Uploaded image for project: 'OpenShift Hosted Control Plane'
  1. OpenShift Hosted Control Plane
  2. HOSTEDCP-1488

Use AWS Regionalized STS Endpoints

    XMLWordPrintable

Details

    • Story
    • Resolution: Done
    • Minor
    • None
    • None
    • None
    • False
    • None
    • False
    • 0
    • 0
    • 0

    Description

      User Story:

      As a ROSA customer, I want to enforce that my workloads follow AWS best-practices by using AWS Regionalized STS Endpoints instead of the global one.

      As Red Hat, I would like to follow AWS best-practices by using AWS Regionalized STS Endpoints instead of the global one.

      Per AWS docs:

      https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp_enable-regions.html 

      AWS recommends using Regional AWS STS endpoints instead of the global endpoint to reduce latency, build in redundancy, and increase session token validity.

      https://docs.aws.amazon.com/sdkref/latest/guide/feature-sts-regionalized-endpoints.html

      All new SDK major versions releasing after July 2022 will default to regional. New SDK major versions might remove this setting and use regional behavior. To reduce future impact regarding this change, we recommend you start using regional in your application when possible.

      Acceptance Criteria:

      Areas where HyperShift creates STS credentials use regionalized STS endpoints, e.g. https://github.com/openshift/hypershift/blob/ae1caa00ff3a2c2bfc1129f0168efc1e786d1d12/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go#L1225-L1228 

      Engineering Details:

      Attachments

        Activity

          People

            mshen.openshift Michael Shen
            mshen.openshift Michael Shen
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

            Dates

              Created:
              Updated:
              Resolved: