Description: When using ccoctl to create resources on aws and gcp with some of the resources already existing, it will use the existing ones on aws; conversely, it will throw an error on gcp.

###gcp###
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0105 --project openshift-qe --region us-central1 --output-dir test-gcp-secret
2022/01/05 20:54:20 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/05 20:54:20 Using existing RSA keypair found at test-gcp-secret/serviceaccount-signer.private
2022/01/05 20:54:20 Copying signing key for use by installer
2022/01/05 20:54:23 Failed to create workload identity pool: failed to create workload identity pool lwan-gcp0105: googleapi: Error 409: Requested entity already exists, alreadyExists

###aws###
$ ./ccoctl aws create-all --credentials-requests-dir credrequests-aws/ --name lwan-aws-0105 --region us-east-2 --output-dir secret-aws
2022/01/05 21:05:14 Using existing RSA keypair found at secret-aws/serviceaccount-signer.private
2022/01/05 21:05:14 Copying signing key for use by installer
2022/01/05 21:05:15 Bucket lwan-aws-0105-oidc already exists and is owned by the user
2022/01/05 21:05:16 OpenID Connect discovery document in the S3 bucket lwan-aws-0105-oidc at .well-known/openid-configuration updated
2022/01/05 21:05:16 Reading public key
2022/01/05 21:05:16 JSON web key set (JWKS) in the S3 bucket lwan-aws-0105-oidc at keys.json updated
2022/01/05 21:05:18 Existing Identity Provider found with ARN: arn:aws:iam::301721915996:oidc-provider/lwan-aws-0105-oidc.s3.us-east-2.amazonaws.com
2022/01/05 21:05:18 Ignoring CredentialsRequest openshift-cloud-credential-operator/cr-test-stale as it is marked for in-cluster deletion
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-machine-api-aws-cloud-credentials found
2022/01/05 21:05:19 Updated Role policy for Role lwan-aws-0105-openshift-machine-api-aws-cloud-credentials
2022/01/05 21:05:19 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-cloud-credential-operator-cloud-credenti
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-image-registry-installer-cloud-credentia found
2022/01/05 21:05:20 Updated Role policy for Role lwan-aws-0105-openshift-image-registry-installer-cloud-credentia
2022/01/05 21:05:20 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-ingress-operator-cloud-credentials found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-ingress-operator-cloud-credentials
2022/01/05 21:05:21 Existing role arn:aws:iam::301721915996:role/lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential found
2022/01/05 21:05:21 Updated Role policy for Role lwan-aws-0105-openshift-cluster-csi-drivers-ebs-cloud-credential

How reproducible: Always

Steps to Reproduce:
1. Run the ccoctl create command with the same name twice on both aws and gcp

Actual result: The behaviors are different between aws and gcp

Expected result: It would be better for the behaviors to be similar
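
The difference reported above comes down to how a create call treats "already exists". The following is an added example, not ccoctl's own code: it shows a create-or-reuse step that accepts only HTTP 409 as "resource present" and still fails on every other error. The names apiError, fakeCloud and EnsurePool are hypothetical, and fakeCloud is a constructed in-memory stand-in for the cloud API so the example runs offline.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
)

// apiError is a constructed stand-in for googleapi.Error, which also carries the HTTP status in Code.
type apiError struct {
	Code int
	Msg  string
}

func (e *apiError) Error() string { return fmt.Sprintf("Error %d: %s", e.Code, e.Msg) }

// fakeCloud is a hypothetical in-memory API that rejects duplicate names, like the GCP log above.
type fakeCloud struct {
	pools  map[string]bool
	denied bool // when true, every create fails with 403
}

func (c *fakeCloud) CreatePool(name string) error {
	if c.denied {
		return &apiError{Code: http.StatusForbidden, Msg: "permission denied"}
	}
	if c.pools[name] {
		return &apiError{Code: http.StatusConflict, Msg: "Requested entity already exists"}
	}
	c.pools[name] = true
	return nil
}

// EnsurePool reports created=true for a new pool, created=false on a 409, and an error otherwise.
func EnsurePool(c *fakeCloud, name string) (created bool, err error) {
	err = c.CreatePool(name)
	if err == nil {
		return true, nil
	}
	var ae *apiError
	if errors.As(err, &ae) && ae.Code == http.StatusConflict {
		return false, nil // reuse the existing pool instead of aborting the run
	}
	return false, fmt.Errorf("failed to create workload identity pool %s: %w", name, err)
}

func main() {
	c := &fakeCloud{pools: map[string]bool{}}
	fmt.Println(EnsurePool(c, "example-pool")) // first run: created
	fmt.Println(EnsurePool(c, "example-pool")) // re-run: reused, no error
}
```

Matching on the status code alone keeps permission and quota failures visible, so a re-run cannot silently skip a resource it was never able to create.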

Verified on registry.ci.openshift.org/ocp/release:4.10.0-0.ci-2022-01-14-034708

### Running the below command twice won't throw an error.
$ ./ccoctl gcp create-all --credentials-requests-dir credrequests-gcp --name lwan-gcp0114 --project openshift-qe --region us-central1 --output-dir test-gcp-secret-3
2022/01/14 12:45:06 Credentials loaded from file "/home/lwan/.gcp/osServiceAccount.json"
2022/01/14 12:45:06 Generating RSA keypair
2022/01/14 12:45:09 Writing private key to test-gcp-secret-3/serviceaccount-signer.private
2022/01/14 12:45:09 Writing public key to test-gcp-secret-3/serviceaccount-signer.public
2022/01/14 12:45:09 Copying signing key for use by installer
2022/01/14 12:45:11 Workload identity pool lwan-gcp0114 already exists
2022/01/14 12:45:12 Bucket lwan-gcp0114-oidc already exists
2022/01/14 12:45:13 OpenID Connect discovery document in the S3 bucket lwan-gcp0114-oidc at .well-known/openid-configuration updated
2022/01/14 12:45:13 Reading public key
2022/01/14 12:45:14 JSON web key set (JWKS) in the S3 bucket lwan-gcp0114-oidc at keys.json updated
2022/01/14 12:45:14 Workload identity provider lwan-gcp0114 already exists in pool lwan-gcp0114
2022/01/14 12:45:26 Existing IAM service account lwan-gcp0114-openshift-gcp-ccm found
2022/01/14 12:45:28 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-ccm
2022/01/14 12:45:28 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-controller-manager-gcp-ccm-cloud-credentials-credentials.yaml
2022/01/14 12:45:40 Existing IAM service account lwan-gcp0114-openshift-cluster-api-gcp found
2022/01/14 12:45:41 Updated policy bindings for IAM service account lwan-gcp0114-openshift-cluster-api-gcp
2022/01/14 12:45:41 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:45:52 Existing IAM service account lwan-gcp0114-openshift-machine-api-gcp found
2022/01/14 12:45:53 Updated policy bindings for IAM service account lwan-gcp0114-openshift-machine-api-gcp
2022/01/14 12:45:53 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-machine-api-gcp-cloud-credentials-credentials.yaml
2022/01/14 12:46:04 Existing IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds found
2022/01/14 12:46:06 Updated policy bindings for IAM service account lwan-gcp0114-cloud-credential-operator-gcp-ro-creds
2022/01/14 12:46:06 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cloud-credential-operator-cloud-credential-operator-gcp-ro-creds-credentials.yaml
2022/01/14 12:46:16 Existing IAM service account lwan-gcp0114-openshift-image-registry-gcs found
2022/01/14 12:46:19 Updated policy bindings for IAM service account lwan-gcp0114-openshift-image-registry-gcs
2022/01/14 12:46:19 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-image-registry-installer-cloud-credentials-credentials.yaml
2022/01/14 12:46:29 Existing IAM service account lwan-gcp0114-openshift-ingress-gcp found
2022/01/14 12:46:30 Updated policy bindings for IAM service account lwan-gcp0114-openshift-ingress-gcp
2022/01/14 12:46:30 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-ingress-operator-cloud-credentials-credentials.yaml
2022/01/14 12:46:41 Existing IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator found
2022/01/14 12:46:42 Updated policy bindings for IAM service account lwan-gcp0114-openshift-gcp-pd-csi-driver-operator
2022/01/14 12:46:42 Saved credentials configuration to: test-gcp-secret-3/manifests/openshift-cluster-csi-drivers-gcp-pd-cloud-credentials-credentials.yaml

Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Moderate: OpenShift Container Platform 4.10.3 security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:0056