openshift/cloud-credential-operator

[IBMCloud] [4.10] ServiceID API key credentials seems to be insufficient for ccoctl '--resource-group-name' parameter

pamoedom opened this issue · 9 comments

Hi @mkumatag, as discussed via Slack, I'm creating an issue here in order to track the strange behavior of ccoctl when using ServiceID API key instead of a user-based one, example:

$ ./ccoctl ibmcloud create-service-id --name="${infraID}" --credentials-requests-dir="cco-creds" --resource-group-name="${resourceGN}" --output-dir="cco-mnfst"
Error: Failed to getResourceGroupID: Failed to list resource groups for the name: pamoedo-ibmtest10-rn2q5: Can not get resource groups without account id in parameter by service id token

NOTE: The ServiceID API key has Power Users access group with default Access policies in place.

Best Regards.


/assign
/kind bug

Hi @mkumatag, thanks for following up on this, appreciated!
BTW, I'm not sure that parameter --resource-group-name is really necessary for ccoctl to succeed with the create-service-id operation, but it's worth checking, thanks.

It is correct that --resource-group-name is optional. Providing the parameter simply locks down the permissions for the Service IDs further down (recommended, but not required).

@pamoedom help me understand the difference between a "ServiceID API key" and a "user-based one". I don't want to assume I know which is which, so how do I generate one of each kind?

Hi @joelddiaz.

The ServiceID API key can be obtained from Manage -> Access (IAM) -> Service IDs -> Create -> API keys -> Create, but remember to also give it the Power User access group if you want to use it for OCP installation.

The regular (user-based) one can be created at Manage -> Access (IAM) -> API keys

Regards.

The fix is straightforward

diff --git a/pkg/cmd/provisioning/ibmcloud/create_service_id.go b/pkg/cmd/provisioning/ibmcloud/create_service_id.go
index 7a4a6c24..157c05ad 100644
--- a/pkg/cmd/provisioning/ibmcloud/create_service_id.go
+++ b/pkg/cmd/provisioning/ibmcloud/create_service_id.go
@@ -100,7 +100,8 @@ func createServiceIDs(client ibmcloud.Client, accountID *string,
        if resourceGroupName != "" {
                // Get the ID for the given resourceGroupName
                listResourceGroupsOptions := &resourcemanagerv2.ListResourceGroupsOptions{
-                       Name: &resourceGroupName,
+                       AccountID: accountID,
+                       Name:      &resourceGroupName,
                }
                resourceGroups, _, err := client.ListResourceGroups(listResourceGroupsOptions)
                if err != nil {
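
Review bot: The new `AccountID: accountID,` line passes the `*string` parameter of createServiceIDs straight through with no nil check, so a caller that hands in a nil account ID would send the same unscoped request as before and a service ID token would hit the same "without account id" failure. Consider returning an explicit error when `resourceGroupName != ""` and `accountID` is nil, before calling `client.ListResourceGroups`, and adding a unit test that asserts the options passed to ListResourceGroups carry both AccountID and Name. The comment above the options struct could also say that the lookup is scoped to the account.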

But given our new no-feature freeze process, we have hard requirements on needing a bugzilla to push PRs to completion.

Perhaps we should close the GitHub Issues feature for this repo, as it will just end up causing manual copying/syncing...

Thanks @joelddiaz, if you want I can raise the proper BZ for this and you can link the PR if needed.

@pamoedom yes please