scylladb / scylla-cluster-tests

Tests for Scylla Clusters
GNU Affero General Public License v3.0

SCT does not support Okta generated credentials #6398

Open eliransin opened 1 year ago

eliransin commented 1 year ago

Use Case

We are trying to use SCT in order to automate creation of fully operational clusters for dev manual testing. However the problem is related to running any SCT test from a dev machine.

Additional Information

Currently we don't get keys and secret keys for AWS anymore, but we need to generate them through Okta. Link to the Notion procedure: https://www.notion.so/How-to-login-on-AWS-CLI-and-assume-a-role-bcc4e36042ea4ae9a76ea65e7aafe283?pvs=4

After we did so, we use something similar to this recipe in order to create the cluster: https://docs.google.com/document/d/1T6rgl4avdpLSwaoNmIpOobS_19RN66tWhJguWKyKNac/edit?usp=sharing

TL;DR we use it with creation of a new runner and assumed role keys of DeveloperAccessRole

Example

We try the following command: /docker/env/hydra.sh --execute-on-new-runner run-pytest --backend aws -c test-cases/PR-provision-test.yaml longevity_test.py::LongevityTest::test_custom_time

And we get the following error: ERROR longevity_test.py::LongevityTest::test_custom_time - botocore.exceptions.ClientError: An error occurred (AccessDenied) when calling the AssumeRole operation: User: arn:aws:sts::797456418907:assumed-role/DeveloperAccessRole/wojciech.mitros@scylladb.com is not authorized to perform: sts:AssumeRole on resource: arn:aws:iam::158855661827:role/ScyllaAMIAccessRole

Conclusion

The following command has been tried by myself and @wmitros; the difference is that I have generated credentials and not assumed role credentials. For me it worked while for @wmitros it didn't.

Priority Details

This blocks the progress on https://github.com/scylladb/scylla-enterprise/issues/3049 which is a P1 issue. I would like to request high priority on this, please.

eliransin commented 1 year ago

/cc @wmitros @mykaul @roydahan

fruch commented 1 year ago

This is the cause of the recent change of moving Scylla AMIs to different accounts.

Sending it to IT to grant AssumeRole to the Dev role.

fruch commented 1 year ago

Regardless there are two options to avoid this one:

1) run it on Jenkins job
2) take an older branch, i.e. branch-2023.1, that doesn't have the new AMI project support

eliransin commented 1 year ago

Thanks. @fruch have you already sent this request or should I? In case this is the latter, what are the roles I should ask assume permissions for? Tx

fruch commented 1 year ago

> Thanks. @fruch have you already sent this request or should I? In case this is the latter, what are the roles I should ask assume permissions for? Tx

I've sent an email to IT, you are on that mail as well
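
A small diagnostic for the AccessDenied error quoted in the issue, as an added example that is not part of the thread or of SCT: it parses the STS message and reports the identity-policy statement and the trust-policy principal an administrator would check. The account IDs and session name in the sample are constructed placeholders, and `diagnose` is a hypothetical helper name.

```python
import re

# Layout of the STS AccessDenied text as quoted in the issue above.
DENIED = re.compile(
    r"User: arn:aws:(?:sts|iam)::(?P<src_acct>\d{12}):(?P<kind>assumed-role|user)/"
    r"(?P<src_name>[\w+=,.@/-]+) is not authorized to perform: sts:AssumeRole "
    r"on resource: arn:aws:iam::(?P<dst_acct>\d{12}):role/(?P<dst_role>[\w+=,.@/-]+)"
)

# Constructed sample: placeholder account IDs and a made-up session name.
SAMPLE = ("An error occurred (AccessDenied) when calling the AssumeRole operation: "
          "User: arn:aws:sts::111111111111:assumed-role/DeveloperAccessRole/dev@example.com\n"
          "is not authorized to perform: sts:AssumeRole on resource: "
          "arn:aws:iam::222222222222:role/ScyllaAMIAccessRole")


def diagnose(message):
    """Return what an admin must check for a denied sts:AssumeRole, or None."""
    # Log wrapping may insert newlines between words; normalize whitespace first.
    m = DENIED.search(" ".join(message.split()))
    if m is None:
        return None
    kind, name = m["kind"], m["src_name"]
    if kind == "assumed-role":
        # name is "<RoleName>/<session-name>"; federated (e.g. Okta) logins land here.
        role, _, session = name.partition("/")
        # Assumption: the role has no IAM path (the assumed-role ARN omits any path).
        principal = f"arn:aws:iam::{m['src_acct']}:role/{role}"
    else:
        session = None
        principal = f"arn:aws:iam::{m['src_acct']}:user/{name}"
    target = f"arn:aws:iam::{m['dst_acct']}:role/{m['dst_role']}"
    return {
        "role_chaining": kind == "assumed-role",
        "cross_account": m["src_acct"] != m["dst_acct"],
        "session": session,
        # The caller's identity policy must allow this statement ...
        "identity_statement": {"Effect": "Allow", "Action": "sts:AssumeRole",
                               "Resource": target},
        # ... and the target role's trust policy must name this principal.
        "trust_principal": principal,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(diagnose(SAMPLE), indent=2))
```

For a cross-account target, both sides have to allow the call: the statement on the calling role and the principal in the target role's trust policy.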