iam tests fail with: "not authorized to perform: iam:UploadServerCertificate" #32

goneri opened this issue Dec 8, 2022 · 0 comments
goneri commented Dec 8, 2022

Summary

The error:

2022-12-08 02:25:32.429814 | controller | TASK [iam : Create Certificate with Chain and path] ****************************
2022-12-08 02:25:32.429818 | controller | task path: /home/zuul/.ansible/collections/ansible_collections/amazon/cloud/tests/integration/targets/iam/tasks/main.yml:160
2022-12-08 02:25:43.771469 | controller | File lookup using /var/tmp/ansible.ot9fr89g.test/cert2-key.pem as file
2022-12-08 02:25:43.771521 | controller | Using module file /home/zuul/.ansible/collections/ansible_collections/amazon/cloud/plugins/modules/iam_server_certificate.py
2022-12-08 02:25:43.771530 | controller | Pipelining is enabled.
2022-12-08 02:25:43.771537 | controller | <testhost> ESTABLISH LOCAL CONNECTION FOR USER: zuul
2022-12-08 02:25:43.771543 | controller | <testhost> EXEC /bin/sh -c 'ANSIBLE_DEBUG_BOTOCORE_LOGS=True /home/zuul/venv/bin/python && sleep 0'
2022-12-08 02:25:43.771550 | controller | The full traceback is:
2022-12-08 02:25:43.771556 | controller | Traceback (most recent call last):
2022-12-08 02:25:43.771563 | controller |   File "/tmp/ansible_amazon.cloud.iam_server_certificate_payload_57w2imqa/ansible_amazon.cloud.iam_server_certificate_payload.zip/ansible_collections/amazon/cloud/plugins/module_utils/core.py", line 260, in present
2022-12-08 02:25:43.771571 | controller |     resource = self.client.get_resource(
2022-12-08 02:25:43.771584 | controller |   File "/tmp/ansible_amazon.cloud.iam_server_certificate_payload_57w2imqa/ansible_amazon.cloud.iam_server_certificate_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/retries.py", line 96, in deciding_wrapper
2022-12-08 02:25:43.771602 | controller |     return retrying_wrapper(*args, **kwargs)
2022-12-08 02:25:43.771612 | controller |   File "/tmp/ansible_amazon.cloud.iam_server_certificate_payload_57w2imqa/ansible_amazon.cloud.iam_server_certificate_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 115, in _retry_wrapper
2022-12-08 02:25:43.771617 | controller |     return _retry_func(
2022-12-08 02:25:43.771622 | controller |   File "/tmp/ansible_amazon.cloud.iam_server_certificate_payload_57w2imqa/ansible_amazon.cloud.iam_server_certificate_payload.zip/ansible_collections/amazon/aws/plugins/module_utils/cloud.py", line 65, in _retry_func
2022-12-08 02:25:43.771628 | controller |     return func()
2022-12-08 02:25:43.771633 | controller |   File "/home/zuul/venv/lib/python3.9/site-packages/botocore/client.py", line 391, in _api_call
2022-12-08 02:25:43.771641 | controller |     return self._make_api_call(operation_name, kwargs)
2022-12-08 02:25:43.771646 | controller |   File "/home/zuul/venv/lib/python3.9/site-packages/botocore/client.py", line 719, in _make_api_call
2022-12-08 02:25:43.771651 | controller |     raise error_class(parsed_response, operation_name)
2022-12-08 02:25:43.771657 | controller | botocore.errorfactory.ResourceNotFoundException: An error occurred (ResourceNotFoundException) when calling the GetResource operation: AWS::IAM::ServerCertificate Handler returned status FAILED: The Server Certificate with name ansible-test-96259f54ff99 cannot be found. (Service: Iam, Status Code: 404, Request ID: c41d4165-6b94-422b-b7e6-6d67531dd0c1) (HandlerErrorCode: NotFound, RequestToken: 8c89a8a3-72a1-4660-8938-b20acec52efd)
2022-12-08 02:25:43.771663 | controller |
2022-12-08 02:25:43.771669 | controller | During handling of the above exception, another exception occurred:
2022-12-08 02:25:43.771674 | controller |
2022-12-08 02:25:43.771679 | controller | Traceback (most recent call last):
2022-12-08 02:25:43.771684 | controller |   File "/tmp/ansible_amazon.cloud.iam_server_certificate_payload_57w2imqa/ansible_amazon.cloud.iam_server_certificate_payload.zip/ansible_collections/amazon/cloud/plugins/module_utils/core.py", line 98, in wait_until_resource_request_success
2022-12-08 02:25:43.771689 | controller |     get_waiter(self.client, "resource_request_success").wait(
2022-12-08 02:25:43.771694 | controller |   File "/home/zuul/venv/lib/python3.9/site-packages/botocore/waiter.py", line 350, in wait
2022-12-08 02:25:43.771698 | controller |     raise WaiterError(
2022-12-08 02:25:43.771703 | controller | botocore.exceptions.WaiterError: Waiter resource_request_success failed: Waiter encountered a terminal failure state: For expression "ProgressEvent.OperationStatus" we matched expected path: "FAILED"
2022-12-08 02:25:43.771709 | controller | fatal: [testhost]: FAILED! => {
2022-12-08 02:25:43.771714 | controller |     "boto3_version": "1.20.0",
2022-12-08 02:25:43.771718 | controller |     "botocore_version": "1.23.0",
2022-12-08 02:25:43.771722 | controller |     "changed": false,
2022-12-08 02:25:43.771727 | controller |     "invocation": {
2022-12-08 02:25:43.771732 | controller |         "module_args": {
2022-12-08 02:25:43.771737 | controller |             "access_key": "ASIA6CCDWXDOFQY7PL5X",
2022-12-08 02:25:43.771741 | controller |             "aws_access_key": "ASIA6CCDWXDOFQY7PL5X",
2022-12-08 02:25:43.771746 | controller |             "aws_ca_bundle": null,
2022-12-08 02:25:43.771750 | controller |             "aws_config": null,
2022-12-08 02:25:43.771755 | controller |             "aws_secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
2022-12-08 02:25:43.771761 | controller |             "certificate_body": "-----BEGIN CERTIFICATE-----\nMIIDNzCCAh+gAwIBAgIUM+dvgd8i7EXYdAHxV7o54ZIkrCwwDQYJKoZIhvcNAQEL\nBQAwHTEbMBkGA1UEAwwSY2VydDEuYW5zaWJsZS50ZXN0MB4XDTIyMTIwODAyMjQw\nOFoXDTMyMTIwNTAyMjQwOFowHTEbMBkGA1UEAwwSY2VydDIuYW5zaWJsZS50ZXN0\nMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAw9X6qWeextqD8EEhNdme\nB4eZqdbnFAmXmE/P62BRwXOSorquxJlf7bLUVBVmopmUaiUj+Z7iGrXAt52NqqCy\nvX/GHs0ZK4xhTcL8w4maKk+XmwlsSUxYIeCTONxgguunbZyeZNYn1K4P9wmYIvLW\niIifV7Sz3cZErgltMkrcIkRoxBdE9HGMXMwab7QTelYpAG9+CS6KCs3VtBwnk+D+\ny3s07Ar0dB+xY9cK31EgJbtGu+8CKK60c3lx13NhmP4F4z0oi+rmvf1ARnJ46BoP\nRApH4jcsY49fh0HmoyeeBMY+IDVyzCGGSPi9qGlzr/WPvZw9iNfoZ+PJQllKT7VI\nxwIDAQABo28wbTAdBgNVHREEFjAUghJjZXJ0Mi5hbnNpYmxlLnRlc3QwDAYDVR0T\nBAUwAwEB/zAdBgNVHQ4EFgQU5tc9utWUTbBrBzo4grJ3VM3K3UswHwYDVR0jBBgw\nFoAUYhUcgr0J3jqvG8uJKvrYdCe+p0kwDQYJKoZIhvcNAQELBQADggEBAIHrIHWa\nWeo+XFhxz+epMnKyAIxQrDYtIJpnS+0ddLjJsW+hqADwF1sUJdOqncMlMxoCtsHC\nu9xDJq/4dTpRv2HC3GXhDXB4POiqYB0ep3yvVfFI94bkNiPMB5JjPANM3C9GcDBm\neh63ms50kF4GAKnkLLyfV+Utv2iePld09gjwh7QaEeZc5yKmZIUGuTY3ExJZ8XAW\nyzXiOD+9ENI9lWUyMUFAY6Cuw8f1QAO47plfF/Wov+GChJJISZwegkgPKGCFY07R\nKBph5oUzmRxP/DAiayJ7QpAOERLV4ohYQbRpUBiJanM3aP+Y8UyAU4fGtbQFIti+\n/sumU2+9RnOuwYo=\n-----END CERTIFICATE-----",
2022-12-08 02:25:43.771775 | controller |             "certificate_chain": "-----BEGIN CERTIFICATE-----\nMIIDNDCCAhygAwIBAgIUFACt24zyMcm55fuTKfhix3c2eIEwDQYJKoZIhvcNAQEL\nBQAwGjEYMBYGA1UEAwwPY2EuYW5zaWJsZS50ZXN0MB4XDTIyMTIwODAyMjQwN1oX\nDTMyMTIwNTAyMjQwN1owHTEbMBkGA1UEAwwSY2VydDEuYW5zaWJsZS50ZXN0MIIB\nIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqDWQp8vaICatZkP3rw1pZcJA\nxWxg0pv+asXegvD3W72ya6y1FRm8zeqzlN36f2Lzw2zAmchrKa5ssbTC1tlylyyI\nPmd2bxheX9V+r0uizPzVsLUloWpGc9xNTVEy310t3cg4sLr0l1STykubQ+Y+gFmX\n7bNCqZYM22LKWE4cyKJbrOO0IOU2sgfgCgcmJxsBVzzxpZOsvNx4lwuItcOsaUsF\nk0TZaXngyioa5tm8yK6G/r5idzR9Sy5egvs6ymqLr5QUCfNDJu8rbqYA4yLPfQYX\nHs4dN16qUX6lG7m3kYuCKu2JODW1ifozi1isxObWm+IRH6xTFFejW6hhXju0RwID\nAQABo28wbTAdBgNVHREEFjAUghJjZXJ0MS5hbnNpYmxlLnRlc3QwDAYDVR0TBAUw\nAwEB/zAdBgNVHQ4EFgQUYhUcgr0J3jqvG8uJKvrYdCe+p0kwHwYDVR0jBBgwFoAU\nIqQ1vZMEz1XqZblDBIZFOwjK7Z8wDQYJKoZIhvcNAQELBQADggEBAIB8FtW3ld5C\nbAFGWwFmcRik6Enbfe5sowZuHJG3WqR4nIr/Oaeiv1nTGMvHiO6JX1E+REX83j0A\nU7jtLN1SPyRILWcZCoZWjQGCC8H9QgIHW4vd509OqY/yPeBwe5QFmCjogzUJG6Rk\n4Q++yj74HL2v7WREFKy1rCvhtFRo0MX8qde3jJ5kRi2goSAJ2cdn+hw7sIsiHsBF\nADKpNKzTWX2q/e5obERxxYEBFXVQtApAbt3gQaggCfK492nAWSIJcpHhnYAKy43M\neWSQZHsxSaDd5T5m9dmNhGKivAjThQLNKDuhBWgJV+hpIPyUCqZPkiHsZlW8QieB\nUrFpp0M/XHE=\n-----END CERTIFICATE-----",
2022-12-08 02:25:43.771780 | controller |             "debug_botocore_endpoint_logs": true,
2022-12-08 02:25:43.771785 | controller |             "endpoint_url": null,
2022-12-08 02:25:43.771789 | controller |             "force": false,
2022-12-08 02:25:43.771794 | controller |             "path": "/example/",
2022-12-08 02:25:43.771799 | controller |             "private_key": "-----BEGIN RSA PRIVATE KEY-----\nMIIEpQIBAAKCAQEAw9X6qWeextqD8EEhNdmeB4eZqdbnFAmXmE/P62BRwXOSorqu\nxJlf7bLUVBVmopmUaiUj+Z7iGrXAt52NqqCyvX/GHs0ZK4xhTcL8w4maKk+Xmwls\nSUxYIeCTONxgguunbZyeZNYn1K4P9wmYIvLWiIifV7Sz3cZErgltMkrcIkRoxBdE\n9HGMXMwab7QTelYpAG9+CS6KCs3VtBwnk+D+y3s07Ar0dB+xY9cK31EgJbtGu+8C\nKK60c3lx13NhmP4F4z0oi+rmvf1ARnJ46BoPRApH4jcsY49fh0HmoyeeBMY+IDVy\nzCGGSPi9qGlzr/WPvZw9iNfoZ+PJQllKT7VIxwIDAQABAoIBAFgPWLMjXqDBcrGu\nv73EuMxe+8iE04zNkWbSgMaxHaI1E3tsIZlS9HFgyBx1MR0tnTCrucUN3lMvZlTK\nmoDe2PDgS1jfVhGggsKiSuGsdu/OsXfsIU7GbxzwrJLVeep1B+kAk7L5H5kBmjk2\nDbytYK2tbaVVIso3VPvDTmBejCU1vvdbGIumpaRh3PdTXoXGvXQZ7b4Ap2NDal/c\nwBmAQR5yc4/vJa58EOXHkuuKRHGaeqIJA15IqMXNO2pjOaROQfNxVbHqvTnJ0cHA\n2fJVKUUHD/mGsAHCFLQu+hGVGq1gWat5qF9Jwy0JxW1QfkIzo9N+mqgWTY9zkdXZ\nwS23Df0CgYEA0jCvU9tgRiFUZUSt/RozS/SaX+oWSPoK12JBfB2PuRM5qsdtUwrw\nIenDb9NZnqQPq9Y3Q8SJN+f6dzRReMQt3XMUDbkKDQJlXGVZJ5Kd3d5vTLXF7qMb\nflL273J7kzqnPpj/yLeyLNZdeVJT0+CDIT27sfPWPndbeS64pgnwu9sCgYEA7oRp\nbHw0ocv7zpxJHx4gSkXe+oyL/cbv+Ap/nixd45uMpH3VTdzu0DWAh5C13y3TGAhe\nY/8gLIefIKeVUvNmlm0Zq9UwixgNbbJ0EYorp8bRcaZXLP2jbrDNIO0Rlx5gJCQM\ns9BjkN0LNirH3ePRmwgwYIGUGBVhobVnXBWSEIUCgYEAiVhWuKz409qjkyi1qFWe\nf1tuJI6J0VXSD7ucnsWSTJVLcVSvEzxqfT6K/l9UiF0cAGUR565dG7Lx70K4mflX\nHwU7bVwkPSv7n8x53Wnozjmy8KU2mSDrrjf4M67TIPmKn1TKjxW5z6KjocsyC5kB\nFo+IPlfe/yJvG1h0P8rvC1ECgYEArMc6Xx2yOqo7JDXOOj5mgacPmUuKdTFQz8s7\nGudks+YQAXAtvhOW4zh+fLV1KdBWJAib56/+LIOp38vFvasX20v41qK+YWPxBk/J\nCJOggA7j1YH7kFnDtAFa9skEfwW/+y4qDW+dUGjvIDPpSHEpezZ5ZM846iFC8hMo\nZmoxvskCgYEAr8biqFMGgstK1znNrKiiJm5br/eINMH/t7McT2sAas8ZHmI2ftDB\n7jB69ZEx0LNfG/4Fcy9mNmbLeAcr6sejUJCJ8EAb+sFCz0pMGrEXTl5xYpeRV7tj\nbCc0BQb/xho25bigeJBCdSoaGxYmldZga9SCoZLg9NQft3+OAJDiTFg=\n-----END RSA PRIVATE KEY-----",
2022-12-08 02:25:43.771804 | controller |             "profile": null,
2022-12-08 02:25:43.771809 | controller |             "purge_tags": true,
2022-12-08 02:25:43.771814 | controller |             "region": "us-east-1",
2022-12-08 02:25:43.771818 | controller |             "secret_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
2022-12-08 02:25:43.771823 | controller |             "security_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
2022-12-08 02:25:43.771830 | controller |             "server_certificate_name": "ansible-test-96259f54ff99",
2022-12-08 02:25:43.771834 | controller |             "session_token": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
2022-12-08 02:25:43.771839 | controller |             "state": "present",
2022-12-08 02:25:43.771843 | controller |             "tags": null,
2022-12-08 02:25:43.771848 | controller |             "validate_certs": true,
2022-12-08 02:25:43.771853 | controller |             "wait": false,
2022-12-08 02:25:43.771857 | controller |             "wait_timeout": 320
2022-12-08 02:25:43.771862 | controller |         }
2022-12-08 02:25:43.771866 | controller |     },
2022-12-08 02:25:43.771871 | controller |     "msg": "Resource request failed to reach successful state: User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-prod/prod=remote=zuul-cloud is not authorized to perform: iam:UploadServerCertificate on resource: arn:aws:iam::966509639900:server-certificate/example/ansible-test-96259f54ff99 because no identity-based policy allows the iam:UploadServerCertificate action (Service: Iam, Status Code: 403, Request ID: 7329c667-e030-4948-b84b-f72eb76c104b)",
2022-12-08 02:25:43.771876 | controller |     "resource_actions": [
2022-12-08 02:25:43.771882 | controller |         "cloudcontrolapi:GetResource",
2022-12-08 02:25:43.771887 | controller |         "cloudcontrolapi:CreateResource",
2022-12-08 02:25:43.771891 | controller |         "cloudcontrolapi:GetResourceRequestStatus"
2022-12-08 02:25:43.771896 | controller |     ]
2022-12-08 02:25:43.771901 | controller | }

Issue Type

CI Bug Report

CI Jobs

https://a371b139c14986d71a7a-f8d8ccb59dea8cc5da7180eb1eb9230c.ssl.cf1.rackcdn.com/31/ab51d64dee931698ffc6935cfe46c9832cb17ebd/check/ansible-test-integration-amazon-cloud/1b374e1/job-output.txt

Pull Request

#31

Additional Information

Code of Conduct

  • I agree to follow the Ansible Code of Conduct
goneri added a commit to goneri/amazon.cloud that referenced this issue Dec 8, 2022
@goneri goneri added the CI label Dec 8, 2022
softwarefactory-project-zuul bot pushed a commit that referenced this issue Dec 8, 2022
disable the iam tests until the ACL issue is resolved.

See: #32
alinabuzachis pushed a commit to alinabuzachis/amazon.cloud that referenced this issue Jan 4, 2023
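
Added example (not part of the issue or of the amazon.cloud collection's code): the task result above lists only `cloudcontrolapi:*` actions under `resource_actions`, yet the failure is an IAM 403 raised for the assumed-role session itself. The sketch below parses the `msg` string copied from that log and derives the statement the CI role lacks; the function names and the `name_glob` scoping are assumptions of this example.

```python
import re

# Copied from the "msg" and "resource_actions" fields of the failed task in the log above.
MSG = (
    "Resource request failed to reach successful state: User: arn:aws:sts::966509639900:"
    "assumed-role/ansible-core-ci-test-prod/prod=remote=zuul-cloud is not authorized to "
    "perform: iam:UploadServerCertificate on resource: arn:aws:iam::966509639900:"
    "server-certificate/example/ansible-test-96259f54ff99 because no identity-based policy "
    "allows the iam:UploadServerCertificate action (Service: Iam, Status Code: 403, "
    "Request ID: 7329c667-e030-4948-b84b-f72eb76c104b)"
)
RESOURCE_ACTIONS = ["cloudcontrolapi:GetResource", "cloudcontrolapi:CreateResource",
                    "cloudcontrolapi:GetResourceRequestStatus"]

DENIAL_RE = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>arn:\S+))?(?: because (?P<reason>[^(]+))?"
)


def parse_denial(msg, reported_actions=RESOURCE_ACTIONS):
    """Split an AWS access-denied message into principal, action, resource and reason."""
    m = DENIAL_RE.search(msg)
    if m is None:
        return None
    d = m.groupdict()
    d["reason"] = (d["reason"] or "").strip()
    # Session ARN layout: arn:PARTITION:sts::ACCOUNT:assumed-role/ROLE/SESSION
    parts = d["principal"].split(":", 5)
    if len(parts) < 6:
        return None
    kind, _, rest = parts[5].partition("/")
    d["account"] = parts[4]
    d["role"] = rest.split("/")[0] if kind == "assumed-role" else None
    # True when the module's own action list never mentions the denied action.
    d["undeclared"] = d["action"] not in reported_actions
    return d


def missing_statement(denial, name_glob="ansible-test-*"):
    """Policy statement for an implicit deny, scoped to the denied resource's path.

    name_glob is an assumption of this example; the log shows only one certificate name.
    Returns None for anything but an implicit deny, where adding an Allow would not help.
    """
    if not denial["resource"] or "no identity-based policy allows" not in denial["reason"]:
        return None
    prefix = denial["resource"].rsplit("/", 1)[0]
    return {"Effect": "Allow", "Action": [denial["action"]],
            "Resource": f"{prefix}/{name_glob}"}
```

The assumed-role ARN does not carry the role's path, so only the role name and account can be recovered from the message, not the full role ARN.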