Bug #17590
closed
[configuration] EC2 credentials variables are not consistently named in the /etc/arvados/config.yml file
Description
When setting up a new cluster in AWS I noticed the credentials variables for the Containers:CloudVMs:DriverParameters and Volumes:<volume>:DriverParameters sections are named inconsistently. This leads to involuntary, hard to debug, errors when creating the new config:
Containers:
CloudVMs:
Driver: ec2
DriverParameters:
AccessKeyID: AKIA...5
SecretAccessKey: 5x...MV
Volumes:
<cluster>-nyw5e-0000000000000000:
DriverParameters:
AccessKey: AKIA...5
SecretKey: 5x...MV
The names of these variables should be consistent across the file.
Updated by Peter Amstutz over 3 years ago
- Target version changed from 2021-04-28 bughunt sprint to 2021-05-12 sprint
Updated by Tom Clegg over 3 years ago
17590-ec2-config-keys @ b44a05493cba8cc40c81fc487cbea5ba33662d3c -- developer-run-tests: #2456
Updated by Tom Clegg over 3 years ago
17590-ec2-config-keys @ cef860fc944f66b4b52aa2ea6d66561944a7c065 -- developer-run-tests: #2459
Updated by Ward Vandewege over 3 years ago
Tom Clegg wrote:
17590-ec2-config-keys @ cef860fc944f66b4b52aa2ea6d66561944a7c065 -- developer-run-tests: #2459
- I think specifying the new keys while keeping the old ones around should be an error.
- Can you add a note to the upgrade guide?
- The config-check command says "deprecated or unknown config entry" but it sure would be nice if that could also give the hing that they were simply renamed. Does it only do that when Keepstore starts perhaps? This is what I see on tordo:
tordo:~# ./arvados-server config-check time="2021-05-07T13:52:12Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.API.RailsSessionSecretToken" time="2021-05-07T13:52:12Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.Volumes.tordo-nyw5e-000000000000000.DriverParameters.SecretKey" time="2021-05-07T13:52:12Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.Volumes.tordo-nyw5e-000000000000000.DriverParameters.AccessKey"
Otherwise, LGTM, thanks!
Updated by Tom Clegg over 3 years ago
Oops, it turns out the logs were unhelpful because the migration code wasn't running at all -- it was looking for driver=s3 (as spelled in the example config file) instead of driver=S3 (the spelling that actually works to select the S3 driver). With that fixed (in both migration and example config), config-check does this on tordo:
Your configuration is relying on deprecated entries. Suggest making the following changes.
--- without-deprecated-configs
+++ relying-on-deprecated-configs
@@ -495,10 +495,10 @@
ReadOnly: false
Driver: S3
DriverParameters:
- AccessKey: AAAAAAAAAAAAAAAAAAAA
+ AccessKeyID: AAAAAAAAAAAAAAAAAAAA
Bucket: tordo-nyw5e-000000000000000-volume
Region: us-east-1
- SecretKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
+ SecretAccessKey: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
ReadOnly: false
Replication: 2
StorageClasses: null
time="2021-05-07T14:19:53Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.Volumes.tordo-nyw5e-000000000000000.DriverParameters.SecretKey"
time="2021-05-07T14:19:53Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.Volumes.tordo-nyw5e-000000000000000.DriverParameters.AccessKey"
time="2021-05-07T14:19:53Z" level=warning msg="deprecated or unknown config entry: Clusters.tordo.API.RailsSessionSecretToken"
time="2021-05-07T14:19:53Z" level=warning msg="using your old config keys tordo.Volumes.tordo-nyw5e-000000000000000.DriverParameters.AccessKey/SecretKey -- but you should rename them to AccessKeyID/SecretAccessKey"
Also made it an error to supply both old and new config keys, and added a note to the "upgrading" doc page.
17590-ec2-config-keys @ 659fa8bfd2f9820a9b7f955e9e9e63a1cc4275a1 -- developer-run-tests: #2463
Updated by Ward Vandewege over 3 years ago
17590-ec2-config-keys @ 659fa8bfd2f9820a9b7f955e9e9e63a1cc4275a1 -- developer-run-tests: #2463
LGTM, thanks!
Updated by Tom Clegg over 3 years ago
- % Done changed from 0 to 100
- Status changed from In Progress to Resolved
Applied in changeset arvados|19f96717d0a7f26c28f8e5c61417c4246cfcffe1.