ROSA Update or Upgrade failed to check for missing gate agreements upgrade for cluster Forbidden access to update resource

Solution Verified - Updated -

Environment

Red Hat OpenShift Service on AWS (ROSA)

Issue

  • When using ROSA cli to perform a cluster update/upgrade it may fail due to the following error.
[user@ip-XX-XX-XXX-XXX ~]$ ./rosa version
**1.2.15
Your ROSA CLI is up to date.**
[user@ip-XX-XX-XXX-XXX ~]$ ./rosa upgrade cluster -c xX-XxxxXXxx-Xx
? Version: 4.11.27
? IAM Roles/Policies upgrade mode: auto
I: Ensuring account and operator role policies for cluster 'xXxxxxXxxxxxxxXxxxxxXX' are compatible with upgrade.
I: Account roles/policies for cluster 'xXxxxxXxxxxxxxXxxxxxXX' are already up-to-date.
I: Operator roles/policies associated with the cluster 'xXxxxxXxxxxxxxXxxxxxXX' are already up-to-date.
I: Account and operator roles for cluster 'xXxxxxxX' are compatible with upgrade
? Are you sure you want to upgrade cluster to version '4.11.27'? Yes
**E: failed to check for missing gate agreements upgrade for cluster 'dl-xXxxxxxX-1d': Forbidden access to update resource 'xXxxxxXxxxxxxxXxxxxxXX'**
[user@ip-XX-XX-XXX-XXX ~]$ 

Error:
E: failed to check for missing gate agreements upgrade for cluster 'dl-xXxxxxxX-1d': Forbidden access to update resource 'xXxxxxXxxxxxxxXxxxxxXX'

Resolution

  • In order to upgrade the cluster we need to get the token of the cluster owner from the OpenShift Cluster Manager Console.

Steps:

  1. Enter rosa login in a terminal.
  2. It will prompt you to open a web browser and go to:
https://console.redhat.com/openshift/token/rosa
  1. If you are asked to log in, then please do.
  2. Click on the "Load token" button.
  3. Copy the token and paste it back into the CLI prompt and press enter. Alternatively, you can just copy the full rosa login --token=abc... command and paste that in the terminal.

Example:

rosa login --token="<redacted>XXXXXXXxxxXXXXXXXxxxXXXXxxXXXxxxXXXXxxXXXxxXXXxxxxXXXxxxXX"

Root Cause

The upgrade of the cluster can only be carried out by either the cluster owner or the user who installed it. Even if other users possess cluster-admin privileges, they will encounter this problem.

Diagnostic Steps

Perform the cluster upgrade and use another account who isn't the owner of that cluster.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.

Comments