ROSA CLI Default to STS
Red Hat OpenShift Service on AWS
ROSA CLI Change of Default Action When Creating a Cluster
The Background
- The ROSA CLI can create a ROSA cluster using two different AWS credential modes: STS and non-STS (also called mint mode).
- For ROSA CLI 1.2.8 and older, the default credential mode is non-STS, which uses long-lived AWS credentials for the AWS identity that the cluster requires for installation and ongoing operation.
- For ROSA CLI 1.2.8 and older, if the user initiates cluster creation with
rosa create cluster
and relies on the default selections, the cluster is created in non-STS mode. To create a cluster in STS mode while otherwise keeping the defaults, the following command is valid:
rosa create cluster --sts
- Red Hat is dedicated to secure usage patterns for our products and services, which is the driving force behind this change of default workflow. We believe that AWS Security Token Service, which issues short-lived, scoped credentials instead of static access keys, is the most secure method of interacting with AWS cloud APIs.
The Change
- As of ROSA CLI version 1.3.0, the ROSA CLI defaults to STS mode for cluster creation.
- This means that the following command now creates an STS-mode cluster:
rosa create cluster
- The --sts flag in
rosa create cluster --sts
is therefore redundant, although it remains valid.
- Those who still wish to create non-STS clusters must specify that mode explicitly. As of ROSA CLI 1.3.0:
rosa create cluster --non-sts
Impact
- If you use automation or scripting that relies on the defaults provided by the ROSA CLI, you may need to change that automation or scripting to accommodate the new default. The safest fix is to pass --sts or --non-sts explicitly, so the behaviour no longer depends on the installed CLI version.
- In general, if you previously relied on the ROSA CLI defaults for cluster creation, note that the cluster creation workflow is different when STS is the default: you must prepare the appropriate AWS IAM STS roles and policies before creating a cluster. Please familiarise yourself with the ROSA STS workflow in the official documentation.
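The following POSIX sh wrapper is an added example, not part of this Red Hat article or of the ROSA CLI itself. It shows how automation can pin the credential mode explicitly so the same script behaves identically on ROSA CLI 1.2.8 and older (non-STS default) and 1.3.0 and newer (STS default), and how to order the STS prerequisite (account-wide IAM roles) ahead of cluster creation. Assumptions not stated on the page: "rosa version" prints the version number on its first line, and the flags --cluster-name, --region, --mode auto and --yes, as well as the "rosa create account-roles" subcommand, match your installed CLI (confirm with --help before relying on them). The --sts and --non-sts flags are the ones the article describes.

```shell
#!/bin/sh
# Added example (not the article's or the ROSA project's code): make the credential
# mode explicit so the script does not depend on the CLI's version-specific default.

# version_ge A B: succeed (exit 0) when dotted version A >= B, comparing numerically per field.
version_ge() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    n = split(a, x, "."); m = split(b, y, ".")
    k = (n > m) ? n : m
    for (i = 1; i <= k; i++) {
      if (x[i] + 0 > y[i] + 0) exit 0
      if (x[i] + 0 < y[i] + 0) exit 1
    }
    exit 0
  }'
}

# default_mode_for VERSION: the mode the CLI would pick if neither --sts nor --non-sts is given
# (non-STS up to and including 1.2.8, STS from 1.3.0 onwards, per the article).
default_mode_for() {
  if version_ge "$1" "1.3.0"; then echo sts; else echo non-sts; fi
}

# Cluster names and regions are restricted to [A-Za-z0-9-] before they are interpolated
# into a command line, so an untrusted CLUSTER_NAME cannot smuggle extra shell syntax.
valid_token() { printf '%s' "$1" | grep -Eq '^[A-Za-z0-9-]+$'; }

# create_cluster_cmd MODE NAME REGION: build the create command with the mode spelled out.
# "--mode auto" is assumed to let the CLI create the cluster-specific operator roles and
# OIDC provider an STS cluster needs; the account-wide roles still have to exist first.
create_cluster_cmd() {
  valid_token "$2" && valid_token "$3" || { echo "invalid cluster name or region" >&2; return 1; }
  case "$1" in
    sts)     echo "rosa create cluster --sts --cluster-name $2 --region $3 --mode auto" ;;
    non-sts) echo "rosa create cluster --non-sts --cluster-name $2 --region $3" ;;
    *)       echo "unknown mode: $1 (expected sts or non-sts)" >&2; return 1 ;;
  esac
}

# sts_prereq_cmd: the account-wide IAM roles and policies that the STS workflow
# expects to be in place before "rosa create cluster" runs (assumed flag names).
sts_prereq_cmd() {
  echo "rosa create account-roles --mode auto --yes"
}

# plan MODE NAME REGION: print every command the run would execute, in order.
plan() {
  if [ "$1" = sts ]; then sts_prereq_cmd; fi
  create_cluster_cmd "$1" "$2" "$3"
}

# Only talk to the real CLI when explicitly asked (ROSA_APPLY=1), so the file is
# safe to source or dry-run; without it the script merely defines the functions above.
if [ "${ROSA_APPLY:-0}" = 1 ] && command -v rosa >/dev/null 2>&1; then
  installed=$(rosa version | head -n 1)
  echo "rosa $installed would default to $(default_mode_for "$installed"); pinning ${ROSA_MODE:-sts}" >&2
  plan "${ROSA_MODE:-sts}" "${CLUSTER_NAME:?set CLUSTER_NAME}" "${AWS_REGION:?set AWS_REGION}" |
  while IFS= read -r cmd; do
    echo "+ $cmd" >&2
    eval "$cmd"   # arguments were validated by valid_token before being interpolated
  done
fi
```

Run with ROSA_APPLY=1 CLUSTER_NAME=... AWS_REGION=... to execute, optionally setting ROSA_MODE=non-sts; without ROSA_APPLY the script only defines the helpers, and "plan sts demo us-east-1" prints the commands it would run.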