
Chapter 12. Configuring AWS STS for Red Hat Quay


Support for Amazon Web Services (AWS) Security Token Service (STS) is available for standalone Red Hat Quay deployments, Red Hat Quay on OpenShift Container Platform, and Red Hat OpenShift Service on AWS (ROSA). AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

Configuring AWS STS for OpenShift Container Platform or ROSA requires creating an AWS IAM user, creating an S3 role, and configuring your Red Hat Quay config.yaml file to include the proper resources.

Use the following procedures to configure AWS STS for Red Hat Quay.

12.1. Configuring Red Hat Quay to use AWS STS

Use the following procedure to edit your Red Hat Quay config.yaml file to use AWS STS.

Procedure

  1. Update your config.yaml file for Red Hat Quay to include the following information:

    # ...
    DISTRIBUTED_STORAGE_CONFIG:
      default:
        - STSS3Storage
        - sts_role_arn: <role_arn>                    # 1
          s3_bucket: <s3_bucket_name>                 # 2
          storage_path: <storage_path>                # 3
          s3_region: <region>                         # 4
          sts_user_access_key: <s3_user_access_key>   # 5
          sts_user_secret_key: <s3_user_secret_key>   # 6
    # ...

    1 The unique Amazon Resource Name (ARN) required when configuring AWS STS.
    2 The name of your S3 bucket.
    3 The storage path for data. Usually /datastorage.
    4 The Amazon Web Services region. Defaults to us-east-1.
    5 The generated AWS S3 user access key required when configuring AWS STS.
    6 The generated AWS S3 user secret key required when configuring AWS STS.
  2. Restart your Red Hat Quay deployment.
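    Before restarting, it is worth checking that the entry above is complete and that no template placeholder was left in place. The following added example (not part of the Red Hat Quay documentation or product) validates the parsed DISTRIBUTED_STORAGE_CONFIG entry: every field from the table is present, no `<placeholder>` values remain, sts_role_arn has the shape of an IAM role ARN rather than a user ARN, the bucket name is valid and storage_path is absolute. The account id, bucket and key pair in the sample are constructed values.

```python
import re

REQUIRED_KEYS = ("sts_role_arn", "s3_bucket", "storage_path", "s3_region",
                 "sts_user_access_key", "sts_user_secret_key")
# An IAM role ARN: arn:<partition>:iam::<12-digit account>:role/<name>
ROLE_ARN = re.compile(r"^arn:aws(?:-[a-z]+)?:iam::\d{12}:role/[\w+=,.@/-]+$")
BUCKET_NAME = re.compile(r"^[a-z0-9][a-z0-9.-]{1,61}[a-z0-9]$")


def validate_sts_storage(config, location="default"):
    """Return the problems found in one DISTRIBUTED_STORAGE_CONFIG entry.

    An empty list means the STSS3Storage entry for `location` has every
    required field, no unreplaced placeholders, a role (not user) ARN, a
    valid bucket name and an absolute storage path.
    """
    problems = []
    entry = config.get("DISTRIBUTED_STORAGE_CONFIG", {}).get(location)
    if not isinstance(entry, list) or len(entry) != 2 or not isinstance(entry[1], dict):
        return [f"{location}: expected a two-item list [engine, parameters]"]
    engine, params = entry
    if engine != "STSS3Storage":
        problems.append(f"{location}: engine is {engine!r}, expected 'STSS3Storage'")
    for key in REQUIRED_KEYS:
        value = str(params.get(key) or "")
        if not value:
            problems.append(f"{location}: {key} is missing or empty")
        elif value.startswith("<") and value.endswith(">"):
            # Template placeholders such as <role_arn> were never replaced.
            problems.append(f"{location}: {key} still holds the placeholder {value}")
    checks = (  # (key, predicate on the value, message when it fails)
        ("sts_role_arn", ROLE_ARN.match, "must be an IAM role ARN, not a user ARN"),
        ("s3_bucket", BUCKET_NAME.match, "is not a valid S3 bucket name"),
        ("storage_path", lambda p: p.startswith("/"), "should be absolute, e.g. /datastorage"),
    )
    for key, ok, message in checks:
        value = str(params.get(key) or "")
        if value and not value.startswith("<") and not ok(value):
            problems.append(f"{location}: {key} {value!r} {message}")
    return problems


# Constructed sample: the parsed form of the config.yaml shown above. The
# account id and the access key pair are AWS documentation examples, not real.
SAMPLE_CONFIG = {"DISTRIBUTED_STORAGE_CONFIG": {"default": ["STSS3Storage", {
    "sts_role_arn": "arn:aws:iam::123456789012:role/quay-s3-access",
    "s3_bucket": "quay-registry-example",
    "storage_path": "/datastorage",
    "s3_region": "us-east-1",
    "sts_user_access_key": "AKIAIOSFODNN7EXAMPLE",
    "sts_user_secret_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY",
}]}}
```

    Load your real config.yaml with a YAML parser, pass the resulting dict to validate_sts_storage, and treat any non-empty result as a reason not to restart yet.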

Verification

  1. Tag a sample image, for example, busybox, that will be pushed to the repository. For example:

    $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test
  2. Push the sample image by running the following command:

    $ podman push <quay-server.example.com>/<organization_name>/busybox:test
  3. Verify that the push was successful by navigating to the organization that you pushed the image to in your Red Hat Quay registry and checking its Tags page.
  4. Navigate to the Amazon Web Services (AWS) console and locate your s3 bucket.
  5. Click the name of your s3 bucket.
  6. On the Objects page, click datastorage/.
  7. On the datastorage/ page, the following resources should be seen:

    • sha256/
    • uploads/

      These resources indicate that the push was successful, and that AWS STS is properly configured.
