Show all errors from AWS authorization step

Now users will always have a slightly more informative message explaning
what went wrong.

app/assets/javascripts/create_cluster/eks_cluster/store/actions.js

@@ -44,7 +44,7 @@ export const createRole = ({ dispatch, state: { createRolePath } }, payload) =>
     })
     .catch(error => {
       let message = error;
-      if (error.response && error.response.data && error.response.data.message) {
+      if (error?.response?.data?.message) {
         message = error.response.data.message;
       }
       dispatch('createRoleError', { error: message });

app/services/clusters/aws/authorize_role_service.rb

@@ -51,10 +51,20 @@ module Clusters
       def response_details(exception)
         message =
           case exception
+          when ::Aws::STS::Errors::AccessDenied
+            _("Access denied: %{error}") % { error: exception.message }
+          when ::Aws::STS::Errors::ServiceError
+            _("AWS service error: %{error}") % { error: exception.message }
+          when ActiveRecord::RecordNotFound
+            _("Error: Unable to find AWS role for current user")
           when ActiveRecord::RecordInvalid
             exception.message
-          when ::Aws::STS::Errors::AccessDenied
-            "Access denied: #{exception.message}"
+          when Clusters::Aws::FetchCredentialsService::MissingRoleError
+            _("Error: No AWS provision role found for user")
+          when ::Aws::Errors::MissingCredentialsError
+            _("Error: No AWS credentials were supplied")
+          else
+            _('An error occurred while authorizing your role')
           end
 
         { message: message }.compact

locale/gitlab.pot

@@ -1334,6 +1334,9 @@ msgstr ""
 msgid "AWS Secret Access Key.  Only required if not using role instance credentials"
 msgstr ""
 
+msgid "AWS service error: %{error}"
+msgstr ""
+
 msgid "Abort"
 msgstr ""
 
@@ -1373,6 +1376,9 @@ msgstr ""
 msgid "Access denied! Please verify you can add deploy keys to this repository."
 msgstr ""
 
+msgid "Access denied: %{error}"
+msgstr ""
+
 msgid "Access expiration date"
 msgstr ""
 
@@ -3042,6 +3048,9 @@ msgstr ""
 msgid "An error occurred while adding formatted title for epic"
 msgstr ""
 
+msgid "An error occurred while authorizing your role"
+msgstr ""
+
 msgid "An error occurred while checking group path. Please refresh and try again."
 msgstr ""
 
@@ -11094,9 +11103,18 @@ msgstr ""
 msgid "Error: %{error_message}"
 msgstr ""
 
+msgid "Error: No AWS credentials were supplied"
+msgstr ""
+
+msgid "Error: No AWS provision role found for user"
+msgstr ""
+
 msgid "Error: Unable to create deploy freeze"
 msgstr ""
 
+msgid "Error: Unable to find AWS role for current user"
+msgstr ""
+
 msgid "ErrorTracking|Active"
 msgstr ""
 

spec/frontend/create_cluster/eks_cluster/store/actions_spec.js

@@ -186,7 +186,7 @@ describe('EKS Cluster Store Actions', () => {
             role_external_id: payload.externalId,
             region: DEFAULT_REGION,
           })
-          .reply(400, error);
+          .reply(400, null);
       });
 
       it('dispatches createRoleError action', () =>
@@ -195,16 +195,11 @@ describe('EKS Cluster Store Actions', () => {
           payload,
           state,
           [],
-          [
-            { type: 'requestCreateRole' },
-            { type: 'createRoleError', payload: { error: 'Request failed with status code 400' } },
-          ],
+          [{ type: 'requestCreateRole' }, { type: 'createRoleError', payload: { error } }],
         ));
     });
 
     describe('when request fails with a message', () => {
-      let error;
-
       beforeEach(() => {
         const errResp = { message: 'Something failed' };
 

spec/services/clusters/aws/authorize_role_service_spec.rb

@@ -37,12 +37,10 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
   end
 
   context 'errors' do
-    let(:body) { {} }
-
     shared_examples 'bad request' do
       it 'returns an empty hash' do
         expect(subject.status).to eq(:unprocessable_entity)
-        expect(subject.body).to eq(body)
+        expect(subject.body).to eq({ message: message })
       end
 
       it 'logs the error' do
@@ -54,13 +52,14 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
 
     context 'role does not exist' do
       let(:user) { create(:user) }
+      let(:message) { 'Error: Unable to find AWS role for current user' }
 
       include_examples 'bad request'
     end
 
     context 'supplied ARN is invalid' do
       let(:role_arn) { 'invalid' }
-      let(:body) { { message: 'Validation failed: Role arn must be a valid Amazon Resource Name' } }
+      let(:message) { 'Validation failed: Role arn must be a valid Amazon Resource Name' }
 
       include_examples 'bad request'
     end
@@ -72,26 +71,29 @@ RSpec.describe Clusters::Aws::AuthorizeRoleService do
 
       context 'error fetching credentials' do
         let(:error) { Aws::STS::Errors::ServiceError.new(nil, 'error message') }
+        let(:message) { 'AWS service error: error message' }
 
         include_examples 'bad request'
       end
 
       context 'error in assuming role' do
-        let(:message) { "User foo is not authorized to perform: sts:AssumeRole on resource bar" }
-        let(:error) { Aws::STS::Errors::AccessDenied.new(nil, message) }
-        let(:body) { { message: "Access denied: #{message}" } }
+        let(:raw_message) { "User foo is not authorized to perform: sts:AssumeRole on resource bar" }
+        let(:error) { Aws::STS::Errors::AccessDenied.new(nil, raw_message) }
+        let(:message) { "Access denied: #{raw_message}" }
 
         include_examples 'bad request'
       end
 
       context 'credentials not configured' do
         let(:error) { Aws::Errors::MissingCredentialsError.new('error message') }
+        let(:message) { "Error: No AWS credentials were supplied" }
 
         include_examples 'bad request'
       end
 
       context 'role not configured' do
         let(:error) { Clusters::Aws::FetchCredentialsService::MissingRoleError.new('error message') }
+        let(:message) { "Error: No AWS provision role found for user" }
 
         include_examples 'bad request'
       end