Project

General

Profile

Actions

action #56471

closed

[kernel][publiccloud][flavor~"^GCE"] check permissions for GCE

Added by cfconrad about 5 years ago. Updated about 4 years ago.

Status:
Resolved
Priority:
High
Assignee:
Category:
Bugs in existing tests
Target version:
QE Kernel - QE Kernel Done
Start date:
2019-09-05
Due date:
% Done:

0%

Estimated time:
Difficulty:

Description

Observation

openQA test in scenario sle-12-SP5-GCE-BYOS-x86_64-publiccloud_boottime@gce_n1_standard_2 fails in
boottime

Test suite description

Test will measure boot time of SLE image inside Public Cloud providers ( Amazon,Microsoft, Google )

Reproducible

Fails since (at least) Build 0.9.1-1.8 (current job)

Expected result

Last good: 0.9.1-1.5 (or more recent)

Further details

Always latest result in this scenario: latest

Hints

We moved all departments into vault namespaces. Maybe @cfconrad made a mistake by creating qa-kernel/ namespace in vault (publiccloud.qa.suse.de)

# terraform apply -no-color myplan ; echo B~vFt-$?-
random_id.service[0]: Creating...
random_id.service[0]: Creation complete after 0s [id=pIiK4qR_r98]
google_compute_instance.openqa[0]: Creating...
Error: Error waiting for instance to create: The user does not have access to service account 'vaultopenqa-role-1567427855@suse-sle-qa.iam.gserviceaccount.com'.  User: 'vaultopenqa-role-1567427855@suse-sle-qa.iam.gserviceaccount.com'.  Ask a project owner to grant you the iam.serviceAccountUser role on the service account
on plan.tf line 59, in resource "google_compute_instance" "openqa":
59: resource "google_compute_instance" "openqa" {
B~vFt-1-
Actions #1

Updated by cfconrad about 5 years ago

  • Subject changed from [kernel][publiccloud] check credential missmatch for GCE to [kernel][publiccloud] check permissions for GCE
  • Description updated (diff)
Actions #2

Updated by cfconrad about 5 years ago

Add roles/iam.serviceAccountUser to qa-kernel/gcp/roleset/openqa-role

vault write qa-kernel/gcp/roleset/openqa-role \
project="suse-sle-qa"   \
secret_type="service_account_key"   \
bindings=-<<EOF
resource "//cloudresourcemanager.googleapis.com/projects/suse-sle-qa" {
     roles = ["roles/viewer", "roles/compute.admin", "roles/storage.objectCreator", "roles/iam.serviceAccountUser"]
}
EOF

Triggered all GCE jobs again: https://openqa.suse.de/tests/overview?distri=sle&version=12-SP5&build=0.9.1-1.8&groupid=210

Actions #4

Updated by cfconrad about 5 years ago

  • Status changed from New to Feedback
Actions #5

Updated by cfconrad about 5 years ago

  • Status changed from Feedback to Resolved
Actions #6

Updated by cfconrad about 5 years ago

  • Subject changed from [kernel][publiccloud] check permissions for GCE to [kernel][publiccloud][flavor~"^GCE"] check permissions for GCE
Actions #7

Updated by jlausuch about 5 years ago

  • Target version changed from 445 to 457
Actions #8

Updated by pcervinka about 4 years ago

  • Target version changed from 457 to QE Kernel Done
Actions

Also available in: Atom PDF