Getting started with Red Hat OpenShift Service on AWS (ROSA)

Learn how to get started on Red Hat® OpenShift® Service on AWS, including how to use AWS Security Token Service (STS) to deploy a cluster.

Set up an IdP for ROSA

15 mins

To log in to your cluster, we recommend that you set up an identity provider (IdP), so that users sign in with their own identities instead of sharing the cluster-admin credentials created with the cluster. The following procedure uses GitHub as an example IdP. See the full list of IdPs supported by Red Hat® OpenShift® Service on AWS (ROSA).

What will you learn?

  • How to use an IdP to log in to your cluster

What do you need before starting?

Set up an IdP with GitHub

NOTE: To view all options run: rosa create idp --help

  1. Log into your GitHub account.
  2. You can either use an existing organization that you are an admin of, or create a new one. If you already have one that you want to use, skip to step 7. Here we create a new organization for use with our new ROSA cluster: click the “+” icon at the top of the page, then click “New organization”.
    Screenshot of the Github menu dropdown for creating a new organization with a red outline around the fourth option titled “New organization”
  3. If you are asked to “Pick a plan for your team,” choose the most applicable to you, or just click “Join for free” on the bottom left.
  4. Choose a name for the organization, an email, and whether it is personal or business. Click Next.
    Screenshot of the form fields for setting up a new organization on Github
  5. If you have other users that you want to grant access to your ROSA cluster you can add their GitHub IDs to the organization or you can add them later. We will click “Complete Setup” without adding anyone else.
  6. You can fill in the requested information on the following page or just click “Submit” at the bottom.
  7. Go back to the terminal and enter the following command to set up the GitHub IdP.
    rosa create idp --cluster=<cluster-name> --interactive
  8. Enter the following values when prompted:
    • Type of identity provider: github
    • Identity Provider Name: rosa-github (Or this can be any name you choose)
    • Restrict to members of: organizations
    • GitHub organizations: my-rosa-cluster (or enter the name of your org)
  9. The command line interface (CLI) will provide you with a link. Copy and paste that into a browser and press enter. This will pre-fill the required information for you in order to register this application for OAuth. You don’t need to modify any of the information.
    Screenshot of the command line interface readout with the user’s organization information
  10. Click "Register application."
    Screenshot of the form fields for registering a new OAuth application on Github with a red outline around the Register application button at the bottom of the screen
  11. On the next page it will show you a “Client ID.” Copy this and paste it back into the terminal where it asks for “Client ID.” DO NOT CLOSE THIS TAB.
  12. The CLI now asks for a “Client Secret,” so go back in your browser and click on “Generate a new client secret” near the middle of the page towards the right.
    Screenshot of the application information screen with a red outline around the button under “Client secrets” titled “Generate a new client secret”
  13. A secret will be generated for you. Copy it now, as it will never be visible again. Treat it as a credential: store it in a secrets manager rather than in a chat or ticket, and generate a new one (and update the IdP) if it is ever exposed.
  14. Paste it into the terminal where the CLI is asking for the Client Secret and press enter.
  15. Leave "GitHub Enterprise Hostname" blank.
  16. Mapping method: select “claim” (the default). With “claim”, each GitHub login claims the OpenShift user of the same name; if that user name is already mapped to an identity from another IdP, the login fails. For more details see Identity provider parameters.
  17. The IdP is then created; it can take up to a minute for the configuration to be applied to your cluster.
    Your inputs should look similar to the following:  
    Screenshot of the command line interface readout when a user is inputting information to create an identity provider, or IdP
  18. Copy and paste the link returned at the end into your browser and you should see the IdP we just set up available. If you've followed this tutorial, it is called “rosa-github”. You can click on this and use your GitHub credentials to access the cluster.
    Screenshot of the option to login with GitHub credentials
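The interactive session above can also be scripted. The following is an added example, not part of the original tutorial, that issues the same `rosa create idp` command non-interactively with the answers used above (type github, one organization, mapping method claim) and skips creation if an IdP of that name already exists. It assumes the rosa CLI is installed and logged in, that the GitHub OAuth app has already been registered, and that the client secret is exported as ROSA_GITHUB_CLIENT_SECRET (a variable name chosen here) so it never appears on a typed command line or in shell history.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): non-interactive equivalent of the
# "rosa create idp --interactive" session in the tutorial.
# Assumptions: rosa CLI installed and logged in; the GitHub OAuth app exists;
# ROSA_GITHUB_CLIENT_SECRET (name chosen here) holds the client secret.
set -eu

# Run the rosa create idp command. $1 is the command to execute ("rosa" for
# real, "echo" for a dry run). $7 is an optional GitHub Enterprise hostname;
# leave it empty for github.com, as the tutorial does.
run_create_idp() {
  local cmd="$1" cluster="$2" name="$3" org="$4" client_id="$5" client_secret="$6"
  local hostname="${7:-}"
  for v in "$cluster" "$name" "$org" "$client_id" "$client_secret"; do
    [ -n "$v" ] || { echo "run_create_idp: a required value is empty" >&2; return 1; }
  done
  # Only pass --hostname when a GitHub Enterprise host was given.
  if [ -n "$hostname" ]; then set -- --hostname="$hostname"; else set --; fi
  "$cmd" create idp \
    --cluster="$cluster" \
    --type=github \
    --name="$name" \
    --organizations="$org" \
    --client-id="$client_id" \
    --client-secret="$client_secret" \
    --mapping-method=claim \
    "$@"
}

# True if an IdP with this name is already configured on the cluster, so the
# script can be re-run safely. Assumes the first column of `rosa list idps`
# output is the IdP name (header line skipped).
idp_exists() {
  rosa list idps --cluster="$1" 2>/dev/null | awk 'NR > 1 { print $1 }' | grep -qx -- "$2"
}

# Entry point. Set ROSA_CMD=echo to preview the command without creating anything.
create_github_idp() {
  local cluster="$1" name="$2" org="$3" client_id="$4"
  local secret="${ROSA_GITHUB_CLIENT_SECRET:?export the OAuth client secret first}"
  local cmd="${ROSA_CMD:-rosa}"
  if [ "$cmd" = rosa ] && idp_exists "$cluster" "$name"; then
    echo "IdP '$name' already exists on cluster '$cluster'; nothing to do"
    return 0
  fi
  run_create_idp "$cmd" "$cluster" "$name" "$org" "$client_id" "$secret" \
    "${GITHUB_ENTERPRISE_HOSTNAME:-}"
}

# Usage: ROSA_GITHUB_CLIENT_SECRET=... ./github-idp.sh <cluster-name> <github-org> <client-id>
if [ $# -eq 3 ]; then
  create_github_idp "$1" rosa-github "$2" "$3"
fi
```

Run it once with `ROSA_CMD=echo` to see the exact command before it touches the cluster. Note that `--client-secret` is still visible in the process list of the machine running the script for the duration of the call, which is why the interactive prompt is the better choice on a shared host.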

Grant access to the cluster

  1. To grant other users access to your cluster, add their GitHub user IDs to the GitHub organization used for this cluster.
  2. Click your profile icon > Your organizations > {your organization name}. In our case, the organization name is “my-rosa-cluster”.
    Screenshot of the dropdown menu on a user’s Github profile with a red outline around the third option titled “Your organizations”
  3. Click on the “Invite someone” button.
    Screenshot of a Github organization repository with a red outline around the “Invite someone” button
  4. Enter their GitHub ID, select the correct user, and click “Invite.”
  5. Once the other user accepts the invitation, they will be able to log into the ROSA cluster via the console link and use their GitHub credentials.

You are now ready to grant admin rights.

This learning path is for operations teams or system administrators
