Uploaded image for project: 'OpenShift Cloud Credential Operator'
  1. OpenShift Cloud Credential Operator
  2. CCO-221

Document restricting access to OIDC S3 for STS installations using AWS CloudFront

XMLWordPrintable

    • Icon: Story Story
    • Resolution: Done
    • Icon: Major Major
    • None
    • None
    • False
    • None
    • False

      Currently, ccoctl creates a public S3 bucket to host OIDC endpoint that is accessible over the internet. Many customers have complained about this approach as their security policies do not allow creation of public S3 bucket. We have explored the option of making S3 bucket private and having public CloudFront URL to access OIDC configuration files in S3. We already have this tested and documented by SPLAT team. As part of this card, we need to transfer the content to CCO repo.

      SPLAT document : https://drive.google.com/file/d/1z16Gi11Bt4ox-55YuRnvLSm65N9hV8a1/view

      CCO document have content needs to be added: https://github.com/openshift/cloud-credential-operator/blob/master/docs/sts.md

        1. private_S3_options.png
          private_S3_options.png
          150 kB

              akhilrane Akhil Rane (Inactive)
              akhilrane Akhil Rane (Inactive)
              Jianping Shu Jianping Shu
              Votes:
              0 Vote for this issue
              Watchers:
              4 Start watching this issue

                Created:
                Updated:
                Resolved: