Setting up an IdP for Red Hat OpenShift Service on AWS
To log in to your cluster, we recommend that you set up an identity provider (IdP). The following procedure uses GitHub as an example IdP. See the full list of supported IdPs by Red Hat® OpenShift® Service on AWS (ROSA).
What will you learn?
- How to use an IdP to log in to your cluster
What do you need before starting?
Set up an IdP with GitHub
NOTE: To view all options run: rosa create idp --help
- Log into your GitHub account.
You can either use an existing Organization that you're an admin of, or create a new one. If you already have one that you want to use, skip to step 7. Here we will create a new Organization for use with our new ROSA cluster. Click on the “+” icon in the top then click on “New Organization”.
- If you are asked to “Pick a plan for your team,” choose the most applicable to you, or just click “Join for free” on the bottom left.
Choose a name for the organization, an email, and whether it is personal or business. Click Next.
- If you have other users that you want to grant access to your ROSA cluster you can add their GitHub IDs to the organization or you can add them later. We will click “Complete Setup” without adding anyone else.
- You can fill in the requested information on the following page or just click “Submit” at the bottom.
- Go back to the terminal and enter the following command to set up the GitHub IdP.
rosa create idp --cluster=<cluster-name>--interactive - Enter the following values that are in bold below:
- Type of identity provider: github
- Identity Provider Name: rosa-github (Or this can be any name you choose)
- Restrict to members of: organizations
- GitHub organizations: my-rosa-cluster (or enter the name of your org)
The command line interface (CLI) will provide you with a link. Copy and paste that into a browser and press enter. This will pre-fill the required information for you in order to register this application for OAuth. You don’t need to modify any of the information.
Click "Register application."
- On the next page it will show you a “Client ID.” Copy this and paste it back into the terminal where it asks for “Client ID.” DO NOT CLOSE THIS TAB.
The CLI now asks for a “Client Secret,” so go back in your browser and click on “Generate a new client secret” near the middle of the page towards the right.
- A secret will be generated for you. Make sure to copy it as it will never be visible again.
- Paste it into the terminal where the CLI is asking for the Client Secret and press enter.
- Leave "GitHub Enterprise Hostname" blank.
- Select “claim.” (For more details see Identity provider parameters)
Then the IdP will be created but can take up to 1 minute for the configuration to land onto your cluster.
Your inputs should look similar to the following:
Copy and paste the link returned at the end into your browser and you should see the IdP we just set up available. If you've followed this tutorial, it is called “rosa-github”. You can click on this and use your GitHub credentials to access the cluster.
Grant access to the cluster
- In order to grant access to other users of your cluster, you will need to add their GitHub user ID to the GitHub Organization used for this cluster. If you are following the tutorial, go to “Your organizations” page.
Click on your profile icon > Your organizations > {your organization name}. In our case, the organization name is “my-rosa-cluster”.
Click on the “Invite someone” button.
- Enter their GitHub ID, select the correct user, and click “Invite.”
- Once the other user accepts the invitation, they will be able to log into the ROSA cluster via the console link and use their GitHub credentials.
You are now ready to grant admin rights.
