Red Hat OpenShift Service on AWS (ROSA) explained

Learn about specific use cases, detailed deep dives, and specialized strategies to get the most out of Red Hat OpenShift Service on AWS for your business needs through this series of videos. 

You can also watch this interactive demonstration on how to install ROSA, from creating an account to deploying applications.

What is the AWS Security Token Service (STS)?

8 mins

Ryan Niksch (AWS) and Shaozhen Ding (Red Hat) discuss the AWS Security Token Service (STS) that Red Hat OpenShift Service on AWS (ROSA) uses for least-privilege access.

To view this video within our in-depth learning path, please visit the Getting started with Red Hat OpenShift Service on AWS (ROSA) page

Ryan Niksch (00:00):
Greetings. My name is Ryan Niksch. I am a Principal Solutions Architect with Amazon Web Services. Joining me here today is Shaozhen from Red Hat. Shaozhen, say “hi,” and give us a very quick description of your role.


Shaozhen (00:14):
Hi. My name is Shaozhen. I'm a Red Hat Managed Service Black Belt.


Ryan Niksch (00:19):
So today a lot of customers are talking to me about the ROSA service or the Red Hat OpenShift Service on AWS. This is a jointly supported service, but managed by Red Hat. So it's managed OpenShift.


Shaozhen (00:37):
Yep.


Ryan Niksch (00:38):
Very, very quickly. What is OpenShift? Why are customers interested in OpenShift?

What is OpenShift?


Shaozhen (00:43):
Yeah. OpenShift is an enterprise-grade Kubernetes platform. It's beyond just Kubernetes. It provides you a great developer experience as well as an operational experience.


Ryan Niksch (00:58):
Okay. And with customers, when they're talking about OpenShift and AWS, OpenShift touches a lot of AWS services and there's a lot of integration, for example, when we're scaling and things. What are you seeing in terms of how customers get to the best security posture and ways in which they can implement least privilege and sort of constructs around best security with OpenShift and AWS services?

Leveraging AWS STS


Shaozhen (01:31):
Yeah. So we leverage AWS STS, the Security Token Service. So a ROSA cluster actually gets a least-privilege, temporary token from STS.


Ryan Niksch (01:45):
Okay. So we've got a ROSA cluster.


Shaozhen (01:47):
Yep.


Ryan Niksch (01:50):
And that ROSA cluster is going to talk to AWS's STS.


Shaozhen (01:56):
Yep.


Ryan Niksch (01:56):
STS is a token vending service. So every time the ROSA cluster wants to touch something like an AWS service, what would some of those AWS services be? Typically, what does OpenShift interact with from an AWS service point of view?


Shaozhen (02:13):
Yeah. There are a lot of AWS services. We are integrated with that. For example, EB2.


Ryan Niksch (02:13):
EC2.


Shaozhen (02:22):
EC2. Yeah.


Ryan Niksch (02:25):
And I'm assuming that is for the nodes as it scales up, scales down, or if it's provisioning new compute and the EBS, I'm assuming is for persistent volumes, those sort of things?


Shaozhen (02:37):
Yes, exactly.


Ryan Niksch (02:38):
So in older OpenShift implementations, we used to have an IAM user and that IAM user had a set of keys and these keys were rather static. They never changed. This really wasn't a temporary sort of environment. Also, these would not necessarily be least privilege. It'd be one massive policy for the entire OpenShift cluster.


Shaozhen (03:09):
Yeah.


Ryan Niksch (03:09):
How does moving to STS change that?

Advantages of STS


Shaozhen (03:12):
Yeah. So there are two advantages of using STS. So number one is STS gives you a temporary token, and the other one gives you the least privilege.


Ryan Niksch (03:33):
So instead of one policy on the older implementation, here we would see multiple policies. And would I be correct in saying that now inside OpenShift, each of the components of OpenShift gets its own specific policy?


Shaozhen (03:53):
Yeah. So inside of OpenShift, the ROSA service, there are different operator services. So each service is going to have its own role with a least-privilege policy, instead of one big, giant key with all the policies attached. So that's how we actually get a least-privilege policy implemented.


Ryan Niksch (04:16):
But the service would need to interact with STS. So there's a request process here.


Shaozhen (04:21):
Yeah.


Ryan Niksch (04:21):
Is there any permission building blocks needed to actually talk to STS?


Shaozhen (04:26):
Yeah. So the Red Hat service, when it's creating a ROSA cluster, provisions an OIDC provider, and this OIDC provider actually has a trust with an IAM role. So there's a trust relationship between this OIDC provider and the IAM role. And this role actually has a very least-privilege policy. For example, it only talks with EC2. And you definitely are going to have multiple IAM roles in this case. And for a particular service, ROSA is able to assume this particular IAM role and actually get a service account token from the OIDC provider. And in that case, the ROSA cluster or ROSA services are able to exchange it with STS to get an AWS session token.


Ryan Niksch (05:39):
So the session token is really how long can I use that assumed role. When it times out, I have to go through this whole request process again?


Shaozhen (05:48):
Yeah.


Ryan Niksch (05:49):
From a least privilege perspective, it's really all of these separate policies per service. So the OpenShift installer, for example, will have a set of permissions that it needs. The machine autoscaler has a separate set of permissions.


Shaozhen (06:05):
Exactly.


Ryan Niksch (06:05):
And all of those are interacting with STS by interacting through that OIDC provider, getting the service token, which then gets me to a session token, and allows me to assume that role and use it temporarily.


Shaozhen (06:19):
Yes.


Ryan Niksch (06:20):
This is a very significant change from where we were a few years ago with a more static configuration. Is this something that you're seeing as a more popular, more common implementation?


Shaozhen (06:32):
Yeah. For most enterprise customers, they prefer to use STS because this is a big deal for their security practice. And this temporary access is least privilege.


Ryan Niksch (06:43):
I think if I look at the customers that I'm working with, STS and the other thing that is incredibly popular is private clusters using AWS PrivateLink. I would actually go as far as to say PrivateLink and STS are the two most common implementations.


Shaozhen (07:00):
Yeah.


Ryan Niksch (07:01):
And this is now changing the way in which we build everything in OpenShift in general, as we bring new operators, new integrations. They're all going to be following this STS or temporary credential mentality.


Shaozhen (07:16):
Yeah. So STS enhances the security feature for authentication between all the operators or services inside of ROSA to AWS. In the next session, we can talk about what is PrivateLink, how we're going to make sure the network is secured in the private network.


Ryan Niksch (07:34):
Okay.


Shaozhen (07:35):
Yeah.


Ryan Niksch (07:36):
Thank you very much for joining me.

Shaozhen (07:37):
Yeah. Thank you.

Ryan Niksch (07:39):
It's always a pleasure. And thank you for joining us.
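The exchange above describes the flow in words: one IAM role per operator, a trust policy on each role that names the cluster's OIDC provider, and a projected service-account token that the operator exchanges at STS for short-lived credentials. The Python below is an added example, not code from this page, from Red Hat or from ROSA itself. It builds a trust policy in the shape IAM uses for OIDC federation, constructs an unsigned service-account token in JWT layout, and evaluates the trust-policy conditions the way STS would before issuing a session: right issuer, right audience, a `sub` pinned to one Kubernetes service account, and an unexpired token. The OIDC host, account id, namespace and service-account names are placeholders, and verification of the token signature against the provider's JWKS is deliberately not modelled.

```python
import base64
import json
import time

# Placeholders for this example: a real ROSA cluster gets its own OIDC
# provider host, and the account id is the customer's AWS account.
OIDC_HOST = "oidc.example.test/1a2b3c4d"
ACCOUNT_ID = "123456789012"
PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{OIDC_HOST}"

# Trust policy for one operator's role, in the shape IAM uses for OIDC
# federation: only tokens from this cluster's provider, for exactly these
# service accounts, may assume the role. Namespace/SA names are illustrative.
EBS_CSI_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC_HOST}:aud": "openshift",
            f"{OIDC_HOST}:sub": [
                "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-operator",
                "system:serviceaccount:openshift-cluster-csi-drivers:aws-ebs-csi-driver-controller-sa",
            ],
        }},
    }],
}


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def make_sa_token(namespace, sa_name, issued_at, ttl=3600, audience="openshift"):
    """Build a projected service-account token in JWT layout (constructed).

    The signature segment is left empty. A real token is signed by the
    cluster's key and STS checks it against the JWKS the OIDC provider
    publishes; that signature check is not modelled here.
    """
    header = {"alg": "RS256", "kid": "example-key", "typ": "JWT"}
    claims = {
        "iss": f"https://{OIDC_HOST}",
        "sub": f"system:serviceaccount:{namespace}:{sa_name}",
        "aud": audience,
        "iat": issued_at,
        "exp": issued_at + ttl,
    }
    return ".".join([_b64url(json.dumps(header).encode()),
                     _b64url(json.dumps(claims).encode()), ""])


def decode_claims(token):
    payload = token.split(".")[1]
    payload += "=" * (-len(payload) % 4)  # restore base64 padding
    return json.loads(base64.urlsafe_b64decode(payload))


def evaluate_trust(trust_policy, token, now=None):
    """Model the trust-policy checks STS makes before issuing a session.

    Returns (allowed, reason). Each Allow statement is matched on the
    federated principal (the token's issuer), then on every StringEquals
    condition key, written "<oidc-host>:<claim>" as IAM does for OIDC.
    """
    now = time.time() if now is None else now
    claims = decode_claims(token)
    if claims.get("exp", 0) <= now:
        return False, "token expired"
    iss = claims.get("iss", "")
    issuer_host = iss[len("https://"):] if iss.startswith("https://") else iss
    for stmt in trust_policy["Statement"]:
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        if stmt["Principal"].get("Federated") != f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{issuer_host}":
            continue  # token came from a provider this role does not trust
        matched = True
        for key, wanted in stmt.get("Condition", {}).get("StringEquals", {}).items():
            claim = key.rsplit(":", 1)[1]
            allowed = wanted if isinstance(wanted, list) else [wanted]
            have = claims.get(claim)
            have = have if isinstance(have, list) else [have]
            if not any(v in allowed for v in have):
                matched = False
                break
        if matched:
            return True, f"{claims['sub']} may assume the role ({int(claims['exp'] - now)}s left on the token)"
    return False, f"{claims.get('sub')} matches no trust statement"


if __name__ == "__main__":
    now = 1_700_000_000
    ebs = make_sa_token("openshift-cluster-csi-drivers", "aws-ebs-csi-driver-operator", now)
    machine = make_sa_token("openshift-machine-api", "machine-api-controllers", now)
    stale = make_sa_token("openshift-cluster-csi-drivers", "aws-ebs-csi-driver-operator", now - 7200)
    for label, tok in [("ebs-csi", ebs), ("machine-api", machine), ("stale ebs-csi", stale)]:
        print(f"{label:14} {evaluate_trust(EBS_CSI_TRUST_POLICY, tok, now=now + 1)}")
```

Run it and the EBS CSI operator's token is accepted against its own role, while the machine-API operator's token presented against that same role is refused, as is an expired token. That per-role `sub` pin is what replaces the single static IAM user key with one narrowly scoped role per operator; in the real exchange the operator calls `sts:AssumeRoleWithWebIdentity` with the projected token and receives credentials whose lifetime is bounded by the role's maximum session duration, after which the request is repeated with a fresh token.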
