- Obtain an API token by visiting https://oauth-openshift.apps.ci.l2s4.p1.openshiftapps.com/oauth/token/request
- Log in with `oc login`
- Start the job:

```bash
curl -X POST \
  -H "Authorization: Bearer $(oc whoami -t)" \
  'https://gangway-ci.apps.ci.l2s4.p1.openshiftapps.com/v1/executions/' \
  -d '{"job_name": "periodic-ci-openshift-online-rosa-regional-platform-main-nightly", "job_execution_type": "1"}'
```

The nightly job (`periodic-ci-openshift-online-rosa-regional-platform-main-nightly`) uses two AWS accounts (regional and management). It runs on a daily cron (`0 7 * * *`).
Credentials are stored in Vault at kv/selfservice/cluster-secrets-rosa-regional-platform-int/nightly-static-aws-credentials and mounted at /var/run/rosa-credentials/ with keys regional_access_key, regional_secret_key, management_access_key, management_secret_key.
The nightly e2e tests create ~72 types of AWS resources across two accounts. Teardown relies on terraform destroy, which can fail and leak resources. The nightly-resources-janitor job is a weekly fallback that purges everything except the CI identity (nightly-e2e IAM user) using aws-nuke.
- Schedule: Sundays at 12:00 UTC (`0 12 * * 0`)
- Prow job: `periodic-ci-openshift-online-rosa-regional-platform-main-nightly-resources-janitor`
- Script: `ci/nightly-resources-janitor.sh`, which runs `ci/janitor/purge-aws-account.sh` against both CI accounts
- Dry-run toggle: Set `DRY_RUN=true` at the top of `ci/nightly-resources-janitor.sh` to list resources without deleting
- IAM User `nightly-e2e` (access keys, policies, group memberships)
- IAM Role `OrganizationAccountAccessRole` (and its policies)
- AWS service-linked roles (`/aws-service-role/*`)
```bash
# Dry-run (list only, no deletions)
./ci/janitor/purge-aws-account.sh
# Live run (actually delete resources)
./ci/janitor/purge-aws-account.sh --no-dry-run
```

The script uses whatever AWS credentials are active in your environment. The account must be in the allowlist in `purge-aws-account.sh`.
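An added sketch of the pre-flight check this implies (not the project's `purge-aws-account.sh`): it resolves the account behind the active credentials, refuses anything outside the allowlist, and stays in dry-run unless `--no-dry-run` is given. The function names, the `ACCOUNT_ID` override and the account IDs are assumptions made for illustration.

```bash
# Added example: pre-flight guard for a destructive account purge.
# Constructed placeholder account IDs, not the project's real allowlist.
ALLOWED_ACCOUNTS="111111111111 222222222222"

# Succeeds only if $1 is a 12-digit account ID present in the allowlist.
account_allowed() {
  local id="$1" allowed
  case "$id" in
    *[!0-9]*|"") return 1 ;;
  esac
  [ "${#id}" -eq 12 ] || return 1
  for allowed in $ALLOWED_ACCOUNTS; do
    if [ "$id" = "$allowed" ]; then
      return 0
    fi
  done
  return 1
}

# Prints "dry-run" unless --no-dry-run is passed; unknown flags are rejected
# so a typo can never be read as consent to delete.
purge_mode() {
  local mode="dry-run" arg
  for arg in "$@"; do
    case "$arg" in
      --no-dry-run) mode="live" ;;
      *) echo "unknown argument: $arg" >&2; return 2 ;;
    esac
  done
  echo "$mode"
}

# Applies both checks and prints "<mode> <account-id>" on success.
# ACCOUNT_ID may be preset (hypothetical override, used for testing);
# otherwise the account is read from the active credentials via STS.
preflight() {
  local mode id
  mode="$(purge_mode "$@")" || return 2
  id="${ACCOUNT_ID:-$(aws sts get-caller-identity --query Account --output text)}" || return 3
  if ! account_allowed "$id"; then
    echo "refusing: account '$id' is not in the allowlist" >&2
    return 1
  fi
  echo "$mode $id"
}
```

Checking the account ID returned by STS, rather than a profile name or environment label, ties the decision to the credentials that will actually be used for deletion.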
Results are available on the OpenShift CI Prow dashboard.