OADP on ROSA fails with "NoCredentialProviders: no valid providers in chain. Deprecated."
Environment
- Red Hat OpenShift Service on AWS (ROSA) 4.11
- AWS Security Token Service (STS)
- OpenShift APIs for Data Protection (OADP)
Issue
- When trying to use the AWS Security Token Service (STS) with Red Hat OpenShift Service on AWS (ROSA) and the OpenShift APIs for Data Protection (OADP), the setup fails and the BackupStorageLocation shows the following error:

    status:
      lastValidationTime: "2023-01-18T15:19:40Z"
      message: "BackupStorageLocation \"example-1\" is unavailable: rpc error: code = Unknown desc = NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
      phase: Unavailable
- When using S3 bucket encryption, the BackupStorageLocation also shows the following error message when trying to configure STS for OADP on ROSA:

    Last Validation Time:  2023-01-24T21:57:42Z
    Message:               BackupStorageLocation "backup-dpa-1" is unavailable: rpc error: code = Unknown desc = WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403, request id: f6xxxa01-b94e-4950-ac94-xxxxxab8f26
Resolution
Disclaimer: Links contained herein to external website(s) are provided for convenience only. Red Hat has not reviewed the links and is not responsible for the content or its availability. The inclusion of any link to an external website does not imply endorsement by Red Hat of the website or their entities, products or services. You agree that Red Hat is not responsible or liable for any loss or expenses that may result due to your use of (or reliance on) the external site or content.
- Follow the (unsupported) documentation to set up OADP on a ROSA STS cluster: https://mobb.ninja/docs/misc/oadp/rosa-sts
- Make sure the kmsKeyId in the DataProtectionApplication is set:

    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: example-dpa
      namespace: example-adp
    spec:
      backupLocations:
        - bucket:
            cloudStorageRef:
              name: example-rosa-oadp
            credential:
              key: cloud
              name: cloud-credentials
            default: true
            config:
              kmsKeyId: kms-key-id
      configuration:
        velero:
          defaultPlugins:
            - openshift
            - aws
- Also, verify that the trust policy used specifies the correct AWS region (eu-central-1 in the example below):

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Federated": "arn:aws:iam::1234567890:oidc-provider/rh-oidc.s3.eu-central-1.amazonaws.com/2EXAMPLEtofEXAMPLE2ohkEXAMPLE"
          },
          "Action": "sts:AssumeRoleWithWebIdentity",
          "Condition": {
            "StringEquals": {
              "rh-oidc.s3.eu-central-1.amazonaws.com/2EXAMPLEtofEXAMPLE2ohkEXAMPLE:sub": [
                "system:serviceaccount:example-adp:openshift-adp-controller-manager",
                "system:serviceaccount:example-adp:velero"
              ]
            }
          }
        }
      ]
    }
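A small check for the trust-policy half of this resolution, added here as an example and not part of Red Hat's or OADP's own tooling: it parses an IAM trust policy and reports whether the federated principal and the `:sub` condition match the cluster's OIDC issuer and the two OADP service accounts, which is exactly what a wrong region or namespace breaks. The sample policy is constructed from the one above; the issuer value and the service-account names are assumptions taken from that policy.

```python
import json

# Constructed sample trust policy, modelled on the one shown in this article.
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::1234567890:oidc-provider/"
                      "rh-oidc.s3.eu-central-1.amazonaws.com/2EXAMPLEtofEXAMPLE2ohkEXAMPLE"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            "rh-oidc.s3.eu-central-1.amazonaws.com/2EXAMPLEtofEXAMPLE2ohkEXAMPLE:sub": [
                "system:serviceaccount:example-adp:openshift-adp-controller-manager",
                "system:serviceaccount:example-adp:velero",
            ]}},
    }],
})

# Service accounts that OADP uses to assume the role (taken from the article's policy).
OADP_SERVICE_ACCOUNTS = ("openshift-adp-controller-manager", "velero")


def check_trust_policy(policy_json, issuer_host, namespace):
    """Return problems found in the trust policy (empty = both OADP SAs may assume the role).
    issuer_host is the cluster OIDC issuer without https://, i.e. the value of
    `oc get authentication cluster -o jsonpath='{.spec.serviceAccountIssuer}'`."""
    wanted_subs = {f"system:serviceaccount:{namespace}:{sa}" for sa in OADP_SERVICE_ACCOUNTS}
    sub_key = issuer_host + ":sub"
    problems = ["no Allow statement for sts:AssumeRoleWithWebIdentity"]
    for stmt in json.loads(policy_json).get("Statement", []):
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        problems = []
        federated = stmt.get("Principal", {}).get("Federated", "")
        # A provider ARN built for the wrong region names a provider that does not exist,
        # which STS reports as "Not authorized to perform sts:AssumeRoleWithWebIdentity".
        if not federated.endswith("oidc-provider/" + issuer_host):
            problems.append(f"federated principal {federated!r} does not match issuer {issuer_host!r}")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        if sub_key not in cond:
            problems.append(f"StringEquals condition has no {sub_key!r} key")
        else:
            raw = cond[sub_key]
            missing = wanted_subs - ({raw} if isinstance(raw, str) else set(raw))
            if missing:
                problems.append("sub condition is missing " + ", ".join(sorted(missing)))
        if not problems:
            return []  # this statement alone is sufficient
    return problems  # findings from the last candidate statement, or the no-statement note
```

Feed it the output of `aws iam get-role --role-name <role> --query Role.AssumeRolePolicyDocument` (real call, output shape assumed) together with the issuer from `oc get authentication cluster` and the OADP namespace; an empty list means the policy matches, anything else names the mismatch behind the AccessDenied.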
Root Cause
- The KMS encryption key and trust policy are not set up correctly.
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.