OCM-24429 | feat: Updated rosa list ocm-role to display console access

[robpblake]

Adds to the output of rosa list ocm-role a field that allows customers to see if the OCM Role they have configured has the no-console profile.

Example output

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           No

PR Summary

This PR updates the rosa list ocm-role command to show if the OCM Role the customer has configured has can be used to deploy clusters via console.redhat.com. This field is captured via the CONSOLE ACCESS column in the output, which displays No if the user has a --no-console version of the OCM Role configured, and yes otherwise

Examples of the various forms of role showing in the output:

Admin Profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      Yes    No           Yes

Standard Profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           Yes

No Console profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           No

Related Issues and PRs

• Jira: https://redhat.atlassian.net/browse/OCM-24429
• Related design/docs: https://github.com/openshift-online/rosa-enhancements/pull/50/changes

Type of Change

• feat - adds a new user-facing capability.
• fix - resolves an incorrect behavior or bug.
• docs - updates documentation only.
• style - formatting or naming changes with no logic impact.
• refactor - code restructuring with no behavior change.
• test - adds or updates tests only.
• chore - maintenance work (tooling, housekeeping, non-product code).
• build - changes build system, packaging, or dependencies for build output.
• ci - changes CI pipelines, jobs, or automation workflows.
• perf - improves performance without changing intended behavior.

Previous Behavior

Prior to this behavior, there was no column indicating if the OCM Role had console access

Behavior After This Change

The column is now present if the user has configured a no-console OCM Role

How to Test (Step-by-Step)

The easiest way to test is to manually apply Tags to your IAM role for the OCM Role.

Test Steps

1. Tag an existing OCM Role with rosa_no_console_role:true. Run rosa list ocm-role and see that the CONSOLE ACCESS column displays No
2. Remove the rosa_no_console_role tag from the OCM Role. Run rosa list ocm-role again and see that the CONSOLE_ACCESS column displays Yes

Expected Results

Described above

Proof of the Fix

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           No

PR Summary

This PR updates the rosa list ocm-role command to show if the OCM Role the customer has configured has can be used to deploy clusters via console.redhat.com. This field is captured via the CONSOLE ACCESS column in the output, which displays No if the user has a --no-console version of the OCM Role configured, and yes otherwise

Examples of the various forms of role showing in the output:

Admin Profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      Yes    No           Yes

Standard Profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           Yes

No Console profile:

rblake@rblake-mac rosa % rosa list ocm-role
I: Fetching ocm roles
ROLE NAME                                 ROLE ARN                                                                      LINKED  ADMIN  AWS Managed  CONSOLE ACCESS
rblake-OCM-Role-123456789                  arn:aws:iam::123456789:role/rblake-OCM-Role-123456789                       No      No     No           No

Additionally, JSON output for various commands where the internal struct is deserialized:

# OCM Role
rblake@rblake-mac rosa % rosa list ocm-role -o json
I: Fetching ocm roles
[
  {
    "RoleName": "ManagedOpenShift-OCM-Role-12541229",
    "RoleARN": "arn:aws:iam::765374464689:role/ManagedOpenShift-OCM-Role-12541229",
    "Linked": "Yes",
    "Admin": "Yes",
    "NoConsole": "No"
  },
  {
    "RoleName": "AG-OCM-Role-5318290",
    "RoleARN": "arn:aws:iam::765374464689:role/AG-OCM-Role-5318290",
    "Linked": "No",
    "Admin": "No",
    "NoConsole": "No"
  },

# User Role

rblake@rblake-mac rosa % rosa list user-role -o json
I: Fetching user roles
[
  {
    "RoleName": "ManagedOpenShift-User-ocmqe-aaraj-Role",
    "RoleARN": "arn:aws:iam::765374464689:role/ManagedOpenShift-User-ocmqe-aaraj-Role",
    "Linked": "No"
  }
]

# Account Roles
rblake@rblake-mac rosa % rosa list account-role -o json
I: Fetching account roles
[
  {
    "RoleType": "Installer",
    "Version": "4.13",
    "RoleName": "CSE2ETests-HCP-ROSA-Installer-Role",
    "RoleARN": "arn:aws:iam::765374464689:role/CSE2ETests-HCP-ROSA-Installer-Role",
    "ManagedPolicy": true
  },

Breaking Changes

• No breaking changes
• Yes, this PR introduces a breaking change (describe impact and migration plan below)

Breaking Change Details / Migration Plan

Developer Verification Checklist

• [X ] Commit subject/title follows [JIRA-TICKET] | [TYPE]: <MESSAGE>.
• PR description clearly explains both what changed and why.
• Relevant Jira/GitHub issues and related PRs are linked.
• make install-hooks has been run in this clone.
• Tests were added/updated where appropriate.
• I manually tested the change.
• make test passes.
• make lint passes.
• make rosa passes.
• Documentation or repo-local agent guidance was added/updated where appropriate.
• Any risk, limitation, or follow-up work is documented.

Summary by CodeRabbit

• New Features
  • Expanded OCM roles listing with a new CONSOLE ACCESS column, clearer AWS-managed/linked indicators, and improved ordering so linked roles appear first; roles marked as no-console now show as having no console access and are treated as non-admin in the listing.
• Tests
  • Added comprehensive tests for the OCM roles command covering table formatting, console-access logic, role enrichment and ordering, and API/error scenarios.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

This PR adds a NoConsole role tag key and a NoConsole field on aws.Role with RoleYes/RoleNo constants, updates ListOCMRoles to read the no_console_role tag (forcing Admin=No when set) and uses the constants in sorting, refactors the rosa list ocm-roles rendering into printOCMRoles(writer, roles) to add a CONSOLE ACCESS column and use output.Yes/output.No, and adds Ginkgo tests for formatting and ListOCMRoles enrichment and sorting.

🚥 Pre-merge checks | ✅ 13 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Docstring Coverage	⚠️ Warning	Docstring coverage is 0.00% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.
Test Structure And Quality	⚠️ Warning	Assertions lack meaningful failure messages: Expect(err).ToNot(HaveOccurred()) at lines 170, 219 and Expect(err).To(HaveOccurred()) at line 177 omit diagnostic context per check requirement #4.	Add failure messages to error assertions like: Expect(err).ToNot(HaveOccurred(), "failed to list OCM roles") to aid diagnosis when tests fail.

✅ Passed checks (13 passed)

Check name	Status	Explanation
Title check	✅ Passed	The PR title clearly indicates the main change: adding console access display to the rosa list ocm-role command, matching the primary objective.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names in cmd_test.go are static, descriptive strings with no dynamic values, generated suffixes, timestamps, UUIDs, or variable interpolation.
Microshift Test Compatibility	✅ Passed	The PR adds Ginkgo unit tests for the ROSA CLI tool, not e2e tests against OpenShift clusters. No Kubernetes or unavailable OpenShift APIs are used or mocked.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	The new Ginkgo tests added are CLI unit/integration tests for the rosa tool, not OpenShift e2e tests. They don't interact with cluster topology or make multi-node assumptions.
Topology-Aware Scheduling Compatibility	✅ Passed	PR modifies only CLI command code and AWS integration logic; no deployment manifests, operators, or Kubernetes scheduling constraints are introduced.
Ote Binary Stdout Contract	✅ Passed	This is the ROSA CLI tool, not an OTE binary. The stdout writes are appropriate for a CLI command. Tests use buffers instead of stdout, maintaining isolation.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	The new Ginkgo tests in cmd/list/ocmroles/cmd_test.go are unit tests (not e2e), located outside tests/e2e/, with mocked AWS clients and ghttp servers—no IPv4 assumptions or external connectivity.
No-Weak-Crypto	✅ Passed	No weak crypto (MD5/SHA1/DES/RC4/3DES/Blowfish/ECB), custom crypto implementations, or non-constant-time secret comparisons found. PR only adds UI column and role metadata fields.
Container-Privileges	✅ Passed	PR changes are Go source code only; no container/K8s manifests or Dockerfile modifications present, so the privileged container check is not applicable.
No-Sensitive-Data-In-Logs	✅ Passed	PR contains no new logging of sensitive data; only displays public role metadata (RoleName, RoleARN, status flags) and generic error messages.
Description check	✅ Passed	The PR description covers most required sections including PR summary, detailed issue description, related issues, type of change, previous/new behavior, test steps, and proof of fix.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 1

🧹 Nitpick comments (1)

cmd/list/ocmroles/cmd_test.go (1)

62-121: ⚡ Quick win

Tighten column-specific assertions for printOCMRoles.

Current checks for "Yes"/"No" are ambiguous and can pass from other columns, which weakens verification of CONSOLE ACCESS.

Suggested assertion pattern

+import "strings"
...
- dataLine := string(lines[1])
- Expect(dataLine).To(ContainSubstring("No"))
+ cols := strings.Split(string(lines[1]), "\t")
+ Expect(cols).To(HaveLen(6))
+ Expect(cols[5]).To(Equal("No"))

As per coding guidelines **/*_test.go: Flag weak tests that only restate implementation or changes that weaken existing assertions.

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/list/ocmroles/cmd_test.go` around lines 62 - 121, Tests for printOCMRoles
assert presence of "Yes"/"No" globally which can match other columns; update the
three specs ("Shows No in CONSOLE ACCESS when NoConsole is true", "Shows Yes in
CONSOLE ACCESS when NoConsole is false", and "Shows AWS Managed correctly") to
assert the CONSOLE ACCESS column specifically by parsing the printed table row
into columns (e.g., split dataLine on the same delimiter printOCMRoles uses or
use a regex capturing columns) and then compare the exact column value for
console access (and similarly the Managed column), referencing printOCMRoles,
the lines slice and dataLine variables to locate where to change assertions.

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/list/ocmroles/cmd.go`:
- Around line 95-97: The call to writer.Flush() in cmd/list/ocmroles/cmd.go
ignores its returned error; update the code after printOCMRoles(writer,
ocmRoles) to capture the error from writer.Flush(), and if non-nil report it via
the package's reporter (e.g., reporter.Errorf or reporter.Error) with a clear
message including the error, then exit with the same behavior used elsewhere in
this package (os.Exit(1) or the established exit helper). Ensure you reference
the same reporter and exit pattern used by nearby commands so handling is
consistent with printOCMRoles and other cmd/*.go files.

---

Nitpick comments:
In `@cmd/list/ocmroles/cmd_test.go`:
- Around line 62-121: Tests for printOCMRoles assert presence of "Yes"/"No"
globally which can match other columns; update the three specs ("Shows No in
CONSOLE ACCESS when NoConsole is true", "Shows Yes in CONSOLE ACCESS when
NoConsole is false", and "Shows AWS Managed correctly") to assert the CONSOLE
ACCESS column specifically by parsing the printed table row into columns (e.g.,
split dataLine on the same delimiter printOCMRoles uses or use a regex capturing
columns) and then compare the exact column value for console access (and
similarly the Managed column), referencing printOCMRoles, the lines slice and
dataLine variables to locate where to change assertions.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: 35396420-383e-4ac8-969e-a29f055b18f0

📥 Commits

Reviewing files that changed from the base of the PR and between b71fe92 and 01f4009.

📒 Files selected for processing (4)

• cmd/list/ocmroles/cmd.go
• cmd/list/ocmroles/cmd_test.go
• pkg/aws/policies.go
• pkg/aws/tags/tags.go

[coderabbitai]

⚠️ Potential issue | 🟡 Minor | ⚡ Quick win

Handle tabwriter flush errors before exiting.

writer.Flush() returns an error; currently failures are ignored, so output issues can be silently missed.

Suggested fix

 	printOCMRoles(writer, ocmRoles)
-	writer.Flush()
+	if err := writer.Flush(); err != nil {
+		r.Reporter.Errorf("Failed to flush ocm roles output: %v", err)
+		os.Exit(1)
+	}

As per coding guidelines cmd/**/*.go: Keep error handling consistent with reporter usage, exit behavior, and surrounding package messages.

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	printOCMRoles(writer, ocmRoles)
	writer.Flush()
	}
	printOCMRoles(writer, ocmRoles)
	if err := writer.Flush(); err != nil {
	r.Reporter.Errorf("Failed to flush ocm roles output: %v", err)
	os.Exit(1)
	}
	}

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/list/ocmroles/cmd.go` around lines 95 - 97, The call to writer.Flush() in
cmd/list/ocmroles/cmd.go ignores its returned error; update the code after
printOCMRoles(writer, ocmRoles) to capture the error from writer.Flush(), and if
non-nil report it via the package's reporter (e.g., reporter.Errorf or
reporter.Error) with a clear message including the error, then exit with the
same behavior used elsewhere in this package (os.Exit(1) or the established exit
helper). Ensure you reference the same reporter and exit pattern used by nearby
commands so handling is consistent with printOCMRoles and other cmd/*.go files.

[olucasfreitas]

I would leave writer.Flush() out of this PR because cmd/list/accountroles/cmd.go and the other tabwriter list commands follow the same pattern today. If we want to harden that path, it is better as a small follow-up done consistently across the command area.

[coderabbitai]

@olucasfreitas, that's a fair point — patching it in isolation here would create inconsistency rather than improve it. Deferring to a dedicated follow-up that covers all tabwriter list commands makes sense.

Would you like me to open a GitHub issue to track the hardening of writer.Flush() error handling consistently across the cmd/list/ tabwriter commands?

[amandahla]

nitpicking: would make sense changing it to a positive boolean? like console = true, has console access.

[robpblake]

@amandahla I have kept the internal structures aligned with the --no-console flag, so for example if customers run rosa list ocm-roles -o json the field there says NoConsole:Yes which I think helps keeps everything aligned and it's the pattern we have for Admin.

WDYT?

[olucasfreitas]

--no-console works fine for the input flag, but pushing NoConsole into aws.Role changes the shared output model. On this branch json.Marshal([]aws.Role{{RoleName:"example"}}) prints [{"RoleName":"example","NoConsole":""}], so every []aws.Role structured output path picks up the new field.

[coderabbitai]

Actionable comments posted: 0

[olucasfreitas]

@robpblake when you can, please fill out the PR description following our template, the team uses it to gather as much context as we can for the PR and for future testing

[olucasfreitas]

Structured output here will now emit the new NoConsole field because aws.Role is encoded directly. That leaks an internal inverted flag name instead of the console-access state the PR is trying to show.

[robpblake]

@olucasfreitas / @amandahla This is ready for your review when convenient.

cheers,

Rob

[openshift-ci]

@robpblake: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[olucasfreitas]

/approve
/lgtm
/hold

@amandahla unhold when you have taken a last look here

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: olucasfreitas, robpblake

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [olucasfreitas,robpblake]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment