OIDC-config for ROSA: security awareness


This article serves as supplemental documentation for customers who deploy ROSA clusters with the oidc-config workflow, which is the default option for ROSA with HCP, ROSA deployments with Terraform, and ROSA deployed with a shared VPC.

What is the OIDC-config workflow? See the official documentation.
In short, this workflow offers more flexibility and a more suitable cluster deployment sequence for ROSA clusters that use AWS STS.

Customers who deploy ROSA clusters should be aware that:
- The OIDC-config workflow is secure and intended for use with a single ROSA cluster, within a single AWS account.
- The OIDC-config workflow, if misused or misunderstood, could allow identity impersonation between clusters.
- Without understanding the implications, re-use of an OIDC provider for additional clusters introduces the following possibilities:
  - Clusters would be able to impersonate each other.
  - A cluster would be able to gain AWS IAM credentials intended for another cluster.
  - A single private key is generated for all clusters sharing the same OIDC configuration.
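The risk above comes from how ROSA STS operator roles are trusted: each role's IAM trust policy allows sts:AssumeRoleWithWebIdentity from the cluster's OIDC provider, conditioned on the Kubernetes service-account subject (the "<issuer>:sub" claim). Two clusters behind one OIDC provider produce tokens with identical subjects, so STS cannot tell them apart. The following Python audit is an added example, not Red Hat or ROSA code: it reads a set of role trust policies and reports OIDC providers trusted by roles belonging to more than one cluster, and subjects that collide across clusters on a shared provider. The provider ARNs, account number, service-account name and role-to-cluster mapping are constructed for the demonstration; in a real account the policies would come from iam:GetRole and the cluster mapping from role names or tags.

```python
"""Audit IAM role trust policies for OIDC-provider sharing across ROSA clusters (added example)."""
from __future__ import annotations

import json
from collections import defaultdict


def trust_policy(provider_arn: str, sub: str) -> dict:
    """Build a trust policy in the shape ROSA STS operator roles use (constructed sample)."""
    issuer = provider_arn.split("oidc-provider/", 1)[1]  # condition keys use the bare issuer host/path
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": provider_arn},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {f"{issuer}:sub": sub}},
        }],
    }


def oidc_providers_in_trust_policy(policy: dict) -> set[str]:
    """Return the federated OIDC provider ARNs a trust policy accepts web-identity tokens from."""
    providers: set[str] = set()
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        fed = stmt.get("Principal", {}).get("Federated", [])
        providers.update([fed] if isinstance(fed, str) else fed)
    return providers


def sub_conditions(policy: dict) -> set[str]:
    """Return the service-account subjects pinned via StringEquals on a ':sub' key."""
    subs: set[str] = set()
    for stmt in policy.get("Statement", []):
        for key, value in stmt.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub"):
                subs.update([value] if isinstance(value, str) else value)
    return subs


def find_shared_providers(roles: list[dict]) -> dict[str, set[str]]:
    """Providers trusted by roles of more than one cluster: the re-use the article warns about."""
    by_provider: dict[str, set[str]] = defaultdict(set)
    for role in roles:
        for provider in oidc_providers_in_trust_policy(role["trust_policy"]):
            by_provider[provider].add(role["cluster"])
    return {p: c for p, c in by_provider.items() if len(c) > 1}


def find_colliding_subjects(roles: list[dict]) -> dict[tuple[str, str], set[str]]:
    """(provider, sub) pairs pinned by roles of different clusters.

    On a shared provider a token carrying that subject from either cluster
    satisfies both trust policies, so either cluster can assume the other's role.
    """
    seen: dict[tuple[str, str], set[str]] = defaultdict(set)
    for role in roles:
        for provider in oidc_providers_in_trust_policy(role["trust_policy"]):
            for sub in sub_conditions(role["trust_policy"]):
                seen[(provider, sub)].add(role["cluster"])
    return {k: v for k, v in seen.items() if len(v) > 1}


# Constructed sample: cluster-a and cluster-b wrongly share provider A; cluster-c has its own.
PROVIDER_A = "arn:aws:iam::111111111111:oidc-provider/oidc.example.test/cluster-a-config"
PROVIDER_B = "arn:aws:iam::111111111111:oidc-provider/oidc.example.test/cluster-c-config"
REGISTRY_SA = "system:serviceaccount:openshift-image-registry:registry"  # constructed subject

SAMPLE_ROLES = [
    {"name": "cluster-a-image-registry", "cluster": "cluster-a",
     "trust_policy": trust_policy(PROVIDER_A, REGISTRY_SA)},
    {"name": "cluster-b-image-registry", "cluster": "cluster-b",
     "trust_policy": trust_policy(PROVIDER_A, REGISTRY_SA)},  # provider re-used across clusters
    {"name": "cluster-c-image-registry", "cluster": "cluster-c",
     "trust_policy": trust_policy(PROVIDER_B, REGISTRY_SA)},
]

if __name__ == "__main__":
    for provider, clusters in find_shared_providers(SAMPLE_ROLES).items():
        print(f"SHARED PROVIDER {provider} trusted by clusters: {sorted(clusters)}")
    for (provider, sub), clusters in find_colliding_subjects(SAMPLE_ROLES).items():
        print(f"COLLIDING SUBJECT {sub} on {provider}: {sorted(clusters)} can assume each other's role")
    print(json.dumps(SAMPLE_ROLES[0]["trust_policy"], indent=2))
```

A clean account yields no findings from either function; any hit means a single OIDC configuration (and therefore a single signing key) backs more than one cluster, which is the condition to remediate by giving each cluster its own oidc-config.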

If you have any concerns or questions, please feel free to open a support case.
