Credential validity is not exposed

Bug #1822117 reported by Peter Matulis on 2019-03-28
6
This bug affects 1 person
Affects Status Importance Assigned to Milestone
juju
Medium
Anastasia
2.5
High
Anastasia
2.6
High
Anastasia

Bug Description

$ juju bootstrap --credential jlaurin aws

<< DEACTIVATE jlaurin IN AWS CONSOLE >>

$ juju add-machine

failed to create 1 machine
ERROR cannot add a new machine:
The provided credentials could not be validated and
may not be authorized to carry out the request.
Ensure that your account is authorized to use the Amazon EC2 service and
that you are using the correct access keys.
These keys are obtained via the "Security Credentials"
page in the AWS console.
: AWS was not able to validate the provided access credentials (AuthFailure)

<< WAIT A FEW MINUTES >>

The output to `show-model` suggests that all is well ("alive", "available"):

$ juju show-model default

default:
  name: admin/default
  short-name: default
  model-uuid: 36c3147d-8008-4625-893b-7b7b956e275b
  model-type: iaas
  controller-uuid: 2e6a0e8e-d4ec-4931-892f-9416508ae009
  controller-name: aws-us-east-1
  is-controller: false
  owner: admin
  cloud: aws
  region: us-east-1
  type: ec2
  life: alive
  status:
    current: available
    since: 8 minutes ago
  users:
    admin:
      display-name: admin
      access: admin
      last-connection: 3 minutes ago
  sla: unsupported
  agent-version: 2.5.3
  credential:
    name: jlaurin
    owner: admin
    cloud: aws

The output for commands `list-credentials`, `show-credential`, and `show-credentials` also do not show anything different (but at least they do not suggest that the credential is valid).

n.b. The output received by the failed `add-machine` command could also be improved. Suggestion:

ERROR cannot add a new machine:
The provided credential appears to be invalid.
Ensure that your account is authorised to use the Amazon EC2 service and
that you are using the correct access keys.

I don't think we should use text that is hardcoded to a vendor's web site ("Security Credentials" page).

Anastasia (anastasia-macmood) wrote :

We do not use text from vendor's web site - this is our own copy of the text :) It is the most generic information that is worth providing without giving too much away in case the access was actually malicious. I would be very reluctant to re-word.

I am surprised to see that we do not show credential validity. I am pretty sure it was added but maybe follow-up changes swallowed that?

Could you please provide the output for a model with an invalid credential for `list-credentials`, `show-credential`, and `show-credentials` as well as 'juju status --format yaml'.

summary: - Credential validity status is not exposed
+ Credential validity is not exposed
Peter Matulis (petermatulis) wrote :

> We do not use text from vendor's web site

What I meant was, the text describes a 3rd party website, which is beyond our control and can change at any time:

<< These keys are obtained via the "Security Credentials"
page in the AWS console. >>

> Could you please provide output...

https://paste.ubuntu.com/p/zrd97C7K46/

Tim Penhey (thumper) on 2019-04-02
tags: added: credentials ux
Changed in juju:
status: New → Triaged
importance: Undecided → Medium
Peter Matulis (petermatulis) wrote :

See bug 1822637 for extra context.

Anastasia (anastasia-macmood) wrote :

For 2.6, we will display in 'juju status' that model is suspended due to an invalid credential. Note that this will also mean that we'd need to check and update model status back to whatever it was before it got suspended when a credential validity is flipped back to 'valid'.

In addition, for 2.7, we will expose credential validity in 'show-model' and 'show-credential' outputs.

Changed in juju:
assignee: nobody → Anastasia (anastasia-macmood)
status: Triaged → In Progress
tags: added: usability
Anastasia (anastasia-macmood) wrote :

I have bumped it to a High since from user's perspective, there is no obvious way to determine at the moment that a model cloud credential is invalid and the model is suspended.

+1, I think that this should be something that shows in the model status
output in the same place we show "migrating/etc" as well as the show-xxx
places noted above.

On Tue, May 21, 2019 at 2:15 AM Anastasia <email address hidden>
wrote:

> I have bumped it to a High since from user's perspective, there is no
> obvious way to determine at the moment that a model cloud credential is
> invalid and the model is suspended.
>
> --
> You received this bug notification because you are subscribed to juju.
> https://bugs.launchpad.net/bugs/1822117
>
> Title:
> Credential validity is not exposed
>
> To manage notifications about this bug go to:
> https://bugs.launchpad.net/juju/+bug/1822117/+subscriptions
>

Anastasia (anastasia-macmood) wrote :

Previously linked implementation was relying on status history to revert model status once the credential becomes valid. This is unreliable and undesirable. It was closed.

New PR against 2.6 does not care for history but still achieves the same result - model looks suspended and its status gets reverted when model credential is deemed valid again: https://github.com/juju/juju/pull/10237

Anastasia (anastasia-macmood) wrote :

PR to reflect credential validity in model status and to show correct output in 'juju models' and 'juju status' against develop (heading into 2.7): https://github.com/juju/juju/pull/10249

Anastasia (anastasia-macmood) wrote :

Addition of credential validity in 'show-model' and 'show-credential' output, develop: https://github.com/juju/juju/pull/10396

Changed in juju:
milestone: none → 2.7-beta1
Changed in juju:
status: In Progress → Fix Committed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers