Description of problem:

"ccoctl" fails to create the corresponding "service-ids" when using a serviceID API key, example:

~~~
$ ./ccoctl ibmcloud create-service-id --name="${infraID}" --credentials-requests-dir="cco-creds" --resource-group-name="${resourceGN}" --output-dir="cco-mnfst"
Error: Failed to getResourceGroupID: Failed to list resource groups for the name: pamoedo-ibmtest10-rn2q5: Can not get resource groups without account id in parameter by service id token
~~~

NOTE: The ServiceID API key already has "Power Users" access group with default "Access policies" in place.

Version-Release number of selected component (if applicable):
'ccoctl' binary extracted from release 4.10.0-0.nightly

How reproducible:

Steps to Reproduce:
1. Extract "ccoctl" binary from the cloud-credential-operator container from the corresponding release image.
2. Extract the "CredentialsRequest" from the OCP release image.
3. Set "IC_API_KEY" env variable using the serviceID API key.
4. Execute "ccoctl" binary for ibmcloud variant.

Reference doc: https://docs.openshift.com/container-platform/4.9/authentication/managing_cloud_provider_credentials/cco-mode-sts.html#cco-mode-sts

Actual results:
Command execution fails.

Expected results:
Command should also work when using optional but recommended parameter "--resource-group-name" when using serviceID API key, not only with user-based API keys.

Additional info:
This BZ was raised to properly support https://github.com/openshift/cloud-credential-operator/issues/401

Best Regards.
Verified using cluster-bot image with the PR merged.

1. create a service id and key

2. using above service id key to run ccoctl create-service-id, without this fix, ccoctl will hit the following error

###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid --output-dir ibmsecret --resource-group-name ccotest-rg
Failed to getResourceGroupID: Failed to list resource groups for the name: ccotest-rg: Can not get resource groups without account id in parameter by service id token
###

3. with the fix, the creation command can succeed.

###
$./ccoctl ibmcloud create-service-id --credentials-requests-dir ../credrequests-ibm --name lwan-ibm-svcid-2 --output-dir ibmsecret --resource-group-name ccotest-rg
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-cloud-controller-manager-ibm-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-machine-api-ibmcloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2021/10/19 11:06:45 Saved credentials configuration to: ibmsecret/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
###

4.

###
$ ibmcloud iam service-ids | grep lwan-ibm-svcid-2
ServiceId-04d3605c-9427-4753-96ab-9bdc88d70091   lwan-ibm-svcid-2-openshift-cloud-controller-manager-ibm-cloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000   false
ServiceId-2c609331-7f8b-4266-b85e-e7123894992e   lwan-ibm-svcid-2-openshift-image-registry-installer-cloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000   false
ServiceId-5ba74172-f37c-4b21-8036-7e28a015b32d   lwan-ibm-svcid-2-openshift-ingress-operator-cloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000   false
ServiceId-4f16c16f-5cb8-48b8-9d97-866dbf38e2df   lwan-ibm-svcid-2-openshift-machine-api-ibmcloud-credentials   2021-10-19T03:06+0000   2021-10-19T03:06+0000   false
###
move to VERIFIED manually.
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056