Chapter 12. Configuring AWS STS for Red Hat Quay


Support for Amazon Web Services (AWS) Security Token Service (STS) is available for standalone Red Hat Quay deployments, Red Hat Quay on OpenShift Container Platform, and Red Hat OpenShift Service on AWS (ROSA). AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

Configuring AWS STS for OpenShift Container Platform or ROSA requires creating an AWS IAM user, creating an S3 role, and configuring your Red Hat Quay config.yaml file to include the proper resources.

12.1. Configuring Red Hat Quay to use AWS STS

Use the following procedure to edit your Red Hat Quay config.yaml file to use AWS STS.

Procedure

  1. Update your config.yaml file for Red Hat Quay to include the following information:

    # ...
    DISTRIBUTED_STORAGE_CONFIG:
       default:
        - STSS3Storage
        - sts_role_arn: <role_arn> 
    1
    
          s3_bucket: <s3_bucket_name> 
    2
    
          storage_path: <storage_path> 
    3
    
          s3_region: <region> 
    4
    
          sts_user_access_key: <s3_user_access_key> 
    5
    
          sts_user_secret_key: <s3_user_secret_key> 
    6
    
    # ...
    Copy to Clipboard Toggle word wrap
    1
    The unique Amazon Resource Name (ARN) required when configuring AWS STS
    2
    The name of your s3 bucket.
    3
    The storage path for data. Usually /datastorage.
    4
    The Amazon Web Services region. Defaults to us-east-1.
    5
    The generated AWS S3 user access key required when configuring AWS STS.
    6
    The generated AWS S3 user secret key required when configuring AWS STS.
  2. Restart your Red Hat Quay deployment.

Verification

  1. Tag a sample image, for example, busybox, that will be pushed to the repository. For example:

    $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test
    Copy to Clipboard Toggle word wrap
  2. Push the sample image by running the following command:

    $ podman push <quay-server.example.com>/<organization_name>/busybox:test
    Copy to Clipboard Toggle word wrap
  3. Verify that the push was successful by navigating to the Organization that you pushed the image to in your Red Hat Quay registry Tags.
  4. Navigate to the Amazon Web Services (AWS) console and locate your s3 bucket.
  5. Click the name of your s3 bucket.
  6. On the Objects page, click datastorage/.
  7. On the datastorage/ page, the following resources should seen:

    • sha256/
    • uploads/

      These resources indicate that the push was successful, and that AWS STS is properly configured.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat