1. Proposed title of this feature request
Support switching to AWS STS as a Day-2 operation
2. What is the nature and description of the request?
With OCPPLAN-5656 / CCO-21 / CCO-20, OpenShift Container Platform 4 now supports using AWS Security Token Service (STS) as a Day Zero operation: the Cloud Credential Operator can be configured to use STS at installation time. However, there is currently no supported procedure to switch to STS after the initial installation as a Day-2 operation.
This RFE requests that a supported and documented procedure be made available to switch an OCP4 cluster from any other credentials mode to AWS STS.
I remember seeing an unofficial / unsupported procedure for this; however, I do not believe that it is public.
3. Why does the customer need this?
Especially for customers in regulated industries (banking, insurance), using the AWS Security Token Service wherever possible is a requirement. Customers that already have production clusters running and would like to use AWS STS with OCP are currently required to create new clusters and migrate their workloads. This is often not feasible without extended downtime and significant effort, so switching existing clusters to AWS STS is much preferred.
4. List any affected packages or components.
Cloud Credential Operator / Documentation