Chapter 12. Configuring AWS STS for Red Hat Quay

Support for Amazon Web Services (AWS) Security Token Service (STS) is available for standalone Red Hat Quay deployments and Red Hat Quay on OpenShift Container Platform. AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

Configuring AWS STS is a multi-step process that requires creating an AWS IAM user, creating an S3 role, and configuring your Red Hat Quay config.yaml file to include the proper resources.

Use the following procedures to configure AWS STS for Red Hat Quay.

12.1. Creating an IAM user

Use the following procedure to create an IAM user.

Procedure

  1. Log in to the Amazon Web Services (AWS) console and navigate to the Identity and Access Management (IAM) console.
  2. In the navigation pane, under Access management click Users.

  3. Click Create User and enter the following information:

    1. Enter a valid username, for example, quay-user.
    2. For Permissions options, click Add user to group.
  4. On the review and create page, click Create user. You are redirected to the Users page.
  5. Click the username, for example, quay-user.
  6. Copy the ARN of the user, for example, arn:aws:iam::123492922789:user/quay-user.
  7. On the same page, click the Security credentials tab.
  8. Navigate to Access keys.
  9. Click Create access key.
  10. On the Access key best practices & alternatives page, click Command Line Interface (CLI), then, check the confirmation box. Then click Next.
  11. Optional. On the Set description tag - optional page, enter a description.
  12. Click Create access key.

  13. Copy and store the access key and the secret access key.

    Important

    This is the only time that the secret access key can be viewed or downloaded. You cannot recover it later. However, you can create a new access key any time.

  14. Click Done.

12.2. Creating an S3 role

Use the following procedure to create an S3 role for AWS STS.

Prerequisites

  • You have created an IAM user and stored the access key and the secret access key.

Procedure

  1. If you are not already, navigate to the IAM dashboard by clicking Dashboard.
  2. In the navigation pane, click Roles under Access management.

  3. Click Create role.

    • Click Custom Trust Policy, which shows an editable JSON policy. By default, it shows the following information: 

      {
	"Version": "2012-10-17",
	"Statement": [
		{
			"Sid": "Statement1",
			"Effect": "Allow",
			"Principal": {},
			"Action": "sts:AssumeRole"
		}
	]
}

  4. Under the Principal configuration field, add your AWS ARN information. For example: 

    {
    "Version": "2012-10-17",
    "Statement": [
   	 {
   		 "Sid": "Statement1",
   		 "Effect": "Allow",
   		 "Principal": {
   		 	"AWS": "arn:aws:iam::123492922789:user/quay-user"
   		 },
   		 "Action": "sts:AssumeRole"
   	 }
    ]
}
  5. Click Next.
  6. On the Add permissions page, type AmazonS3FullAccess in the search box. Check the box to add that policy to the S3 role, then click Next.

  7. On the Name, review, and create page, enter the following information:

    1. Enter a role name, for example, example-role.
    2. Optional. Add a description.
  8. Click the Create role button. You are navigated to the Roles page. Under Role name, the newly created S3 should be available.

12.3. Configuring Red Hat Quay to use AWS STS

Use the following procedure to edit your Red Hat Quay config.yaml file to use AWS STS.

Procedure

  1. Update your config.yaml file for Red Hat Quay to include the following information: 

    # ...
DISTRIBUTED_STORAGE_CONFIG:
   default:
    - STSS3Storage
    - sts_role_arn: <role_arn> 1
      s3_bucket: <s3_bucket_name> 2
      storage_path: <storage_path> 3
      sts_user_access_key: <s3_user_access_key> 4
      sts_user_secret_key: <s3_user_secret_key> 5
# ...
    1
    The unique Amazon Resource Name (ARN) required when configuring AWS STS
    2
    The name of your s3 bucket.
    3
    The storage path for data. Usually /datastorage.
    4
    The generated AWS S3 user access key required when configuring AWS STS.
    5
    The generated AWS S3 user secret key required when configuring AWS STS.
  2. Restart your Red Hat Quay deployment.

Verification

  1. Tag a sample image, for example, busybox, that will be pushed to the repository. For example: 

    $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test

  2. Push the sample image by running the following command: 

    $ podman push <quay-server.example.com>/<organization_name>/busybox:test
  3. Verify that the push was successful by navigating to the Organization that you pushed the image to in your Red Hat Quay registry → Tags.
  4. Navigate to the Amazon Web Services (AWS) console and locate your s3 bucket.
  5. Click the name of your s3 bucket.
  6. On the Objects page, click datastorage/.

  7. On the datastorage/ page, the following resources should seen:

    • sha256/

    • uploads/

      These resources indicate that the push was successful, and that AWS STS is properly configured.