Bug 1958428 - aws: support more auth options in manual mode
Summary: aws: support more auth options in manual mode
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.7
Hardware: Unspecified
OS: Unspecified
Priority: urgent
Severity: urgent
Target Milestone: ---
Target Release: 4.7.z
Assignee: aos-install
QA Contact: wang lin
URL:
Whiteboard:
Depends On: 1958424
Blocks:
Reported: 2021-05-07 21:41 UTC by W. Trevor King
Modified: 2021-05-19 15:17 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of: 1958424
Environment:
Last Closed: 2021-05-19 15:17:15 UTC
Target Upstream Version:
Embargoed:




Links
Github openshift installer pull 4914 - Status: closed - Summary: Bug 1958428: aws: support more auth options in manual mode - Last Updated: 2021-05-10 15:50:43 UTC
Red Hat Product Errata RHBA-2021:1550 - Last Updated: 2021-05-19 15:17:39 UTC

Description W. Trevor King 2021-05-07 21:41:41 UTC
+++ This bug was initially created as a clone of Bug #1958424 +++

Currently the installer only supports static credentials from the
AWS config/credentials file or the environment for authenticating with AWS.

For the default credential modes (mint/passthrough) this restriction makes
sense because the installer transfers those credentials to the cluster to mint/
passthrough creds to all the components.

For manual mode this restriction can be removed, as the credentials are used only
by the installer and the installer's internal components (terraform). This is especially
important for allowing users to use the STS Webhook identity work, where the users want the
installer to assume a certain role using a specific token specified by env variables or
the aws config file.

The new credentials loading:

- loads the previously used env and static credentials providers first,
- when none is provided, it uses the AWS SDK's default internal logic to load credentials
  from all kinds of supported methods.

Now, when the installer tries to create the secret for moving the creds into the cluster, it checks if
the credentials are static. If the credentials are not static, they are only allowed in the manual
credentials mode, like:

FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode
The installer does not configure the terraform aws provider with specific credentials, and since
it also has the same behaviour as described above, there should be no problem using these temporary
credentials for terraform.

xref: https://issues.redhat.com/browse/CCO-29

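The gate described above, as an added Go example (not the installer's own code from pull 4914): the provider names are the ones aws-sdk-go v1 reports in credentials.Value.ProviderName, while treating exactly three of them as "static" and the mode strings ("" for default, Mint, Passthrough, Manual) are assumptions modelled on the description and on the messages quoted in this bug.

```go
package main

import "fmt"

// Provider names as aws-sdk-go v1 reports them in credentials.Value.ProviderName,
// copied as constants so this runs without the SDK. Treating exactly these three
// as "static" is this example's assumption, modelled on the bug description.
const (
	staticProvider      = "StaticProvider"            // credentials.NewStaticCredentials
	envProvider         = "EnvConfigCredentials"      // AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY
	sharedCredsProvider = "SharedCredentialsProvider" // keys from an ~/.aws/credentials profile
)

// isStatic reports whether the provider hands out long-lived access keys that
// could be copied into the cluster's root credentials secret. Anything else
// (AssumeRoleProvider, WebIdentityCredentials, ...) is a temporary session.
func isStatic(providerName string) bool {
	switch providerName {
	case staticProvider, envProvider, sharedCredsProvider:
		return true
	}
	return false
}

// checkCredentialsForMode is the gate described in the bug. mode is the
// credentialsMode from install-config ("" meaning default). In Manual mode the
// credentials only reach the installer and terraform, so any provider is fine;
// in every other mode they are transferred to the cluster, so only static ones pass.
func checkCredentialsForMode(providerName, mode string) error {
	if mode == "Manual" || isStatic(providerName) {
		return nil
	}
	if mode == "" {
		mode = "default"
	}
	return fmt.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", providerName, mode)
}

func main() {
	// Constructed scenarios mirroring the verification runs in Comment 2.
	for _, c := range []struct{ provider, mode string }{
		{"AssumeRoleProvider", ""}, {"AssumeRoleProvider", "Mint"},
		{"AssumeRoleProvider", "Passthrough"}, {"WebIdentityCredentials", "Manual"},
	} {
		if err := checkCredentialsForMode(c.provider, c.mode); err != nil {
			fmt.Println("FATAL", err)
			continue
		}
		fmt.Printf("INFO %s credentials accepted in %q mode\n", c.provider, c.mode)
	}
}
```
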
Comment 2 wang lin 2021-05-08 07:44:12 UTC
Verified on 4.7.0-0.nightly-2021-05-08-023036
./openshift-install version
./openshift-install 4.7.0-0.nightly-2021-05-08-023036
built from commit 4861ba52c8eecb95ad077cf62864b83e26705aa3
release image registry.ci.openshift.org/ocp/release@sha256:2fc1c0015c72d060a0ca85c1759a1bd215649b76a5a7de9f355a7003207c46d6

1. non-static credentials with cco in default mode
 ./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider 
INFO Consuming Install Config from target directory 
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode 


2. non-static credentials with cco in Mint mode
  ./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider 
INFO Consuming Install Config from target directory 
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Mint credentials mode 
 

3. non-static credentials with cco in Passthrough mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider 
INFO Consuming Install Config from target directory 
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Passthrough credentials mode 

4. non-static credentials with cco in Manual mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider 
INFO Consuming Install Config from target directory 
INFO Manifests created in: manifests and openshift 

##the cluster can be installed successfully with non-static credentials
./openshift-install create cluster --log-level=debug
DEBUG OpenShift Installer 4.7.0-0.nightly-2021-05-08-023036 
DEBUG Built from commit 4861ba52c8eecb95ad077cf62864b83e26705aa3 
......
DEBUG Generating Terraform Variables...            
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider 
DEBUG Fetching Kubeconfig Admin Client...          
DEBUG Loading Kubeconfig Admin Client...           
......
DEBUG Time elapsed per stage:                      
DEBUG     Infrastructure: 10m33s                   
DEBUG Bootstrap Complete: 12m59s                   
DEBUG                API: 1s                       
DEBUG  Bootstrap Destroy: 2m29s                    
DEBUG  Cluster Operators: 17m29s                   
INFO Time elapsed: 43m49s

Comment 5 errata-xmlrpc 2021-05-19 15:17:15 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1550

