Oracle Cloud Infrastructure – Housekeeping, a story about pre-authenticated Object Storage URLs

The year 2022 was ending, time for housekeeping the Oracle Cloud Infrastructure account. There was an old IAM account in the list, containing the “old” company name, and nobody knew what this account was used for. So, we removed it. Some hours later I got a message: Pls can you look; we are not able to run OCI Resource Manager Stacks to ramp up training environments …

Cannot load package. The URL might not be valid. Contact the package author.

The error in the Resource Manager was clear: “Cannot load package. The URL might not be valid. Contact the package author.”

Background Information

Our training department provides training setups based on Terraform scripts which are stored as a compressed file in the OCI Object Storage. The URL is provided by a Pre-Authenticated Request. The OCI Resource Manager gets the compressed file, extracts it, and runs the Terraform jobs. Depending on the training and the number of participants, all Oracle Cloud Infrastructure resources like VCN, Compute Instances, Block Volumes etc. are provisioned fully automatically. We use this method for all our Oracle-based trainings available on https://www.trivadis-training.com.

Let’s check the Pre-Authenticated Request

Expiration Date

First, I checked if the request was still valid and not expired. As you can see here, the expiration date for the file is set to 2050. This is not the issue.

URL Direct Access

As this is a pre-authenticated URL, it should be available in a browser. Here we get the message that the bucket does not exist or we are not authorized. But the bucket exists and the expiration date is ok. There must be an issue with the authorization.

Speed Reading on docs.oracle.com is not a good Idea

The next step was to check the documentation: https://docs.oracle.com/en-us/iaas/Content/Object/Tasks/usingpreauthenticatedrequests.htm. Credits to Mishra from My Oracle Support, who pointed me to the right section in the document. Maybe it was too late or I was blind, so I jumped over this box and didn’t see the message – or ignored it. And don’t ask me why 😉

A short check (creating a new IAM user, creating a pre-authenticated request with it, and deleting the user afterwards) confirmed the section in the manual. The URL was no longer reachable.
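A way to find which pre-authenticated URLs stop answering after an IAM change, as an added example that is not part of the original post: it probes a list of PAR URLs before and after the change and reports the ones that broke, with the secret token stripped from the output. The URL inventory, the function names, the sample values and the 404 status in the demo are assumptions.

```python
import re
import urllib.error
import urllib.request

# PAR URL layout:
# https://objectstorage.<region>.oraclecloud.com/p/<token>/n/<namespace>/b/<bucket>/o/<object>
PAR_RE = re.compile(
    r"^https://objectstorage\.(?P<region>[a-z0-9-]+)\.oraclecloud\.com"
    r"/p/(?P<token>[^/]+)/n/(?P<ns>[^/]+)/b/(?P<bucket>[^/]+)/o/(?P<obj>.+)$"
)

def redact(url):
    """Describe a PAR URL without its token; the token alone grants access."""
    m = PAR_RE.match(url)
    if not m:
        return "<not a PAR URL>"
    return "{region}:{ns}/{bucket}/{obj}".format(**m.groupdict())

def http_status(url, timeout=10):
    """GET the URL without reading the body; return the status (0 = no answer)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code
    except OSError:
        return 0

def snapshot(urls, probe=http_status):
    """Map every URL to the status code it currently returns."""
    return {url: probe(url) for url in urls}

def newly_broken(before, after):
    """Redacted names of PARs that returned 200 before and no longer do."""
    return sorted(redact(u) for u, s in before.items()
                  if s == 200 and after.get(u) != 200)

if __name__ == "__main__":
    # Constructed inventory and responses; no network access in this demo.
    base = "https://objectstorage.eu-zurich-1.oraclecloud.com/p/{}/n/examplens/b/training/o/{}"
    urls = [base.format("TOKEN_A", "stack-a.zip"), base.format("TOKEN_B", "stack-b.zip")]
    before = snapshot(urls, probe=lambda u: 200)
    # Assumed: the PAR created by the removed user now answers 404.
    after = snapshot(urls, probe=lambda u: 404 if "TOKEN_B" in u else 200)
    for name in newly_broken(before, after):
        print("re-create PAR and update stack:", name)
```

With the default probe, `snapshot()` takes the PAR URLs referenced by the Resource Manager stacks; keep the "before" result until the housekeeping is done.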

Summary

To do housekeeping in an Oracle Cloud Infrastructure tenancy is a clever idea. But take care when removing IAM users if you want to avoid side effects. In our case we must create all pre-authenticated requests again and update the stack information, a lot of work. Lesson learned? Do not delete users in IAM at the end of the year, even when nobody knows the user…

Unfortunately, there is actually no chance to see who has created the Pre-Authenticated Request, neither in the web console nor by OCI-CLI. No chance for tagging. Time for an Enhancement Request?

And read the docs faithfully…