Bug 1974640 - When installing on AWS, AWS_SHARED_CREDENTIALS_FILE is only obeyed for reading and not for writing credentials
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Installer
Version: 4.8
Hardware: Unspecified
OS: Unspecified
Priority: low
Severity: low
Target Milestone: ---
Target Release: 4.9.0
Assignee: Aditya Narayanaswamy
QA Contact: Yunfei Jiang
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-06-22 08:38 UTC by Pierre Prinetti
Modified: 2021-10-18 17:36 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
When AWS_SHARED_CREDENTIALS_FILE is pointing to an empty file, the installer asks the user for credentials and creates a file at location "~/.aws/credentials" irrespective of what is mentioned in the AWS_SHARED_CREDENTIALS_FILE location. Adding a fix that will create a new file in the location specified in the given env variable. This fix does not create a file if the location specified has a file with invalid credentials and asks the user to change the location as a safety measure to prevent overwriting user data.
Clone Of:
Environment:
Last Closed: 2021-10-18 17:35:57 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift installer pull 5155 0 None None None 2021-08-18 14:46:23 UTC
Red Hat Product Errata RHSA-2021:3759 0 None None None 2021-10-18 17:36:22 UTC

Description Pierre Prinetti 2021-06-22 08:38:10 UTC
Version:

$ openshift-install version
openshift-install-linux-4.9.0-0.nightly-2021-06-21-191858 4.9.0-0.nightly-2021-06-21-191858
built from commit e1e4b2aa57f29878ae8bc1ccf29a567bd8acaf22
release image quay.io/openshift-release-dev/ocp-release-nightly@sha256:09ded6a9b902067c1f2f43125d1343d3fde9e2212bb57a0964d4ca3154884409

Platform:

AWS - IPI

What happened?

When AWS_SHARED_CREDENTIALS_FILE is set to an empty file or an invalid path, the credentials collected through the interactive installer prompt (`openshift-install create install-config`) are written to ~/.aws/credentials, possibly overwriting what is there already.

What did you expect to happen?

I expected AWS_SHARED_CREDENTIALS_FILE to either be ignored, or fully supported.
Since credentials are read from $AWS_SHARED_CREDENTIALS_FILE, they should also be written to $AWS_SHARED_CREDENTIALS_FILE.

How to reproduce it (as minimally and precisely as possible)?

Note that before running the following commands, ~/.aws/credentials contains valid credentials. The prompt asks for new credentials because AWS_SHARED_CREDENTIALS_FILE is set to point to a non-existent path.

$ export AWS_SHARED_CREDENTIALS_FILE=$PWD/creds
$ openshift-install create install-config
? Platform aws
? AWS Access Key ID 123123
? AWS Secret Access Key [? for help] ******
INFO Writing AWS credentials to "/var/home/pierre/.aws/credentials" (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)
[...]
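
Added example, not part of the original report and not the installer's code: a Go sketch of the behaviour requested above and summarised in the Doc Text, where the write path is resolved from AWS_SHARED_CREDENTIALS_FILE exactly like the read path and a file that already has content is refused rather than overwritten. The names credentialsPath, writeCredentials and ErrExists, and the choice to treat any non-empty file as off-limits, are assumptions of this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

var ErrExists = errors.New("credentials file has content; choose another location") // returned instead of overwriting

// credentialsPath picks the write target the way the read side does: env var, then ~/.aws/credentials.
func credentialsPath() (string, error) {
	if p := os.Getenv("AWS_SHARED_CREDENTIALS_FILE"); p != "" {
		return p, nil
	}
	home, err := os.UserHomeDir()
	return filepath.Join(home, ".aws", "credentials"), err
}

// writeCredentials creates the file only when it is missing or empty.
func writeCredentials(keyID, secret string) (string, error) {
	path, err := credentialsPath()
	if err != nil {
		return "", err
	}
	if fi, err := os.Stat(path); err == nil && fi.Size() > 0 {
		return path, ErrExists
	}
	if err := os.MkdirAll(filepath.Dir(path), 0o700); err != nil {
		return path, err
	}
	f, err := os.OpenFile(path, os.O_WRONLY|os.O_CREATE|os.O_TRUNC, 0o600)
	if err != nil {
		return path, err
	}
	defer f.Close()
	if err := f.Chmod(0o600); err != nil { // an existing empty file keeps its old mode
		return path, err
	}
	_, err = fmt.Fprintf(f, "[default]\naws_access_key_id     = %s\naws_secret_access_key = %s\n", keyID, secret)
	return path, err
}

func main() {
	dir, _ := os.MkdirTemp("", "creds-demo") // scratch directory, constructed for the demo
	os.Setenv("AWS_SHARED_CREDENTIALS_FILE", filepath.Join(dir, "creds"))
	fmt.Println(writeCredentials("EXAMPLEKEYID", "example-secret")) // created at the env path
	fmt.Println(writeCredentials("EXAMPLEKEYID", "example-secret")) // refused: file has content
}
```

The mode is tightened before the secret is written because an empty file that already exists may have been created with wider permissions than 0600.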

Comment 1 Etienne Simard 2021-06-22 18:44:24 UTC
This has been reviewed, and we will target a fix after the feature freeze.

Comment 2 Russell Teague 2021-07-12 18:30:20 UTC
Will address this in a future sprint.

Comment 3 Russell Teague 2021-08-02 17:58:35 UTC
Needs prioritized.

Comment 5 Yunfei Jiang 2021-08-26 02:16:32 UTC
verified. PASS.
OCP version:4.9.0-0.nightly-2021-08-25-185404

> non-exist AWS_SHARED_CREDENTIALS_FILE

export AWS_SHARED_CREDENTIALS_FILE=/tmp/non-exist-file
./openshift-install create install-config --dir cluster2
? SSH Public Key /home/cloud-user/.ssh/openshift-qe.pub
? Platform aws
? AWS Access Key ID aaa
? AWS Secret Access Key [? for help] ***
INFO Writing AWS credentials to "/tmp/non-exist-file" (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)

cat /tmp/non-exist-file
; https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html
[default]
aws_access_key_id     = aaa
aws_secret_access_key = bbb


> empty AWS_SHARED_CREDENTIALS_FILE
export AWS_SHARED_CREDENTIALS_FILE=
./openshift-install create install-config --dir cluster4
? SSH Public Key /home/cloud-user/.ssh/openshift-qe.pub
? Platform aws
INFO Credentials loaded from the "default" profile in file "/home/cloud-user/.aws/credentials"


> invalid ini file
export AWS_SHARED_CREDENTIALS_FILE=/tmp/invalid-cred
./openshift-install create install-config --dir cluster5
? SSH Public Key /home/cloud-user/.ssh/openshift-qe.pub
? Platform aws
? AWS Access Key ID assss
? AWS Secret Access Key [? for help] *******
INFO Writing AWS credentials to "/tmp/invalid-cred" (https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-files.html)


cat /tmp/in-valid-cred
aws_access_key_id     = AKIA
aws_secret_access_key = H0/6

[default]
aws_access_key_id     = assss
aws_secret_access_key = sasdasd

Comment 8 errata-xmlrpc 2021-10-18 17:35:57 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.9.0 bug fix and security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2021:3759

