
SCT does not support Okta generated credentials

Open eliransin opened this issue 1 year ago • 5 comments

Use Case

We are trying to use SCT in order to automate creation of fully operational clusters for dev manual testing. However the problem is related to running any SCT test from a dev machine.

Additional Information

Currently we don't get keys and secret keys for AWS anymore, but we need to generate them through Okta. Link to the Notion procedure: https://www.notion.so/How-to-login-on-AWS-CLI-and-assume-a-role-bcc4e36042ea4ae9a76ea65e7aafe283?pvs=4

After we did so we use something similar to this recipe in order to create the cluster: https://docs.google.com/document/d/1T6rgl4avdpLSwaoNmIpOobS_19RN66tWhJguWKyKNac/edit?usp=sharing

TL;DR we use it with creation of a new runner and assumed role keys of DeveloperAccessRole

Example

We try the following command: /docker/env/hydra.sh --execute-on-new-runner run-pytest --backend aws -c test-cases/PR-provision-test.yaml longevity_test.py::LongevityTest::test_custom_time

And we get the following error: ERROR longevity_test.py::LongevityTest::test_custom_time - botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::797456418907:assumed-role/DeveloperAccessRole/[email protected] is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::158855661827:role/ScyllaAMIAccessRole

Conclusion

The following command has been tried by myself and @wmitros, the difference is that I have generated credentials and not assumed role credentials. For me it worked while for @wmitros it didn't.

Priority Details

This blocks the progress on https://github.com/scylladb/scylla-enterprise/issues/3049 which is a P1 issue. I would like to request high priority on this please

eliransin avatar Jul 20 '23 08:07 eliransin

/cc @wmitros @mykaul @roydahan

eliransin avatar Jul 20 '23 08:07 eliransin

This is the cause of the recent change of moving Scylla AMIs to different accounts.

Sending it to IT to grant AssumeRole to the Dev role

fruch avatar Jul 20 '23 09:07 fruch
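The AccessDenied text reported above names both ends of the failing role hop, but it does not say whether the caller's identity policy or the target role's trust policy is the missing piece. The following is an added example, not code from this thread or from SCT: it parses that message and prints the two least-privilege policy documents an administrator would compare against what is deployed. The function name `required_grants` and the `SESSION_NAME` placeholder are assumptions, and the source role is assumed to have no IAM path.

```python
import json
import re

# Constructed sample: the error text from the issue, with the session name
# replaced by a placeholder because it is redacted on the page.
SAMPLE_ERROR = (
    "An error occurred (AccessDenied) when calling the AssumeRole operation: "
    "User: arn:aws:sts::797456418907:assumed-role/DeveloperAccessRole/SESSION_NAME "
    "is not authorized to perform: sts:AssumeRole on resource: "
    "arn:aws:iam::158855661827:role/ScyllaAMIAccessRole"
)

DENIED = re.compile(
    r"User: arn:aws:sts::(?P<src_acct>\d{12}):assumed-role/(?P<src_role>[\w+=,.@-]+)/\S+ "
    r"is not authorized to perform: sts:AssumeRole on resource: "
    r"(?P<target>arn:aws:iam::(?P<dst_acct>\d{12}):role/[\w+=,.@/-]+)"
)


def required_grants(error_text):
    """Return the caller's role ARN and both policy documents the hop needs."""
    m = DENIED.search(error_text)
    if m is None:
        raise ValueError("not an AssumeRole AccessDenied for an assumed-role caller")
    # A session ARN omits the IAM path, so this assumes the source role has none.
    source_role = f"arn:aws:iam::{m['src_acct']}:role/{m['src_role']}"
    identity_policy = {  # attach to the source role; scoped to the one target role
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Action": "sts:AssumeRole",
                       "Resource": m["target"]}],
    }
    trust_policy = {  # on the target role; names the source role, not the whole account
        "Version": "2012-10-17",
        "Statement": [{"Effect": "Allow", "Principal": {"AWS": source_role},
                       "Action": "sts:AssumeRole"}],
    }
    return {
        "source_role": source_role,
        "cross_account": m["src_acct"] != m["dst_acct"],  # both sides must allow
        "identity_policy": identity_policy,
        "trust_policy": trust_policy,
    }


if __name__ == "__main__":
    print(json.dumps(required_grants(SAMPLE_ERROR), indent=2))
```

Because the two account IDs differ, the hop needs both documents in place: the identity policy in the caller's account and the trust policy in the account that owns the target role.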

Regardless there are two options to avoid this one:

  1. run it on Jenkins job
  2. take an older branch, i.e. branch-2023.1, that doesn't have the new AMI project support

fruch avatar Jul 20 '23 09:07 fruch

Thanks. @fruch have you already sent this request or should I? In case this is the latter, what are the roles I should ask assume permissions for? Tx

eliransin avatar Jul 23 '23 09:07 eliransin

> Thanks. @fruch have you already sent this request or should I? In case this is the latter, what are the roles I should ask assume permissions for? Tx

I've sent an email to IT, you are on that mail as well

fruch avatar Jul 23 '23 09:07 fruch