Description of problem:
See https://github.com/kubernetes/kubernetes/pull/104314#issue-709659173

Version-Release number of selected component (if applicable):
4.8

How reproducible:
Always

Steps to Reproduce:
1.
2.
3.

Actual results:
role_arn and web_identity_token_file are not used by the custom AWS credential chain defined by the in-tree cloud provider.

Expected results:
Default credential chain is used and web identity credentials work.

Additional info:
A number of customers want to run OCP with only STS credentials (no user access IDs/keys). This is recommended by AWS. Hypershift is doing this. OCP can't run in STS-only mode until this is fixed.
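An added helper for confirming which credential form a cluster's AWS credentials carry (this is example code written for this page, not from the bug report or the OpenShift project). It assumes the decoded secret data is an INI-style AWS shared-credentials file; the profile contents below are constructed placeholders. A profile counts as STS/web-identity only when it has role_arn and web_identity_token_file and no long-lived access keys, which is the "STS-only" state the report asks for.

```python
import base64
import configparser

# Constructed sample: decoded credentials data in STS/web-identity form.
SAMPLE_STS_CREDENTIALS = """\
[default]
role_arn = arn:aws:iam::123456789012:role/example-kcm-role
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
"""

# Constructed sample: the legacy static-key form (placeholder values).
SAMPLE_STATIC_CREDENTIALS = """\
[default]
aws_access_key_id = AKIAEXAMPLEEXAMPLE
aws_secret_access_key = EXAMPLESECRETEXAMPLESECRET
"""

# The same STS sample as it would appear base64-encoded in a secret's data.
SAMPLE_STS_SECRET_B64 = base64.b64encode(SAMPLE_STS_CREDENTIALS.encode()).decode()

STATIC_KEYS = ("aws_access_key_id", "aws_secret_access_key")
WEB_IDENTITY_KEYS = ("role_arn", "web_identity_token_file")


def classify_profile(section: configparser.SectionProxy) -> str:
    """Classify one credentials profile by the keys it carries."""
    has_static = all(k in section for k in STATIC_KEYS)
    has_web_identity = all(k in section for k in WEB_IDENTITY_KEYS)
    if has_static and has_web_identity:
        return "mixed"          # long-lived keys present alongside STS config
    if has_static:
        return "static-keys"
    if has_web_identity:
        return "web-identity"
    return "incomplete"         # e.g. role_arn without a token file


def classify_credentials(ini_text: str) -> dict:
    """Parse a shared-credentials file and classify every profile in it."""
    parser = configparser.ConfigParser()
    parser.read_string(ini_text)
    return {name: classify_profile(parser[name]) for name in parser.sections()}


def classify_secret_data(b64_credentials: str) -> dict:
    """Classify the base64 value taken from a secret's data field."""
    return classify_credentials(base64.b64decode(b64_credentials).decode())


def is_sts_only(ini_text: str) -> bool:
    """True only if every profile relies on web identity and none has static keys."""
    kinds = classify_credentials(ini_text)
    return bool(kinds) and all(k == "web-identity" for k in kinds.values())
```

To run it against a live cluster, decode the secret's credentials data (for example the base64 value from the YAML output) and pass it to classify_secret_data.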
The bug has been fixed with https://github.com/openshift/kubernetes/pull/927
Do we need to check - oc get secrets aws-cloud-credentials -n openshift-machine-api -o yaml - to confirm? Or is the check in comment #4 good?
This fix allows the KCM to use STS credentials. There is currently no support for this in standalone OCP as the KCM does not use the CCO to obtain credentials; it obtains access to AWS through the master instance role. This is being done to support Hypershift, where the KCM runs on an instance in one AWS account, but must have privileges in another AWS account.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056