Support for Direct Use of aws-pod-identity-webhook with AWS STS in OCP
Environment
- Red Hat OpenShift Container Platform 4.10 or later
- Amazon Web Services (AWS)
- Cloud Credentials Operator
- Credential Mint-Mode
- AWS Security Token Service (STS)
- AWS IAM (Identity and Access Management) Roles for resources outside the OCP cluster
Issue
- Provide credentials to external resources only to specific service accounts
- Documentation is unclear about support for aws-pod-identity-webhook outside of the implementation details for CCO manual mode
- Use "eks.amazonaws.com/role-arn" annotations
Resolution
Yes, this use case is supported.
Root Cause
The aws-pod-identity-webhook allows a service account to be provided with credentials for IAM roles using AWS STS. STS is unused by OCP itself in Mint Mode because the cluster holds the provided credentials needed to mint IAM users as requested by CredentialsRequest custom resources. However, the Cloud Credential Operator (CCO) is active and available to use.
The OCP documentation doesn't currently make this clear, but the ROSA (Red Hat OpenShift Service on AWS) documentation does cover it. See Assuming an AWS IAM role for a service account. Also see the following blog entries: Fine-grained IAM roles for Red Hat OpenShift Service on AWS (ROSA) workloads with STS, and Running Pods in OpenShift With AWS IAM Roles for service accounts AKA IRSA.
Performing the same tasks on OCP is covered in the blog Fine Grained IAM Roles for OpenShift Applications.
There are several open issues related to implementing this, so if you run into problems, please open a support case.
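Added example, not part of this solution or of any Red Hat code: a small POSIX shell script that generates the two artifacts the approach above relies on, a ServiceAccount carrying the eks.amazonaws.com/role-arn annotation that aws-pod-identity-webhook acts on, and an IAM trust policy whose sub condition pins the role to that one namespace/service account, which is what limits the external credentials to specific service accounts. The account ID, OIDC issuer host, namespace, service account and role names are placeholders, and the scoping check is an added guard, not a webhook feature.

```shell
#!/bin/sh
# Emit the IAM trust policy that lets ONLY the given namespace/service-account
# assume the role via AssumeRoleWithWebIdentity. An ":aud" condition can be
# added alongside ":sub" if the webhook's configured token audience is known.
trust_policy() {
  account="$1"; oidc="$2"; ns="$3"; sa="$4"
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": { "Federated": "arn:aws:iam::${account}:oidc-provider/${oidc}" },
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": { "StringEquals": { "${oidc}:sub": "system:serviceaccount:${ns}:${sa}" } }
  }]
}
EOF
}

# Emit the ServiceAccount manifest with the annotation the webhook looks for.
# Pods using this SA that are created AFTER the annotation exists get
# AWS_ROLE_ARN / AWS_WEB_IDENTITY_TOKEN_FILE injected; existing pods must be restarted.
sa_manifest() {
  ns="$1"; sa="$2"; role_arn="$3"
  cat <<EOF
apiVersion: v1
kind: ServiceAccount
metadata:
  name: ${sa}
  namespace: ${ns}
  annotations:
    eks.amazonaws.com/role-arn: ${role_arn}
EOF
}

# Return success only if the trust policy is pinned to a single service account:
# reject StringLike matching and any wildcard in the ":sub" value.
trust_policy_is_scoped() {
  ! printf '%s' "$1" | grep -Eq 'StringLike|:sub": *"[^"]*\*'
}

# Constructed placeholder values; replace with your account, issuer host and role.
ACCOUNT="123456789012"; OIDC="oidc.example.com/CLUSTER-ID"; NS="my-app"; SA="s3-reader"
ROLE_ARN="arn:aws:iam::${ACCOUNT}:role/${NS}-${SA}"
POLICY=$(trust_policy "$ACCOUNT" "$OIDC" "$NS" "$SA")
trust_policy_is_scoped "$POLICY" && printf '%s\n' "$POLICY"
sa_manifest "$NS" "$SA" "$ROLE_ARN"
```

After applying the manifest, a pod using the service account should show the AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE environment variables, which confirms the webhook mutated it.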
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.