Bug 2015133 - [IBMCLOUD] ServiceID API key credentials seems to be insufficient for ccoctl '--resource-group-name' parameter
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: OpenShift Container Platform
Classification: Red Hat
Component: Cloud Credential Operator
Version: 4.10
Hardware: x86_64
OS: Unspecified
medium
low
Target Milestone: ---
: 4.10.0
Assignee: Nobody
QA Contact: wang lin
URL:
Whiteboard:
Depends On:
Blocks:
Reported: 2021-10-18 13:34 UTC by Pedro Amoedo
Modified: 2022-03-12 04:39 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2022-03-12 04:39:16 UTC
Target Upstream Version:
Embargoed:


Links
System ID Private Priority Status Summary Last Updated
Github openshift cloud-credential-operator pull 402 0 None open Bug 2015133: populate accountID when listing resource groups 2021-10-18 13:58:58 UTC
Red Hat Product Errata RHSA-2022:0056 0 None None None 2022-03-12 04:39:32 UTC

Description Pedro Amoedo 2021-10-18 13:34:05 UTC
Description of problem:

"ccoctl" fails to create the corresponding "service-ids" when using a serviceID API key, example:

~~~
$ ./ccoctl ibmcloud create-service-id --name="${infraID}" --credentials-requests-dir="cco-creds" --resource-group-name="${resourceGN}" --output-dir="cco-mnfst"
Error: Failed to getResourceGroupID: Failed to list resource groups for the name: pamoedo-ibmtest10-rn2q5: Can not get resource groups without account id in parameter by service id token
~~~

NOTE: The ServiceID API key already has "Power Users" access group with default "Access policies" in place.

Version-Release number of selected component (if applicable):

'ccoctl' binary extracted from release 4.10.0-0.nightly

How reproducible:


Steps to Reproduce:
1. Extract "ccoctl" binary from the cloud-credential-operator container from the corresponding release image.
2. Extract the "CredentialsRequest" from the OCP release image.
3. Set "IC_API_KEY" env variable using the serviceID API key.
4. Execute "ccoctl" binary for ibmcloud variant.

Reference doc: https://docs.openshift.com/container-platform/4.9/authentication/managing_cloud_provider_credentials/cco-mode-sts.html#cco-mode-sts

Actual results:

Command execution fails.

Expected results:

Command should also work when using optional but recommended parameter "--resource-group-name" when using serviceID API key, not only with user-based API keys.

Comment 1 Pedro Amoedo 2021-10-18 13:35:39 UTC
Additional info:

This BZ was raised to properly support https://github.com/openshift/cloud-credential-operator/issues/401

Best Regards.

Comment 2 wang lin 2021-10-19 03:37:36 UTC
Verified using cluster-bot image with the PR merged.

1. create a service id and key
2. use the above service id key to run ccoctl create-service-id; without this fix, ccoctl will hit the following error
###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid --output-dir ibmsecret --resource-group-name ccotest-rg
Failed to getResourceGroupID: Failed to list resource groups for the name: ccotest-rg: Can not get resource groups without account id in parameter by service id token
###
3. with the fix, the creation command can succeed.
###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid-2 --output-dir ibmsecret --resource-group-name ccotest-rg
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-machine-api-ibmcloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
###
4. $ ibmcloud iam service-ids | grep lwan-ibm-svcid-2
ServiceId-04d3605c-9427-4753-96ab-9bdc88d70091   lwan-ibm-svcid-2-openshift-cloud-controller-manager-ibm-cloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-2c609331-7f8b-4266-b85e-e7123894992e   lwan-ibm-svcid-2-openshift-image-registry-installer-cloud-credentials       2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-5ba74172-f37c-4b21-8036-7e28a015b32d   lwan-ibm-svcid-2-openshift-ingress-operator-cloud-credentials               2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false   
ServiceId-4f16c16f-5cb8-48b8-9d97-866dbf38e2df   lwan-ibm-svcid-2-openshift-machine-api-ibmcloud-credentials                 2021-10-19T03:06+0000   2021-10-19T03:06+0000                 false
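
The failure above and the fix named in the linked pull request title ("populate accountID when listing resource groups"), modelled as an added Go example that is not the cloud-credential-operator's code. `cloud`, `listGroup`, `groupIDAfter` and the sample keys and IDs are constructed stand-ins for the IBM Cloud APIs; that a user key implies its account is an assumption drawn from the report's statement that user-based API keys work.

```go
package main

import "fmt"

// errNoAccount carries the error text quoted in this bug report.
var errNoAccount = fmt.Errorf("Can not get resource groups without account id in parameter by service id token")

// cloud is a constructed in-memory stand-in for the IBM Cloud APIs (hypothetical, not the SDK).
type cloud struct {
	account   map[string]string            // API key -> owning account ID
	serviceID map[string]bool              // API keys that belong to a service ID
	groups    map[string]map[string]string // account ID -> resource group name -> group ID
}

// demo is constructed sample data: one account, one user key, one service ID key.
var demo = cloud{
	account:   map[string]string{"user-key": "acct-1", "svc-key": "acct-1"},
	serviceID: map[string]bool{"svc-key": true},
	groups:    map[string]map[string]string{"acct-1": {"ccotest-rg": "rg-0001"}},
}

// listGroup models the listing call: a user key implies its account (assumption),
// while a service ID key must be accompanied by an explicit account ID.
func (c cloud) listGroup(key, accountID, name string) (string, error) {
	if accountID == "" {
		if c.serviceID[key] {
			return "", errNoAccount
		}
		accountID = c.account[key]
	}
	if id, ok := c.groups[accountID][name]; ok {
		return id, nil
	}
	return "", fmt.Errorf("resource group %q not found", name)
}

// groupIDAfter resolves the key's account first and passes it explicitly,
// so the lookup behaves the same for user keys and service ID keys.
func groupIDAfter(c cloud, key, name string) (string, error) {
	if acct, ok := c.account[key]; ok {
		return c.listGroup(key, acct, name)
	}
	return "", fmt.Errorf("unknown API key")
}

func main() {
	_, err := demo.listGroup("svc-key", "", "ccotest-rg") // before: account ID omitted
	id, _ := groupIDAfter(demo, "svc-key", "ccotest-rg")  // after: account ID populated
	fmt.Println(err, id)
}
```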

Comment 5 wang lin 2021-10-20 01:53:08 UTC
Moved to VERIFIED manually.

Comment 9 errata-xmlrpc 2022-03-12 04:39:16 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2022:0056

