Chapter 12. Configuring AWS STS for Red Hat Quay
Support for Amazon Web Services (AWS) Security Token Service (STS) is available for standalone Red Hat Quay deployments, Red Hat Quay on OpenShift Container Platform, and Red Hat OpenShift Service on AWS (ROSA). AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate (federated users). This feature is useful for clusters that use Amazon S3 as object storage: Red Hat Quay uses the IAM user's keys to request temporary credentials from STS, and those short-lived, role-scoped credentials are what Red Hat Quay presents to Amazon S3. Because bucket access is granted by the S3 role rather than by long-lived user credentials, and the credentials expire, the feature can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.
Configuring AWS STS for OpenShift Container Platform or ROSA requires creating an AWS IAM user, creating an S3 role, and configuring your Red Hat Quay config.yaml file to include the proper resources.
12.1. Configuring Red Hat Quay to use AWS STS
Use the following procedure to edit your Red Hat Quay config.yaml file to use AWS STS.
Procedure
1. Update your config.yaml file for Red Hat Quay so that the S3 storage configuration includes the following information:
   1. The unique Amazon Resource Name (ARN) of the S3 role that Red Hat Quay assumes through AWS STS.
   2. The name of your S3 bucket.
   3. The storage path for data. Usually /datastorage.
   4. The Amazon Web Services region. Defaults to us-east-1.
   5. The access key of the AWS IAM user that you created for AWS STS.
   6. The secret key of the AWS IAM user that you created for AWS STS.
   Because the file now carries the IAM user's secret key, protect config.yaml as you would any other credential.
2. Restart your Red Hat Quay deployment.
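Before restarting, it is worth checking the storage section offline and, optionally, proving that the IAM user can actually assume the role and write under the storage path, which is exactly what a push will do. The following pre-flight script is an added example written for this page; it is not part of Red Hat Quay or its documentation. It assumes the key names used by Quay's STSS3Storage driver (sts_role_arn, s3_bucket, storage_path, s3_region, sts_user_access_key, sts_user_secret_key; the page describes these fields but does not name them), and the sample configuration embedded in it is constructed for illustration with two deliberate mistakes.

```python
"""Pre-flight check for a Red Hat Quay AWS STS storage configuration.

Added example (not Red Hat Quay code). Offline checks need only the standard
library; the optional live check uses boto3 and real AWS access.
"""
import re
import sys

# Assumption: these are the STSS3Storage driver's key names.
REQUIRED_KEYS = (
    "sts_role_arn", "s3_bucket", "storage_path", "s3_region",
    "sts_user_access_key", "sts_user_secret_key",
)
# IAM role ARN, allowing partitions such as aws-us-gov and aws-cn.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")
REGION_RE = re.compile(r"^[a-z]{2}(?:-[a-z]+)+-\d$")
# Long-term IAM user keys start with AKIA. An ASIA key is a temporary STS key:
# it expires, so it must not be pasted into config.yaml.
USER_ACCESS_KEY_RE = re.compile(r"^AKIA[A-Z0-9]{16}$")

# Constructed sample, not a real deployment. Two things are wrong on purpose:
# the ARN names an IAM user rather than a role, and the secret key is still the
# documentation placeholder.
SAMPLE_CONFIG = {
    "DISTRIBUTED_STORAGE_CONFIG": {
        "default": [
            "STSS3Storage",
            {
                "sts_role_arn": "arn:aws:iam::123456789012:user/quay-sts",
                "s3_bucket": "quay-example-bucket",
                "storage_path": "/datastorage",
                "s3_region": "us-east-1",
                "sts_user_access_key": "AKIAIOSFODNN7EXAMPLE",
                "sts_user_secret_key": "<s3_user_secret_key>",
            },
        ]
    },
}


def storage_entry(config):
    """Return (driver, params) of the 'default' DISTRIBUTED_STORAGE_CONFIG entry."""
    entry = config.get("DISTRIBUTED_STORAGE_CONFIG", {}).get("default")
    if not isinstance(entry, list) or len(entry) != 2 or not isinstance(entry[1], dict):
        return None, {}
    return entry[0], entry[1]


def validate_sts_storage(config):
    """Return a list of problems; an empty list means the fragment looks sane."""
    problems = []
    driver, params = storage_entry(config)
    if driver != "STSS3Storage":
        problems.append(f"storage driver is {driver!r}, expected 'STSS3Storage'")
    for key in REQUIRED_KEYS:
        value = params.get(key)
        if not value:
            problems.append(f"{key} is missing or empty")
        elif isinstance(value, str) and value.startswith("<"):
            problems.append(f"{key} still contains the placeholder {value}")

    def real(key):  # value only if present and not a <placeholder>
        value = params.get(key)
        return value if isinstance(value, str) and value and not value.startswith("<") else None

    if real("sts_role_arn") and not ROLE_ARN_RE.match(real("sts_role_arn")):
        problems.append("sts_role_arn is not an IAM role ARN (arn:aws:iam::<account>:role/<name>)")
    if real("s3_region") and not REGION_RE.match(real("s3_region")):
        problems.append("s3_region does not look like an AWS region name")
    if real("sts_user_access_key") and not USER_ACCESS_KEY_RE.match(real("sts_user_access_key")):
        problems.append("sts_user_access_key is not a long-term IAM user access key (AKIA...)")
    if real("storage_path") and not real("storage_path").startswith("/"):
        problems.append("storage_path should be absolute, for example /datastorage")
    return problems


def live_check(config, session_name="quay-sts-preflight"):
    """Assume the role with the user keys, then write and delete a probe object
    under storage_path, mirroring what Quay does on push. Returns the expiry of
    the temporary credentials. Requires boto3 and network access to AWS."""
    import boto3  # imported lazily so the offline checks need no AWS SDK
    _, p = storage_entry(config)
    sts = boto3.client("sts", region_name=p["s3_region"],
                       aws_access_key_id=p["sts_user_access_key"],
                       aws_secret_access_key=p["sts_user_secret_key"])
    creds = sts.assume_role(RoleArn=p["sts_role_arn"], RoleSessionName=session_name)["Credentials"]
    s3 = boto3.client("s3", region_name=p["s3_region"],
                      aws_access_key_id=creds["AccessKeyId"],
                      aws_secret_access_key=creds["SecretAccessKey"],
                      aws_session_token=creds["SessionToken"])
    key = p["storage_path"].strip("/") + "/uploads/sts-preflight-probe"
    s3.put_object(Bucket=p["s3_bucket"], Key=key, Body=b"probe")
    s3.delete_object(Bucket=p["s3_bucket"], Key=key)
    return creds["Expiration"]


if __name__ == "__main__":
    # Usage: python sts_preflight.py [/path/to/config.yaml] [--live]
    cfg = SAMPLE_CONFIG
    if len(sys.argv) > 1 and not sys.argv[1].startswith("--"):
        import yaml  # PyYAML, only needed to read a real config.yaml
        with open(sys.argv[1]) as fh:
            cfg = yaml.safe_load(fh)
    found = validate_sts_storage(cfg)
    for problem in found:
        print("config problem:", problem)
    if not found and "--live" in sys.argv:
        print("role assumed; temporary credentials expire at", live_check(cfg))
```

Run without arguments to see the two constructed problems reported; run with your real config.yaml and `--live` to confirm that the role can be assumed and that the temporary credentials can create and delete an object under the storage path. The live check deliberately uses the role's temporary credentials for the S3 calls, not the user's keys, so a passing result shows that the role's policy (not just the user's) grants the access Quay needs.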
Verification
1. Tag a sample image, for example busybox, to be pushed to the repository. For example:
   $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test
2. Push the sample image by running the following command:
   $ podman push <quay-server.example.com>/<organization_name>/busybox:test
3. Verify that the push was successful by navigating in your Red Hat Quay registry to the organization that you pushed the image to, and then to the repository's Tags page.
4. Navigate to the Amazon Web Services (AWS) console and locate your S3 bucket.
5. Click the name of your S3 bucket.
6. On the Objects page, click datastorage/. On the datastorage/ page, the following resources should be listed:
   - sha256/
   - uploads/
   These resources indicate that the push was successful and that AWS STS is properly configured.