+++ This bug was initially created as a clone of Bug #1958424 +++

Currently the installer only supports static credentials from the AWS config/credentials file or environment for authenticating with AWS. For the default credential modes (mint/passthrough) this restriction makes sense because the installer transfers those credentials to the cluster to mint/passthrough creds to all the components. For manual mode this restriction can be removed, as the credentials are used only by the installer and the installer's internal components (terraform). This is especially important for allowing users to use STS Webhook identity work, where the users want the installer to assume a certain role using a specific token specified by env variables or the aws config file.

The new credentials loading loads the previously used env and static credentials provider first; when not provided, it uses the AWS SDK's default internal logic to load credentials from all kinds of supported methods.

Now, when the installer tries to create the secret for moving creds to the secret, it checks if the credentials are static. If the credentials are not static, these are only allowed in manual credentials mode, like:

FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode

The installer does not configure the terraform aws provider with specific credentials, and since it also has the same behaviour as described above there should be no problem using these temporary credentials for terraform.

xref: https://issues.redhat.com/browse/CCO-29
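The gate described above, modelled in Go as an added example (this is not the installer's own code): the credentials mode decides whether creds will be copied into the cluster, and only long-lived (static) providers are accepted when they will. The static provider names are the ProviderName strings of aws-sdk-go v1 (StaticProvider, EnvConfigCredentials, SharedCredentialsProvider); LoadedCredentials is an assumed simplification of the SDK's credentials.Value.

```go
package main

import "fmt"

// Credentials modes as named in the installer log lines on this page.
const (
	ModeDefault     = "default"
	ModeMint        = "Mint"
	ModePassthrough = "Passthrough"
	ModeManual      = "Manual"
)

// LoadedCredentials is an assumed simplification of aws-sdk-go v1
// credentials.Value: only the provider name matters for the gate.
type LoadedCredentials struct {
	ProviderName string
	SessionToken string // non-empty for temporary (STS) credentials
}

// staticProviders are the aws-sdk-go v1 ProviderName values for the
// env/config sources the installer accepted before this change.
var staticProviders = map[string]bool{
	"StaticProvider":            true,
	"EnvConfigCredentials":      true,
	"SharedCredentialsProvider": true,
}

// IsStatic reports whether the credentials came from a long-lived source
// rather than a role assumption or web identity exchange.
func (c LoadedCredentials) IsStatic() bool { return staticProviders[c.ProviderName] }

// NeedsClusterSecret says whether the installer would copy these credentials
// into the cluster; that copy is why non-Manual modes require static creds.
func NeedsClusterSecret(mode string) bool { return mode != ModeManual }

// CheckMode is the gate from the bug: temporary credentials are only
// acceptable when they stay with the installer, i.e. in Manual mode.
func CheckMode(c LoadedCredentials, mode string) error {
	if !NeedsClusterSecret(mode) || c.IsStatic() {
		return nil
	}
	return fmt.Errorf("AWS credentials provided by %s are not valid for %s credentials mode", c.ProviderName, mode)
}

func main() {
	// Constructed sample: role-assumed creds as reported by the SDK.
	sts := LoadedCredentials{ProviderName: "AssumeRoleProvider", SessionToken: "constructed-token"}
	for _, m := range []string{ModeDefault, ModeMint, ModePassthrough, ModeManual} {
		fmt.Printf("%-11s secret=%-5v err=%v\n", m, NeedsClusterSecret(m), CheckMode(sts, m))
	}
}
```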
Verified on 4.7.0-0.nightly-2021-05-08-023036

./openshift-install version
./openshift-install 4.7.0-0.nightly-2021-05-08-023036
built from commit 4861ba52c8eecb95ad077cf62864b83e26705aa3
release image registry.ci.openshift.org/ocp/release@sha256:2fc1c0015c72d060a0ca85c1759a1bd215649b76a5a7de9f355a7003207c46d6

1. non-static credentials with cco in default mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider
INFO Consuming Install Config from target directory
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for default credentials mode

2. non-static credentials with cco in Mint mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider
INFO Consuming Install Config from target directory
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Mint credentials mode

3. non-static credentials with cco in Passthrough mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider
INFO Consuming Install Config from target directory
FATAL failed to fetch Openshift Manifests: failed to generate asset "Openshift Manifests": AWS credentials provided by AssumeRoleProvider are not valid for Passthrough credentials mode

4. non-static credentials with cco in Manual mode
./openshift-install create manifests
INFO Credentials loaded from the AWS config using "WebIdentityCredentials" provider
INFO Consuming Install Config from target directory
INFO Manifests created in: manifests and openshift

## the cluster can be installed successfully with non-static credentials
./openshift-install create cluster --log-level=debug
DEBUG OpenShift Installer 4.7.0-0.nightly-2021-05-08-023036
DEBUG Built from commit 4861ba52c8eecb95ad077cf62864b83e26705aa3
......
DEBUG Generating Terraform Variables...
INFO Credentials loaded from the AWS config using "AssumeRoleProvider" provider
DEBUG Fetching Kubeconfig Admin Client...
DEBUG Loading Kubeconfig Admin Client...
......
DEBUG Time elapsed per stage:
DEBUG     Infrastructure: 10m33s
DEBUG Bootstrap Complete: 12m59s
DEBUG                API: 1s
DEBUG  Bootstrap Destroy: 2m29s
DEBUG  Cluster Operators: 17m29s
INFO Time elapsed: 43m49s
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (OpenShift Container Platform 4.7.11 bug fix update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHBA-2021:1550