipi-conf-aws-oidc-creds-commands.sh [2]: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html
Or maybe these in-flight docs [1]? [1]: https://github.com/openshift/openshift-docs/pull/31136/files
[1] looks similar to [2]. Anyhow, enough guessing from me about stuff I don't understand ;) [1]: https://github.com/openshift/enhancements/blob/ce4d303db807622687159eb9d3248285a003fabb/enhancements/cloud-integration/aws/aws-sts-support.md [2]: https://github.com/openshift/release/blob/7e61829f682e1574513f78c3e94537836d824ab3/ci-operator/step-registry/ipi/conf/aws/oidc-creds/ipi-conf-aws-oidc-creds-commands.sh
Verified on 4.8.0-fc.3, the results are as expected.

1. non-static credentials with cco in default mode

    ./openshift-install create manifests
    ......
    FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by WebIdentityCredentials are not valid for default credentials mode

2. non-static credentials with cco in Mint mode

    ./openshift-install create manifests
    ......
    FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by WebIdentityCredentials are not valid for Mint credentials mode

3. non-static credentials with cco in Passthrough mode

    ./openshift-install create manifests
    ......
    FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Passthrough credentials mode

4. non-static credentials with cco in Manual mode

    ./openshift-install create manifests
    INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider
    INFO Consuming Install Config from target directory
    INFO Manifests created in: manifests and openshift

    ## the cluster can be installed successfully with non-static credentials
    ./openshift-install create cluster --log-level=debug
    ......
    DEBUG Fetching Ironic bootstrap credentials...
    DEBUG Reusing previously-fetched Ironic bootstrap credentials
    DEBUG Generating Terraform Variables...
    INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider
    DEBUG Fetching Kubeconfig Admin Client...
    ......
    DEBUG Time elapsed per stage:
    DEBUG     Infrastructure: 11m8s
    DEBUG Bootstrap Complete: 11m40s
    DEBUG                API: 2s
    DEBUG  Bootstrap Destroy: 2m27s
    DEBUG  Cluster Operators: 17m48s
    DEBUG            Console: 1s
    INFO Time elapsed: 43m22s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.8.2 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2021:2438