[IBMCloud] [4.10] ServiceID API key credentials seems to be insufficient for ccoctl '--resource-group-name' parameter
pamoedom opened this issue · 9 comments
Hi @mkumatag, as discussed via Slack, I'm creating an issue here in order to track the strange behavior of ccoctl when using ServiceID API key instead of a user-based one, example:
$ ./ccoctl ibmcloud create-service-id --name="${infraID}" --credentials-requests-dir="cco-creds" --resource-group-name="${resourceGN}" --output-dir="cco-mnfst"
Error: Failed to getResourceGroupID: Failed to list resource groups for the name: pamoedo-ibmtest10-rn2q5: Can not get resource groups without account id in parameter by service id token
NOTE: The ServiceID API key has Power Users access group with default Access policies in place.
Best Regards.
/assign
/kind bug
Hi @mkumatag, thanks for following up on this, appreciated!
BTW, I'm not sure that parameter --resource-group-name is really necessary for ccoctl to succeed with the create-service-id operation but worth checking, thanks.
It is correct that --resource-group-name is optional. Providing the parameter simply locks down the permissions for the Service IDs further down (recommended, but not required).
@pamoedom help me understand the difference between a "ServiceID API key" and a "user-based one". I don't want to assume I know which is which, so how do I generate one of each kind?
Hi @joelddiaz.
The ServiceID API key can be obtained from Manage -> Access (IAM) -> Service IDs -> Create -> API keys -> Create but remember to give it Power User access group also if you want to use it for OCP installation.
The regular (user-based) one can be created at Manage -> Access (IAM) -> API keys
Regards.
The fix is straightforward
diff --git a/pkg/cmd/provisioning/ibmcloud/create_service_id.go b/pkg/cmd/provisioning/ibmcloud/create_service_id.go
index 7a4a6c24..157c05ad 100644
--- a/pkg/cmd/provisioning/ibmcloud/create_service_id.go
+++ b/pkg/cmd/provisioning/ibmcloud/create_service_id.go
@@ -100,7 +100,8 @@ func createServiceIDs(client ibmcloud.Client, accountID *string,
if resourceGroupName != "" {
// Get the ID for the given resourceGroupName
listResourceGroupsOptions := &resourcemanagerv2.ListResourceGroupsOptions{
- Name: &resourceGroupName,
+ AccountID: accountID,
+ Name: &resourceGroupName,
}
resourceGroups, _, err := client.ListResourceGroups(listResourceGroupsOptions)
if err != nil {
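Review bot: in the ListResourceGroupsOptions literal, AccountID is set directly from the accountID pointer parameter of createServiceIDs with no nil or empty check, so a caller that could not resolve the account ID would still send the request without one and would likely hit the same "Can not get resource groups without account id" failure, only now with a less obvious cause. Consider validating accountID before this block (for example `if accountID == nil || *accountID == ""`) and returning an explicit error, and add a unit test asserting that the options passed to client.ListResourceGroups carry both AccountID and Name.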
But given our new no-feature freeze process, we have hard requirements on needing a bugzilla to push PRs to completion.
Perhaps we should close the GitHub Issues feature for this repo, as it will just end up causing manual copying/syncing...
Thanks @joelddiaz, if you want I can raise the proper BZ for this and you can link the PR if needed.
ACK @joelddiaz, here you have it, thks:
https://bugzilla.redhat.com/show_bug.cgi?id=2015133