• Sub-task
    • Resolution: Done
    • Major
    • ACM 2.16.0
    • None
    • Console
    • Product / Portfolio Work
    • False
    • False
    • ACM Console Train 37 - 1

      Findings

      I do not believe that OCPSTRAT-171 applies to the ACM console, because the CredentialRequestOperator is used for access to the cloud provider on which the operator is running in order to make configuration changes for its own operation. For example, when a cluster is in STS mode, OLM can warn users when installing operators that require AWS access that manual setup will be required in order for the operator to work properly with CCO.

      This is not the case for ACM console. We do not require access to the hosting cloud provider for basic operation. Users can optionally provide AWS credentials for deployment of additional clusters using Hive, or for access to S3 buckets for HCP deployment. We could open additional separate features to support these operations via STS if there is customer demand for it. CC sberens@redhat.com bweidenb@redhat.com

      For Hive deployment using STS, it is already supported by the operator. See Provisioning AWS STS Clusters. This is similar to the main OCP instructions for Configuring an AWS cluster to use short-term credentials, although the commands are a bit different.

      We could update the console Hive-based AWS deployment wizard to support this by doing something like the following:

      • Offer a choice between selecting a credential and providing the private service account signing key and installer manifests generated by the ccoctl tool. If the latter is chosen, YAML generation would create two new secrets and modify the install-yaml.config appropriately.
      • Mark such clusters in some way so that we can provide a reminder on destroy to clean up resources created by ccoctl.

      For hosted control planes, I am not sure if there is any STS support available.

              rh-ee-kcormier Kevin Cormier
              njean@redhat.com Nelson Jean
              David Huynh