[Bug]: Unable to Update ServiceAccountIAMMember #518

Open
1 task done
brais-real-edo opened this issue Apr 29, 2024 · 2 comments

brais-real-edo commented Apr 29, 2024

Is there an existing issue for this?

  • I have searched the existing issues

Affected Resource(s)

cloudplatform.gcp.upbound.io/v1beta1 - ServiceAccountIAMMember

Resource MRs required to reproduce the bug

No response

Steps to Reproduce

Apply this manifest:

apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: ServiceAccountIAMMember
metadata:
  labels:
   ....
  name: ....
spec:
  forProvider:
    member: 'serviceAccount:project.svc.id.goog[ns/ksa1]'
    role: roles/iam.workloadIdentityUser
    serviceAccountIdSelector:
      matchLabels:
        ....
  providerConfigRef:
    name: ...

The resource is created correctly.
Once it is created, apply an updated version of the same resource, changing spec.forProvider.member:

apiVersion: cloudplatform.gcp.upbound.io/v1beta1
kind: ServiceAccountIAMMember
metadata:
  labels:
   ....
  name: ....
spec:
  forProvider:
    member: 'serviceAccount:project.svc.id.goog[ns/ksa2]'
    role: roles/iam.workloadIdentityUser
    serviceAccountIdSelector:
      matchLabels:
        ....
  providerConfigRef:
    name: ... 

What happened?

Object isn't updated and shows the following error in Status:

 conditions:
    - lastTransitionTime: '2024-04-29T17:01:55Z'
      message: >-
        update failed: async update failed: refuse to update the external
        resource because the following update requires replacing it: cannot
        change the value of the argument "member" from
        "serviceAccount:project.svc.id.goog[ns/ksa1]" to
        "serviceAccount:project.svc.id.goog[ns/ksa2]"
      reason: ReconcileError
      status: 'False'
      type: Synced
    - lastTransitionTime: '2024-04-29T16:52:36Z'
      reason: Available
      status: 'True'
      type: Ready
    - lastTransitionTime: '2024-04-29T17:01:55Z'
      message: >-
        async update failed: refuse to update the external resource because the
        following update requires replacing it: cannot change the value of the
        argument "member" from
        "serviceAccount:project.svc.id.goog[ns/ksa1]" to
        "serviceAccount:project.svc.id.goog[ns/ksa2]"
      reason: AsyncUpdateFailure
      status: 'False'
      type: LastAsyncOperation

Relevant Error Output Snippet

Now, if we try to delete the resource, we get a 404:

conditions:
    - lastTransitionTime: '2024-04-29T15:48:11Z'
      message: >-
        delete failed: async delete failed: failed to delete the resource: [{0
        Error retrieving IAM policy for service account '': googleapi: got HTTP
        response code 404 with body: <!DOCTYPE html>

        <html lang=en>
          <meta charset=utf-8>
          <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
          <title>Error 404 (Not Found)!!1</title>
          <style>
            *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
          </style>
          <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
          <p><b>404.</b> <ins>That’s an error.</ins>
          <p>The requested URL <code>/v1/:getIamPolicy?alt=json&amp;options.requestedPolicyVersion=3&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>
          []}]
      reason: ReconcileError
      status: 'False'
      type: Synced
    - lastTransitionTime: '2024-04-29T17:08:01Z'
      reason: Deleting
      status: 'False'
      type: Ready
    - lastTransitionTime: '2024-04-29T15:48:11Z'
      message: >-
        async delete failed: failed to delete the resource: [{0 Error retrieving
        IAM policy for service account '': googleapi: got HTTP response code 404
        with body: <!DOCTYPE html>

        <html lang=en>
          <meta charset=utf-8>
          <meta name=viewport content="initial-scale=1, minimum-scale=1, width=device-width">
          <title>Error 404 (Not Found)!!1</title>
          <style>
            *{margin:0;padding:0}html,code{font:15px/22px arial,sans-serif}html{background:#fff;color:#222;padding:15px}body{margin:7% auto 0;max-width:390px;min-height:180px;padding:30px 0 15px}* > body{background:url(//www.google.com/images/errors/robot.png) 100% 5px no-repeat;padding-right:205px}p{margin:11px 0 22px;overflow:hidden}ins{color:#777;text-decoration:none}a img{border:0}@media screen and (max-width:772px){body{background:none;margin-top:0;max-width:none;padding-right:0}}#logo{background:url(//www.google.com/images/branding/googlelogo/1x/googlelogo_color_150x54dp.png) no-repeat;margin-left:-5px}@media only screen and (min-resolution:192dpi){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat 0% 0%/100% 100%;-moz-border-image:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) 0}}@media only screen and (-webkit-min-device-pixel-ratio:2){#logo{background:url(//www.google.com/images/branding/googlelogo/2x/googlelogo_color_150x54dp.png) no-repeat;-webkit-background-size:100% 100%}}#logo{display:inline-block;height:54px;width:150px}
          </style>
          <a href=//www.google.com/><span id=logo aria-label=Google></span></a>
          <p><b>404.</b> <ins>That’s an error.</ins>
          <p>The requested URL <code>/v1/:getIamPolicy?alt=json&amp;options.requestedPolicyVersion=3&amp;prettyPrint=false</code> was not found on this server.  <ins>That’s all we know.</ins>
          []}]

Before trying to update it, the object could be removed successfully.

Crossplane Version

1.15.0

Provider Version

1.1.0

Kubernetes Version

Client Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.12", GitCommit:"12031002905c0410706974560cbdf2dad9278919", GitTreeState:"clean", BuildDate:"2024-03-15T02:15:31Z", GoVersion:"go1.21.8", Compiler:"gc", Platform:"linux/amd64"}
Kustomize Version: v5.0.1
Server Version: version.Info{Major:"1", Minor:"27", GitVersion:"v1.27.11-gke.1062000", GitCommit:"d08e2b8d118069b27c15a6a241af87c9bbba7fdc", GitTreeState:"clean", BuildDate:"2024-02-26T09:17:18Z", GoVersion:"go1.21.7 X:boringcrypto", Compiler:"gc", Platform:"linux/amd64"}

Kubernetes Distribution

GKE

Additional Info

No response

@brais-real-edo brais-real-edo added bug Something isn't working needs:triage labels Apr 29, 2024
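
An added example, not part of the original issue or the provider's code: a small Python triage helper that reads `status.conditions` entries like the ones quoted in the report and extracts which argument the provider refused to change and between which values, plus the delete failure where the service account id in the error is empty. The `CONDITIONS` sample is constructed from the messages in the issue (HTML body shortened); the function name `triage` and the finding keys are assumptions.

```python
import re

# Constructed sample: condition entries shaped like the status blocks quoted in
# the issue (the 404 HTML body is shortened; member values are from the issue).
CONDITIONS = [
    {"type": "Synced", "status": "False", "reason": "ReconcileError",
     "message": 'update failed: async update failed: refuse to update the external '
                'resource because the following update requires replacing it: cannot '
                'change the value of the argument "member" from '
                '"serviceAccount:project.svc.id.goog[ns/ksa1]" to '
                '"serviceAccount:project.svc.id.goog[ns/ksa2]"'},
    {"type": "Ready", "status": "True", "reason": "Available"},
    {"type": "Synced", "status": "False", "reason": "ReconcileError",
     "message": "delete failed: async delete failed: failed to delete the resource: "
                "[{0 Error retrieving IAM policy for service account '': googleapi: "
                "got HTTP response code 404 with body: <!DOCTYPE html> ..."},
]

# Update refused because the argument can only change by replacing the resource.
REPLACE_RE = re.compile(
    r'requires replacing it: cannot\s+change the value of the argument\s+"([^"]+)"\s+'
    r'from\s+"([^"]*)"\s+to\s+"([^"]*)"')
# Delete attempted with an empty service account id in the error text.
EMPTY_SA_RE = re.compile(r"IAM policy for service account\s+''")


def triage(conditions):
    """Return one finding per failed condition that matches a known pattern."""
    findings = []
    for cond in conditions:
        if cond.get("status") != "False":
            continue
        # Collapse whitespace so YAML-folded ('>-') messages match as one line.
        msg = " ".join(cond.get("message", "").split())
        match = REPLACE_RE.search(msg)
        if match:
            arg, current, requested = match.groups()
            findings.append({"kind": "replace-required", "argument": arg,
                             "current": current, "requested": requested})
        elif EMPTY_SA_RE.search(msg):
            findings.append({"kind": "empty-service-account-id"})
    return findings


if __name__ == "__main__":
    for finding in triage(CONDITIONS):
        print(finding)
```

For an IAM binding, a `replace-required` finding means the status reports the external resource still carries the `current` member, so the manifest and the effective grant disagree while the error persists.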

This provider repo does not have enough maintainers to address every issue. Since there has been no activity in the last 90 days it is now marked as stale. It will be closed in 14 days if no further activity occurs. Leaving a comment starting with /fresh will mark this issue as not stale.

@github-actions github-actions bot added the stale label Jul 29, 2024
@brais-real-edo
Author

/fresh

@github-actions github-actions bot removed the stale label Jul 30, 2024