Feature
Resolution: Done
Major
None
Feature Overview (aka. Goal Summary)
Promote secure authentication methods in the HCP CLI by deprecating the use of long-term `AWS credentials` and favoring STS assume role flows. This change improves security by encouraging short-lived, token-based authentication, which reduces the risk created by promoting insecure usage patterns.
Goals (aka. expected user outcomes)
- Switch the HCP CLI to STS mode to promote secure usage and discourage the use of privileged (sudo-like) long-term credentials.
Requirements (aka. Acceptance Criteria):
- Implement `sts` mode that strictly uses AWS STS for interacting with infrastructure.
- Deprecate the `--aws-creds` flag in the HCP CLI to discourage the use of long-term AWS credentials.
- Ensure that the HCP CLI provides clear error messages and guidance when deprecated methods are used.
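As an added illustration of the three requirements above (not HyperShift's own code), the following Go snippet shows how an `sts` mode can emit the deprecation guidance for `--aws-creds`, detect long-term IAM keys in a supplied credentials file, and refuse them with a clear message. The `--role-arn` flag name, the `ResolveAuth` signature and the minimal credentials-file parser are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// Guidance printed whenever the deprecated --aws-creds flag is used.
const DeprecationNotice = "--aws-creds is deprecated; pass --role-arn so the CLI " +
	"obtains short-term credentials through STS AssumeRole"
// parseCredentials reads the [default] profile of an INI-style AWS credentials
// file body (minimal parser written for this example).
func parseCredentials(body string) map[string]string {
	creds, inDefault := map[string]string{}, false
	for _, line := range strings.Split(body, "\n") {
		line = strings.TrimSpace(line)
		if strings.HasPrefix(line, "[") {
			inDefault = line == "[default]"
		} else if k, v, ok := strings.Cut(line, "="); ok && inDefault {
			creds[strings.TrimSpace(k)] = strings.TrimSpace(v)
		}
	}
	return creds
}

// IsTemporary reports whether parsed credentials look like STS output: IAM user
// keys start with "AKIA", STS temporary keys start with "ASIA" and carry a session token.
func IsTemporary(creds map[string]string) bool {
	return strings.HasPrefix(creds["aws_access_key_id"], "ASIA") && creds["aws_session_token"] != ""
}
// ResolveAuth takes the values of --aws-creds and --role-arn (flag names from the
// ticket, signature assumed), picks "sts" or the deprecated "aws-creds" mode,
// collects user-facing warnings, and refuses long-term keys in sts mode.
func ResolveAuth(awsCredsFile, roleARN, credsFileBody string) (mode string, warnings []string, err error) {
	if roleARN == "" && awsCredsFile == "" {
		return "", nil, errors.New("no authentication configured: pass --role-arn")
	}
	if awsCredsFile != "" {
		warnings = append(warnings, DeprecationNotice)
		if roleARN != "" && !IsTemporary(parseCredentials(credsFileBody)) {
			return "", warnings, fmt.Errorf("sts mode refuses long-term AWS credentials; %s", DeprecationNotice)
		}
	}
	if roleARN != "" {
		return "sts", warnings, nil
	}
	return "aws-creds", warnings, nil
}
```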
Anyone reviewing this Feature needs to know which deployment configurations the Feature will apply to (or not) once it has been completed. Describe specific needs (or indicate N/A) for each of the following deployment scenarios. For specific configurations that are out of scope for a given release, ensure you provide the OCPSTRAT (for the configuration to be supported in the future) as well.
| Deployment considerations | List applicable specific needs (N/A = not applicable) |
| --- | --- |
| Self-managed, managed, or both | self-managed |
| Classic (standalone cluster) | |
| Hosted control planes | Yes |
| Multi node, Compact (three node), or Single node (SNO), or all | |
| Connected / Restricted Network | all |
| Architectures, e.g. x86_x64, ARM (aarch64), IBM Power (ppc64le), and IBM Z (s390x) | all |
| Operator compatibility | |
| Backport needed (list applicable versions) | |
| UI need (e.g. OpenShift Console, dynamic plugin, OCM) | CLI |
| Other (please specify) | |
Use Cases (Optional):
Admin initiates a setup command via the HCP CLI. The CLI automatically uses STS to assume a temporary role that has permission to create the necessary roles and policies for the new environment. Once the roles are in place, the CLI seamlessly continues the setup process.
Questions to Answer (Optional):
Include a list of refinement / architectural questions that may need to be answered before coding can begin. Initial completion during Refinement status.
Background
In light of security best practices and evolving compliance requirements, transitioning to STS assume role flows is important. This shift aims to align the HCP CLI with industry standards and security best practices.
Customer Considerations
Support must be provided to assist customers in transitioning from using long-term AWS credentials to STS. This includes comprehensive documentation and responsive support channels.
Documentation Considerations
Revise the authentication sections of the documentation to remove references to long-term credential usage (`--aws-creds`), mark that flag as deprecated, and emphasize STS assume role flows. Include examples and common troubleshooting tips.
- is blocked by: OCPBUGS-34987 hypershift create iam cli-role missing Tag permissions (Closed)
- relates to: ACM-11725 Update the AWS HCP creation landing UI page to use STS secret options instead (Closed)