diff --git a/doc/dev_guide/create_aws_role.sh b/doc/dev_guide/create_aws_role.sh index 77ed02467..c7fc622d2 100755 --- a/doc/dev_guide/create_aws_role.sh +++ b/doc/dev_guide/create_aws_role.sh @@ -26,6 +26,7 @@ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text) # The OIDC provider is in the structure: # 1) .s3..amazonaws.com. for OIDC bucket configurations are in an S3 public bucket # 2) `.cloudfront.net` for OIDC bucket configurations in an S3 private bucket with a public CloudFront distribution URL +# 3) OIDC Endpoint URL for ROSA HCP clusters without https:// (example oidc.os1.devshift.org/) OIDC_PROVIDER=$(oc get authentication cluster -ojson | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///") # the permission (S3 full access) POLICY_ARN_STRINGS="arn:aws:iam::aws:policy/AmazonS3FullAccess" diff --git a/doc/dev_guide/troubleshoot_sts_cluster.md b/doc/dev_guide/troubleshoot_sts_cluster.md index 864037c5a..c4b9fca0d 100644 --- a/doc/dev_guide/troubleshoot_sts_cluster.md +++ b/doc/dev_guide/troubleshoot_sts_cluster.md @@ -41,6 +41,8 @@ aws sts assume-role-with-web-identity --role-arn --role-session-name You should see in the output the credentials (which includes the `AccessKeyId`, `SecretAccessKey`, and `SessionToken` - output example is in file `doc/dev_guide/create_aws_sts_setup_on_minikube.md`, but in case the role is wrong you'll see still `AccessDenied`, so you can create a new role with the script and test it. +Note: if this invalid role was sent as a part of OCP cluster you would need to update the subscription that have this environment variable: in odf-operator and mcg-operator subscriptions (in both of them - either in the UI or editing the YAMLs), search for the ROLEARN env name and update the value. + #### 2) Cluster configurations ```
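Review bot: in the create_aws_role.sh hunk, the new comment's example issuer `oidc.os1.devshift.org/` ends with a slash, but the `sed -e "s/^https:\/\///"` on the next line only strips the scheme, so for a ROSA HCP issuer stored that way `OIDC_PROVIDER` keeps the trailing slash and the value no longer matches the host-only forms described in cases 1) and 2). Either drop the trailing slash from the example so it documents the expected shape, or make the normalization also remove it, e.g. `sed -e 's#^https://##' -e 's#/$##'`, so the three documented inputs all yield a bare hostname.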
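Review bot: in the troubleshoot_sts_cluster.md hunk, the added note does not say where the ROLEARN variable lives in the Subscription or which namespace the odf-operator and mcg-operator subscriptions are in, so a reader following the "editing the YAMLs" path has to guess; the sentence also needs grammar fixes ("sent as a part of OCP cluster", "the subscription that have this environment variable"). Suggested wording: "Note: if this invalid role ARN was supplied as part of the OCP cluster installation, update the odf-operator and mcg-operator Subscriptions that carry the variable (in the UI or by editing the YAML, in the namespace where the operators are installed): find the `ROLEARN` entry under the Subscription's `spec.config.env` and set its value to the new role ARN."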