-
Story
-
Resolution: Done
-
Major
-
None
Currently, ccoctl creates a public S3 bucket to host OIDC endpoint that is accessible over the internet. Many customers have complained about this approach as their security policies do not allow creation of public S3 bucket. We have explored the option of making S3 bucket private and having public CloudFront URL to access OIDC configuration files in S3. We already have this tested and documented by SPLAT team. As part of this card, we need to automate this process through ccoctl by having an optional parameter.
The sample ccoctl command to create the above-mentioned configuration can be
ccoctl aws create-all --name=<name> --region=<aws-region> --credentials-requests-dir=<path-to-directory-with-list-of-credentials-requests> --enable-cloudfront
SPLAT document : https://drive.google.com/file/d/1z16Gi11Bt4ox-55YuRnvLSm65N9hV8a1/view
- blocks
-
RFE-2898 OCP on AWS with manual STS requires private S3 bucket to host OIDC endpoint
-
- Accepted
-
- is depended on by
-
OCPBUGS-2280 [release-4.12] Add ccoctl option to create private s3 bucket with OIDC configurations served through public CloudFront URL
-
- Closed
-
- is related to
-
-
- Closed
-
-
-
- Closed
-
- relates to
-
CCO-219 Explore the option of creating private S3 bucket to host OIDC endpoint
-
- Closed
-
-
-
- To Do
-
- links to
