ROSA upgrade fails with "Forbidden access to update resource"

Solution Verified - Updated

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4.x

Issue

  • When using the ROSA CLI to perform a cluster upgrade, it fails with the following error:

    [user@ip-XX-XX-XXX-XXX ~]$ ./rosa version
    1.2.15
    Your ROSA CLI is up to date.
    
    [user@ip-XX-XX-XXX-XXX ~]$ ./rosa upgrade cluster -c xX-XxxxXXxx-Xx
    ? Version: 4.11.27
    ? IAM Roles/Policies upgrade mode: auto
    I: Ensuring account and operator role policies for cluster 'xXxxxxXxxxxxxxXxxxxxXX' are compatible with upgrade.
    I: Account roles/policies for cluster 'xXxxxxXxxxxxxxXxxxxxXX' are already up-to-date.
    I: Operator roles/policies associated with the cluster 'xXxxxxXxxxxxxxXxxxxxXX' are already up-to-date.
    I: Account and operator roles for cluster 'xXxxxxxX' are compatible with upgrade
    ? Are you sure you want to upgrade cluster to version '4.11.27'? Yes
    E: failed to check for missing gate agreements upgrade for cluster 'dl-xXxxxxxX-1d': Forbidden access to update resource 'xXxxxxXxxxxxxxXxxxxxXX'
    

Resolution

  • In order to upgrade the cluster, it is required to get the token of the cluster owner from the OpenShift Cluster Manager Console. The steps below show how to retrieve it:

    1. Go to a terminal and run the rosa login command:

       $ rosa login

    2. It will prompt you to open a web browser and go to:

       https://console.redhat.com/openshift/token/rosa

    3. If you are asked to log in, please do so.

    4. Click on the "Load token" button.

    5. Then, copy the token and paste it back into the CLI prompt and press enter. Alternatively, you can just copy the full `rosa login --token=abc####` command and paste that into the terminal, for example:

```
rosa login --token="<redacted>XXXXXXXxxxXXXXXXXxxxXXXXxxXXXxxxXXXXxxXXXxxXXXxxxxXXXxxxXX"
```

Root Cause

  • The upgrade of the cluster can only be carried out by either the cluster owner or the user who installed it. Even if other users possess cluster-admin privileges, they will encounter this problem.

Diagnostic Steps

  • To reproduce this issue, simply perform the cluster upgrade using an account that is not the owner or installer of that cluster.
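
For upgrades driven from a script or pipeline, the captured CLI output can be checked for this specific error so that an ownership problem is reported separately from other failures. The following is an added example, not Red Hat's code: the function names, the exit codes 0/1/3 and the sample text (constructed, modelled on the error line in the Issue section) are assumptions of the example.

```shell
#!/bin/sh
# Added example (not Red Hat's code): classify `rosa upgrade cluster` output.
# Exit codes 0/1/3 are this example's own convention.

# Constructed sample, modelled on the error line shown in this article.
SAMPLE_OUTPUT="I: Account and operator roles for cluster 'demo' are compatible with upgrade
E: failed to check for missing gate agreements upgrade for cluster 'demo-1d': Forbidden access to update resource 'abc123'"

# Print "<cluster> <resource-id>" for the first ownership error line in $1.
# Returns 0 if one was found, non-zero otherwise.
find_ownership_error() {
  printf '%s\n' "$1" |
    sed -n "s/^E: .* for cluster '\([^']*\)': Forbidden access to update resource '\([^']*\)'.*/\1 \2/p" |
    head -n 1 | grep .
}

# Summarise captured output in $1: 3 = ownership error, 1 = other error, 0 = clean.
explain_upgrade_failure() {
  if hit=$(find_ownership_error "$1"); then
    cluster=${hit%% *}
    resource=${hit#* }
    echo "ownership: cluster '$cluster' (resource '$resource') refused this account;" \
         "run 'rosa login' with the cluster owner's token and retry"
    return 3
  fi
  if printf '%s\n' "$1" | grep -q '^E: '; then
    echo "other: upgrade failed for a different reason; see the E: lines"
    return 1
  fi
  echo "ok: no error lines in output"
  return 0
}

# Usage: sh classify.sh captured-output.txt
if [ "$#" -ge 1 ]; then
  explain_upgrade_failure "$(cat "$1")"
fi
```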

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.