Goal:

As an user I would like to the OpenShift Installer to use temporary credentials when communicating with the cloud APIs

Problem:

Most organizations organize users and permissions such that

• No users have static credentials, rather users use temporary credentials when communicating with cloud APIs
• Single user can have different permissions in different contexts/accounts

So requiring static credentials to create OpenShift clusters in the specific account/context is difficult for users.

Why is this important:

• Support users in organizations that only have access to the account where the cluster needs to be created using AssumeRole like work-flows.
• Support users where the organization enforces temporary credentials to access cloud APIs
• This also allows the Openshift installer to use cloud-services based credentials like instance-metadata.

Previous Work:

None

Prioritized epics + deliverables (in scope / not in scope):

• Support STS API based and ec2metadata based credential sources for AWS

• • https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use.html
• Support service account impersonation and delegation for GCP
  • https://cloud.google.com/iam/docs/creating-short-lived-service-account-credentials
• Support User Assigned Identities for Azure
  • https://docs.microsoft.com/en-us/azure/active-directory/managed-identities-azure-resources/overview

Customers: