|
| 1 | +:_mod-docs-content-type: ASSEMBLY |
| 2 | +[id="cloud-experts-rosa-hcp-sts-explained"] |
| 3 | += AWS STS and ROSA with HCP explained |
| 4 | +include::_attributes/common-attributes.adoc[] |
| 5 | +include::_attributes/attributes-openshift-dedicated.adoc[] |
| 6 | +:context: cloud-experts-rosa-hcp-sts-explained |
| 7 | + |
| 8 | +toc::[] |
| 9 | + |
| 10 | +//rosaworkshop.io content metadata |
| 11 | +//Brought into ROSA product docs 2023-10-26 |
| 12 | +//Modified for HCP 2024-4-16 |
| 13 | + |
| 14 | +{hcp-title-first} uses an AWS (Amazon Web Services) Security Token Service (STS) for AWS Identity Access Management (IAM) to obtain the necessary credentials to interact with resources in your AWS account. |
| 15 | + |
| 16 | +[id="credential-methods-rosa-hcp"] |
| 17 | +== AWS STS credential method |
| 18 | +As part of {hcp-title}, Red Hat must be granted the necessary permissions to manage infrastructure resources in your AWS account. |
| 19 | +{hcp-title} grants the cluster's automation software limited, short-term access to resources in your AWS account. |
| 20 | + |
| 21 | +The STS method uses predefined roles and policies to grant temporary, least-privilege permissions to IAM roles. The credentials typically expire an hour after being requested. Once expired, they are no longer recognized by AWS and no longer have account access from API requests made with them. For more information, see the link:https://docs.aws.amazon.com/STS/latest/APIReference/welcome.html[AWS documentation]. |
| 22 | + |
| 23 | +AWS IAM STS roles must be created for each {hcp-title} cluster. The ROSA command line interface (CLI) (`rosa`) manages the STS roles and helps you attach the ROSA-specific, AWS-managed policies to each role. The CLI provides the commands and files to create the roles, attach the AWS-managed policies, and an option to allow the CLI to automatically create the roles and attach the policies. |
| 24 | +//See [insert new xref when we have one for HCP] for more information about the different `--mode` options. |
| 25 | + |
| 26 | +[id="hcp-sts-security"] |
| 27 | +== AWS STS security |
| 28 | +Security features for AWS STS include: |
| 29 | + |
| 30 | +* An explicit and limited set of policies that the user creates ahead of time. |
| 31 | +** The user can review every requested permission needed by the platform. |
| 32 | +* The service cannot do anything outside of those permissions. |
| 33 | +* There is no need to rotate or revoke credentials. Whenever the service needs to perform an action, it obtains credentials that expire in one hour or less. |
| 34 | +* Credential expiration reduces the risks of credentials leaking and being reused. |
| 35 | + |
| 36 | +{hcp-title} grants cluster software components least-privilege permissions with short-term security credentials to specific and segregated IAM roles. The credentials are associated with IAM roles specific to each component and cluster that makes AWS API calls. This method aligns with principles of least-privilege and secure practices in cloud service resource management. |
| 37 | + |
| 38 | +[id="components-specific-to-rosa-hcp-with-sts"] |
| 39 | +== Components of {hcp-title} |
| 40 | +* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. |
| 41 | +* *AWS STS* - A method for granting short-term, dynamic tokens to provide users the necessary permissions to temporarily interact with your AWS account resources. |
| 42 | +* *OpenID Connect (OIDC)* - A mechanism for cluster Operators to authenticate with AWS, assume the cluster roles through a trust policy, and obtain temporary credentials from AWS IAM STS to make the required API calls. |
| 43 | +* *Roles and policies* - The roles and policies used by {hcp-title} can be divided into account-wide roles and policies and Operator roles and policies. |
| 44 | ++ |
| 45 | +The policies determine the allowed actions for each of the roles. See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for ROSA clusters that use STS] for more details about the individual roles and policies and xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[ROSA IAM role resource] for more details about trust policies. |
| 46 | ++ |
| 47 | +-- |
| 48 | +** The account-wide roles are: |
| 49 | ++ |
| 50 | +*** ManagedOpenShift-Installer-Role |
| 51 | +*** ManagedOpenShift-Worker-Role |
| 52 | +*** ManagedOpenShift-Support-Role |
| 53 | ++ |
| 54 | +** The account-wide AWS-managed policies are: |
| 55 | ++ |
| 56 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html[ROSAInstallerPolicy] |
| 57 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAWorkerInstancePolicy.html[ROSAWorkerInstancePolicy] |
| 58 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASRESupportPolicy.html[ROSASRESupportPolicy] |
| 59 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy] |
| 60 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy] |
| 61 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy] |
| 62 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy] |
| 63 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy.html[ROSAImageRegistryOperatorPolicy] |
| 64 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy] |
| 65 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html[ROSAKubeControllerPolicy] |
| 66 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAManageSubscription.html[ROSAManageSubscription] |
| 67 | +*** link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy.html[ROSANodePoolManagementPolicy] |
| 68 | +-- |
| 69 | ++ |
| 70 | +[NOTE] |
| 71 | +==== |
| 72 | +Certain policies are used by the cluster Operator roles, listed below. The Operator roles are created in a second step because they are dependent on an existing cluster name and cannot be created at the same time as the account-wide roles. |
| 73 | +==== |
| 74 | ++ |
| 75 | +** The Operator roles are: |
| 76 | ++ |
| 77 | +*** <operator_role_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials |
| 78 | +*** <operator_role_prefix>-openshift-cloud-network-config-controller-cloud-credentials |
| 79 | +*** <operator_role_prefix>-openshift-machine-api-aws-cloud-credentials |
| 80 | +*** <operator_role_prefix>-openshift-cloud-credential-operator-cloud-credentials |
| 81 | +*** <operator_role_prefix>-openshift-image-registry-installer-cloud-credentials |
| 82 | +*** <operator_role_prefix>-openshift-ingress-operator-cloud-credentials |
| 83 | ++ |
| 84 | +** Trust policies are created for each account-wide role and each Operator role. |
| 85 | + |
| 86 | +[id="deploying-rosa-hcp-with-sts-cluster"] |
| 87 | +== Deploying a {hcp-title} cluster |
| 88 | + |
| 89 | +Deploying a {hcp-title} cluster follows the following steps: |
| 90 | + |
| 91 | +. You create the account-wide roles. |
| 92 | +. You create the Operator roles. |
| 93 | +. Red Hat uses AWS STS to send the required permissions to AWS that allow AWS to create and attach the corresponding AWS-manged Operator policies. |
| 94 | +. You create the OIDC provider. |
| 95 | +. You create the cluster. |
| 96 | + |
| 97 | +During the cluster creation process, the ROSA CLI creates the required JSON files for you and outputs the commands you need. If desired, the ROSA CLI can also run the commands for you. |
| 98 | + |
| 99 | +The ROSA CLI can automatically create the roles for you, or you can manually create them by using the `--mode manual` or `--mode auto` flags. For further details about deployment, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster with customizations]. |
| 100 | +//Change the above xref when we have HCP specific docs |
| 101 | + |
| 102 | +[id="hcp-sts-process"] |
| 103 | +== {hcp-title} workflow |
| 104 | +The user creates the required account-wide roles. During role creation, a trust policy, known as a cross-account trust policy, is created which allows a Red Hat-owned role to assume the roles. Trust policies are also created for the EC2 service, which allows workloads on EC2 instances to assume roles and obtain credentials. AWS assigns a corresponding permissions policy to each role. |
| 105 | + |
| 106 | +After the account-wide roles and policies are created, the user can create a cluster. Once cluster creation is initiated, the user creates the Operator roles so that cluster Operators can make AWS API calls. These roles are then assigned to the corresponding permission policies that were created earlier and a trust policy with an OIDC provider. The Operator roles differ from the account-wide roles in that they ultimately represent the pods that need access to AWS resources. Because a user cannot attach IAM roles to pods, they must create a trust policy with an OIDC provider so that the Operator, and therefore the pods, can access the roles they need. |
| 107 | + |
| 108 | +Once the user assigns the roles to the corresponding policy permissions, the final step is creating the OIDC provider. |
| 109 | + |
| 110 | +image::cloud-experts-sts-explained_creation_flow_hcp.png[] |
| 111 | + |
| 112 | +When a new role is needed, the workload currently using the Red Hat role will assume the role in the AWS account, obtain temporary credentials from AWS STS, and begin performing the actions using API calls within the user's AWS account as permitted by the assumed role's permissions policy. The credentials are temporary and have a maximum duration of one hour. |
| 113 | + |
| 114 | +image::cloud-experts-sts-explained_highlevel.png[] |
| 115 | + |
| 116 | +//The entire workflow is depicted in the following graphic: |
| 117 | + |
| 118 | +//image::cloud-experts-sts-explained_entire_flow_hcp.png[] |
| 119 | + |
| 120 | +Operators use the following process to obtain the requisite credentials to perform their tasks. Each Operator is assigned an Operator role, a permissions policy, and a trust policy with an OIDC provider. The Operator will assume the role by passing a JSON web token that contains the role and a token file (`web_identity_token_file`) to the OIDC provider, which then authenticates the signed key with a public key. The public key is created during cluster creation and stored in an S3 bucket. The Operator then confirms that the subject in the signed token file matches the role in the role trust policy which ensures that the OIDC provider can only obtain the allowed role. The OIDC provider then returns the temporary credentials to the Operator so that the Operator can make AWS API calls. For a visual representation, see the following diagram: |
| 121 | + |
| 122 | +image::cloud-experts-sts-explained_oidc_op_roles_hcp.png[] |
0 commit comments