Description of problem:
The CCO currently will generate specific resourceGroup access, via policies, for IBM Cloud. However, the attributes incorrectly map the resourceGroupId to a generic resource, when it should be mapped to a resourceGroupId. This does not properly grant access to the resourceGroup as expected.

Version-Release number of selected component (if applicable): 4.10

How reproducible: Consistently, using minimal IAM permissions (some components still use broad IAM permissions, but we are planning to change to minimal permissions).

Steps to Reproduce:
Generate the Secrets from CredentialsRequests. In this case, a set of minimum IAM permissions was targeted for testing: https://github.com/openshift/cluster-image-registry-operator/pull/716

`$ ccoctl ibmcloud create-shared-secrets --credentials-requests-dir=... --output-dir=...`

Actual results:
```
{
  "attributes": [
    {
      "name": "accountId",
      "value": "my-account-id"
    },
    {
      "name": "resourceType",
      "value": "resource-group"
    },
    {
      "name": "resourceGroupId",
      "value": "my-resource-group-id"
    }
  ]
}
```

Expected results:
```
{
  "attributes": [
    {
      "name": "accountId",
      "value": "my-account-id"
    },
    {
      "name": "resourceType",
      "value": "resource-group"
    },
    {
      "name": "resource",
      "value": "my-resource-group-id"
    }
  ]
}
```

Additional info:
IBM Cloud has produced a PR to address this issue: https://github.com/openshift/cloud-credential-operator/pull/385
Hi Manjunath, I am new to IBM Cloud. When I run the command `$ ccoctl ibmcloud create-shared-secrets --credentials-requests-dir=... --output-dir=... --resource-group-name=ccotest-rg`, the output is like below; I can't find an attribute with name resourceType and value resource-group. Could you show me more info on how to reproduce or verify this issue?

```
{
  "attributes": [
    {
      "name": "serviceName",
      "value": "power-iaas",
      "operator": "stringEquals"
    },
    {
      "name": "resourceGroupId",
      "value": "7e8025a578aa4a0a90XXXXXXXX",
      "operator": "stringEquals"
    },
    {
      "name": "accountId",
      "value": "fdc2e14cf8bc4d53XXXXXXXX",
      "operator": "stringEquals"
    }
  ]
}
```
As mentioned here https://github.com/openshift/cloud-credential-operator/pull/385#pullrequestreview-759283773, this issue happens only for the attribute type resource-group. You can use the following CR to test this:

```
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: cred1
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: IBMCloudProviderSpec
    policies:
    - roles:
      - "crn:v1:bluemix:public:iam::::serviceRole:Manager"
      - "crn:v1:bluemix:public:iam::::role:Editor"
      - "crn:v1:bluemix:public:iam::::role:Viewer"
      attributes:
      - name: "serviceName"
        value: "is"
    - roles:
      - "crn:v1:bluemix:public:iam::::role:Viewer"
      - "crn:v1:bluemix:public:iam::::role:Operator"
      attributes:
      - name: "resourceType"
        value: "resource-group"
  secretRef:
    namespace: openshift-machine-api
    name: ibm-cred-4
```

Note: it contains `resource-group` in the second policy.
Thanks Manjunath. Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-22-030936 with this fix; the output is as expected.

```
{
  "attributes": [
    {
      "name": "resourceType",
      "value": "resource-group",
      "operator": "stringEquals"
    },
    {
      "name": "resource",
      "value": "7e8025a578aa4a0a9XXXXXX",
      "operator": "stringEquals"
    },
    {
      "name": "accountId",
      "value": "fdc2e14cf8bc4d53aXXXXXX",
      "operator": "stringEquals"
    }
  ]
}
```

Using an image without this fix, registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2021-09-19-144306, it shows the below:

```
{
  "attributes": [
    {
      "name": "resourceType",
      "value": "resource-group",
      "operator": "stringEquals"
    },
    {
      "name": "resourceGroupId",
      "value": "7e8025a578aa4a0XXXXXXXXXX",
      "operator": "stringEquals"
    },
    {
      "name": "accountId",
      "value": "fdc2e14cf8bc4dXXXXXXXXXX",
      "operator": "stringEquals"
    }
  ]
}
```
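As an added example, not code from the cloud-credential-operator project or from any commenter above: a small Go check that parses one generated policy's attribute list and distinguishes the fixed output (resource group ID under `resource`) from the pre-fix output (ID under `resourceGroupId`), while leaving service-scoped policies such as the power-iaas one alone. The type and function names are assumptions, and the sample input is constructed.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Attribute is one entry of the "attributes" array in a generated
// IBM Cloud IAM policy, the shape shown in the outputs above.
type Attribute struct {
	Name  string `json:"name"`
	Value string `json:"value"`
}

// Policy is the part of a generated policy this check inspects.
type Policy struct {
	Attributes []Attribute `json:"attributes"`
}

// CheckResourceGroupScope (hypothetical name) parses one generated policy.
// For resourceType=resource-group it expects the resource group ID in the
// "resource" attribute (fixed output); it reports ok=false with a reason when
// the ID sits in resourceGroupId (pre-fix output) or is missing entirely.
func CheckResourceGroupScope(raw []byte) (bool, string, error) {
	var p Policy
	if err := json.Unmarshal(raw, &p); err != nil {
		return false, "", err
	}
	attrs := map[string]string{}
	for _, a := range p.Attributes {
		attrs[a.Name] = a.Value
	}
	if attrs["resourceType"] != "resource-group" {
		return true, "policy is not resource-group scoped", nil
	}
	if id := attrs["resource"]; id != "" {
		return true, "resource group " + id + " is scoped via the resource attribute", nil
	}
	if id, present := attrs["resourceGroupId"]; present {
		return false, "resource group " + id + " is in resourceGroupId, but with resourceType=resource-group IAM expects it in resource (pre-fix CCO output)", nil
	}
	return false, "resourceType=resource-group but no resource attribute names a resource group", nil
}

func main() {
	// Constructed sample mirroring the pre-fix output quoted above.
	buggy := []byte(`{"attributes":[{"name":"resourceType","value":"resource-group"},{"name":"resourceGroupId","value":"my-resource-group-id"},{"name":"accountId","value":"my-account-id"}]}`)
	ok, reason, err := CheckResourceGroupScope(buggy)
	fmt.Println(ok, reason, err)
}
```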
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056