Error from operator: user not authorized to access the service #174

Closed
christiemolloy opened this issue Apr 14, 2021 · 1 comment
christiemolloy commented Apr 14, 2021

When creating a Service Account today, I received this message from the operator:
"Cannot create service account Error: User not authorized to access the service."
I created a new namespace and used the API token that is always valid. I generated a new API token but that was also invalid.

@wtrocki mentioned that the issue is that you can only have 2 service accounts per user.

#162

cc: @secondsun

```yaml
apiVersion: rhoas.redhat.com/v1alpha1
kind: CloudServiceAccountRequest
metadata:
  selfLink: >-
    /apis/rhoas.redhat.com/v1alpha1/namespaces/christie-wed/cloudserviceaccountrequests/rh-cloud-services-serviceaccount-request
  resourceVersion: '4553107'
  name: rh-cloud-services-serviceaccount-request
  uid: 20cc66f7-7d72-404c-8045-204169d0a708
  creationTimestamp: '2021-04-14T17:11:40Z'
  generation: 7
  managedFields:
    - apiVersion: rhoas.redhat.com/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:metadata':
          'f:finalizers':
            .: {}
            'v:"cloudserviceaccountrequests.rhoas.redhat.com/finalizer"': {}
        'f:status':
          .: {}
          'f:conditions': {}
          'f:message': {}
          'f:serviceAccountSecretName': {}
          'f:updated': {}
      manager: okhttp
      operation: Update
      time: '2021-04-14T17:11:40Z'
    - apiVersion: rhoas.redhat.com/v1alpha1
      fieldsType: FieldsV1
      fieldsV1:
        'f:spec':
          .: {}
          'f:accessTokenSecretName': {}
          'f:serviceAccountDescription': {}
          'f:serviceAccountName': {}
          'f:serviceAccountSecretName': {}
      manager: Mozilla
      operation: Update
      time: '2021-04-14T17:19:03Z'
  namespace: christie-wed
  finalizers:
    - cloudserviceaccountrequests.rhoas.redhat.com/finalizer
spec:
  accessTokenSecretName: rh-cloud-services-api-accesstoken
  forceRefresh: '2021-04-14T17:19:03.549Z'
  serviceAccountDescription: Created by rhoas operator
  serviceAccountName: rhoas-operator-lu3z
  serviceAccountSecretName: rh-cloud-services-service-account
status:
  conditions:
    - lastTransitionGeneration: 7
      lastTransitionTime: '2021-04-14T17:19:03.605159Z'
      message: ''
      reason: ''
      status: Unknown
      type: AcccesTokenSecretValid
    - lastTransitionGeneration: 7
      lastTransitionTime: '2021-04-14T17:19:03.948205Z'
      message: User not authorized to access the service
      reason: com.openshift.cloud.ApiException
      status: 'False'
      type: ServiceAccountCreated
    - lastTransitionGeneration: 7
      lastTransitionTime: '2021-04-14T17:19:03.605301Z'
      message: ''
      reason: ''
      status: Unknown
      type: ServiceAccountSecretCreated
    - lastTransitionGeneration: 7
      lastTransitionTime: '2021-04-14T17:19:03.948245Z'
      message: User not authorized to access the service
      reason: com.openshift.cloud.ApiException
      status: 'False'
      type: Finished
  message: ''
  serviceAccountSecretName: ''
  updated: ''
```
Collaborator

wtrocki commented Apr 14, 2021

In the backend we have reused the 403 status for the limit of 2 instances. We need to find the actual error in the logs (operator logs) and use string.indexOf to differentiate between limit and unauthorized.

Quick patch

This seems like a change that will be strongly required for Summit and has no risk involved.
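
A sketch of the 403 disambiguation described in the comment above, as an added example that is not part of the original thread and not the operator's own code. The class, method names and `LIMIT_MARKER` text are hypothetical; the real marker string has to be taken from the operator logs, and the sample response bodies are constructed.

```java
import java.util.Locale;

public class ForbiddenReason {
    enum Reason { LIMIT_REACHED, UNAUTHORIZED, OTHER }

    // Hypothetical marker: replace with the text the backend actually returns.
    static final String LIMIT_MARKER = "max allowed service accounts";

    static Reason classify(int httpStatus, String responseBody) {
        if (httpStatus != 403) {
            return Reason.OTHER;
        }
        // Fail closed: only a positive match on the marker is reported as a
        // quota error; a missing or unrecognised body stays "unauthorized".
        if (responseBody != null
                && responseBody.toLowerCase(Locale.ROOT).indexOf(LIMIT_MARKER) >= 0) {
            return Reason.LIMIT_REACHED;
        }
        return Reason.UNAUTHORIZED;
    }

    // Message to surface in the resource's status conditions.
    static String conditionMessage(Reason reason) {
        switch (reason) {
            case LIMIT_REACHED:
                return "Service account limit reached for this user";
            case UNAUTHORIZED:
                return "User not authorized to access the service";
            default:
                return "Unexpected error from service API";
        }
    }

    public static void main(String[] args) {
        // Constructed sample responses, not captured from the real service.
        String[][] samples = {
            {"403", "{\"reason\":\"Max allowed service accounts reached\"}"},
            {"403", "{\"reason\":\"User not authorized to access the service\"}"},
            {"403", null},
            {"500", "{\"reason\":\"internal error\"}"},
        };
        for (String[] s : samples) {
            Reason r = classify(Integer.parseInt(s[0]), s[1]);
            System.out.println(s[0] + " -> " + r + ": " + conditionMessage(r));
        }
    }
}
```

Matching on message text is brittle if the backend wording changes, which is why the default branch keeps the authorization error rather than guessing a quota problem.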
