
Chapter 10. Configuring AWS STS for Red Hat Quay


Support for Amazon Web Services (AWS) Security Token Service (STS) is available for standalone Red Hat Quay deployments, Red Hat Quay on OpenShift Container Platform, and Red Hat OpenShift Service on AWS (ROSA). AWS STS is a web service for requesting temporary, limited-privilege credentials for AWS Identity and Access Management (IAM) users and for users that you authenticate, or federated users. This feature is useful for clusters using Amazon S3 as an object storage, allowing Red Hat Quay to use STS protocols to authenticate with Amazon S3, which can enhance the overall security of the cluster and help to ensure that access to sensitive data is properly authenticated and authorized.

Configuring AWS STS for OpenShift Container Platform or ROSA requires creating an AWS IAM user, creating an S3 role, and configuring your Red Hat Quay config.yaml file to include the proper resources.

10.1. Creating an IAM user

Use the following procedure to create an Identity and Access Management (IAM) user.

Procedure

  1. Log in to the Amazon Web Services (AWS) console and navigate to the Identity and Access Management (IAM) console.
  2. In the navigation pane, under Access management, click Users.
  3. Click Create User and enter the following information:

    1. Enter a valid username, for example, quay-user.
    2. For Permissions options, click Add user to group.
  4. On the review and create page, click Create user. You are redirected to the Users page.
  5. Click the username, for example, quay-user.
  6. Copy the ARN of the user, for example, arn:aws:iam::123456:user/quay-user.
  7. On the same page, click the Security credentials tab.
  8. Navigate to Access keys.
  9. Click Create access key.
  10. On the Access key best practices & alternatives page, click Command Line Interface (CLI), check the confirmation box, and then click Next.
  11. Optional. On the Set description tag - optional page, enter a description.
  12. Click Create access key.
  13. Copy and store the access key and the secret access key.

    Important

    This is the only time that the secret access key can be viewed or downloaded. You cannot recover it later. However, you can create a new access key any time.

  14. Click Done.

10.2. Creating an S3 role

Use the following procedure to create an S3 role for AWS STS.

Prerequisites

  • You have created an IAM user and stored the access key and the secret access key.

Procedure

  1. Navigate to the IAM dashboard.
  2. In the navigation pane, click Roles under Access management.
  3. Click Create role → Custom Trust Policy.
  4. Under the Principal configuration field, add your AWS ARN information. For example:

    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Sid": "Statement1",
          "Effect": "Allow",
          "Principal": {
            "AWS": "arn:aws:iam::123456:user/quay-user"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }

  5. Click Next.
  6. On the Add permissions page, type AmazonS3FullAccess in the search box. Check the box to add that policy to the S3 role, then click Next.
  7. On the Name, review, and create page, enter the following information:

    1. Enter a role name, for example, example-role.
    2. Optional. Add a description.
  8. Click the Create role button. You are navigated to the Roles page. Under Role name, the newly created S3 role should be available.

10.3. Configuring Red Hat Quay on OpenShift Container Platform to use AWS STS

Use the following procedure to edit your Red Hat Quay on OpenShift Container Platform config.yaml file to use AWS STS.

Note

You can also edit and re-deploy your Red Hat Quay on OpenShift Container Platform config.yaml file directly instead of using the OpenShift Container Platform UI.

Prerequisites

  • You have configured a Role ARN.
  • You have generated a User Access Key.
  • You have generated a User Secret Key.

Procedure

  1. On the Home page of your OpenShift Container Platform deployment, click Operators → Installed Operators.
  2. Click Red Hat Quay.
  3. Click Quay Registry and then the name of your Red Hat Quay registry.
  4. Under Config Bundle Secret, click the name of your registry configuration bundle, for example, quay-registry-config-bundle-qet56.
  5. On the configuration bundle page, click Actions to reveal a drop-down menu. Then click Edit Secret.
  6. Update the DISTRIBUTED_STORAGE_CONFIG field of your config.yaml file with the following information:

    # ...
    DISTRIBUTED_STORAGE_CONFIG:
       default:
        - STSS3Storage
        - sts_role_arn: <role_arn>                    # 1
          s3_bucket: <s3_bucket_name>                 # 2
          storage_path: <storage_path>                # 3
          s3_region: <region>                         # 4
          sts_user_access_key: <s3_user_access_key>   # 5
          sts_user_secret_key: <s3_user_secret_key>   # 6
    # ...

    1. The unique Amazon Resource Name (ARN) of the role, required when configuring AWS STS.
    2. The name of your S3 bucket.
    3. The storage path for data. Usually /datastorage.
    4. The Amazon Web Services region. Defaults to us-east-1.
    5. The generated AWS S3 user access key required when configuring AWS STS.
    6. The generated AWS S3 user secret key required when configuring AWS STS.
  7. Click Save.
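
Before saving the config bundle it is worth checking that the STSS3Storage entry is complete: a placeholder such as <s3_bucket_name> left in place, or an access key without its secret key, only surfaces later as a failed push. The following is an added example, not Red Hat Quay code. It works on the already-parsed form of the YAML fragment above (a Python dict standing in for what a YAML loader returns), so it runs without extra libraries. The key names come from this page; the rules it applies, the helper names, and the sample values are this example's own assumptions.

```python
"""Sanity-check a DISTRIBUTED_STORAGE_CONFIG entry for the STSS3Storage driver.

Added example, not Red Hat Quay code. Key names come from the documentation;
the validation rules and the sample values are assumptions of this example.
"""
import re

DRIVER = "STSS3Storage"
# Keys every STSS3Storage entry needs (taken from the page's config fragment).
REQUIRED = ("s3_bucket", "storage_path")
# Keys used only when Quay itself holds static IAM user credentials (section 10.3).
# On ROSA (section 10.4) the annotated service account supplies the role instead.
STATIC_CREDS = ("sts_role_arn", "sts_user_access_key", "sts_user_secret_key")
# Placeholders left over from the documentation template, e.g. <s3_bucket_name>.
PLACEHOLDER = re.compile(r"^<.*>$")


def check_storage_entry(name, entry):
    """Return a list of findings for one storage location (empty means it looks sane)."""
    findings = []
    # Quay expresses a storage location as a two-element list: [driver_name, {params}].
    if not (isinstance(entry, list) and len(entry) == 2 and isinstance(entry[1], dict)):
        return [f"{name}: expected [driver_name, {{params}}], got {entry!r}"]
    driver, params = entry
    if driver != DRIVER:
        return [f"{name}: driver is {driver!r}, not {DRIVER}"]
    for key in REQUIRED:
        if key not in params:
            findings.append(f"{name}: missing required key {key}")
    for key, value in params.items():
        if isinstance(value, str) and PLACEHOLDER.match(value):
            findings.append(f"{name}: {key} still holds the template placeholder {value}")
    # Static-credential mode is all-or-nothing: a key without its secret is a half-configuration.
    present = [k for k in STATIC_CREDS if k in params]
    if present and len(present) != len(STATIC_CREDS):
        missing = [k for k in STATIC_CREDS if k not in params]
        findings.append(f"{name}: static-credential mode needs all of {STATIC_CREDS}; missing {missing}")
    if not params.get("s3_region"):
        findings.append(f"{name}: s3_region not set, Quay will default to us-east-1")
    return findings


def credential_mode(entry):
    """'static' when Quay carries IAM user keys (10.3), 'web-identity' when it relies on
    the annotated service account (10.4)."""
    params = entry[1]
    return "static" if all(k in params for k in STATIC_CREDS) else "web-identity"


def check_config(config):
    """Run check_storage_entry over every location under DISTRIBUTED_STORAGE_CONFIG."""
    findings = []
    for name, entry in config.get("DISTRIBUTED_STORAGE_CONFIG", {}).items():
        findings.extend(check_storage_entry(name, entry))
    return findings


# Constructed sample: the page's fragment with placeholders filled in (all values made up).
GOOD_CONFIG = {
    "DISTRIBUTED_STORAGE_CONFIG": {
        "default": [
            DRIVER,
            {
                "sts_role_arn": "arn:aws:iam::123456:role/example-role",
                "s3_bucket": "quay-example-bucket",
                "storage_path": "/datastorage",
                "s3_region": "us-east-1",
                "sts_user_access_key": "AKIAEXAMPLEKEY",
                "sts_user_secret_key": "example-secret-key",
            },
        ]
    }
}

# Constructed sample: a placeholder left in place and the secret key forgotten.
BAD_CONFIG = {
    "DISTRIBUTED_STORAGE_CONFIG": {
        "default": [
            DRIVER,
            {
                "sts_role_arn": "arn:aws:iam::123456:role/example-role",
                "s3_bucket": "<s3_bucket_name>",
                "storage_path": "/datastorage",
                "s3_region": "us-east-1",
                "sts_user_access_key": "AKIAEXAMPLEKEY",
            },
        ]
    }
}

if __name__ == "__main__":
    for label, cfg in (("good", GOOD_CONFIG), ("bad", BAD_CONFIG)):
        print(label, check_config(cfg) or "ok")
```

Running the script reports no findings for the first sample and two for the second (the unreplaced placeholder and the missing secret key). To check a real config bundle, load the YAML with a YAML parser and pass the resulting mapping to check_config.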

Verification

  1. Tag a sample image, for example, busybox, that will be pushed to the repository. For example:

    $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test
  2. Push the sample image by running the following command:

    $ podman push <quay-server.example.com>/<organization_name>/busybox:test
  3. Verify that the push was successful by navigating to the Organization that you pushed the image to in your Red Hat Quay registry → Tags.
  4. Navigate to the Amazon Web Services (AWS) console and locate your s3 bucket.
  5. Click the name of your s3 bucket.
  6. On the Objects page, click datastorage/.
  7. On the datastorage/ page, the following resources should be present:

    • sha256/
    • uploads/

      These resources indicate that the push was successful, and that AWS STS is properly configured.

10.4. Configuring Red Hat Quay on Red Hat OpenShift Service on AWS to use AWS STS

Use the following procedure to configure Red Hat Quay to use AWS STS on Red Hat OpenShift Service on AWS platforms.

Prerequisites

  • You have created an IAM user.
  • You have created an s3 Role ARN.
  • You have created a Custom Trust Policy that uses the Role ARN.

Procedure

  1. Get the serviceAccountIssuer resource by entering the following command:

    $ oc get authentication.config.openshift.io cluster -o json | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///"

    Example output

    oidc.op1.openshiftapps.com/123456

  2. On the Identity and Access Management (IAM) console of the Amazon Web Services (AWS) console:

    1. Click Roles.
    2. Click the name of the Role to be used with AWS STS, for example, example-role.
    3. Click the Trust relationships tab, which shows the JSON policy created during "Creating an S3 role". Update the JSON policy as follows:

      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Sid": "Statement1",
            "Effect": "Allow",
            "Principal": {
              "Federated": "arn:aws:iam::123456:oidc-provider/oidc.op1.openshiftapps.com/123456"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
              "StringEquals": {
                "oidc.op1.openshiftapps.com/123456:sub": "system:serviceaccount:quay:registry-quay-app"
              }
            }
          }
        ]
      }

      1. Updates the Principal parameter of the JSON policy to Federated: <your_user_ARN>:<serviceAccountIssuer_domain_path>, as in the example above.
      2. Updates the Action parameter of the JSON policy to sts:AssumeRoleWithWebIdentity.
      3. Updates the Condition parameter of the JSON policy to "StringEquals": { "<serviceAccountIssuer>:sub": "system:serviceaccount:<quay_namespace>:<quay_registry_using_serviceAccount>" }.
    4. Verify that your User ARN is configured correctly, then click Next.
    5. On the Add permissions page, select AmazonS3FullAccess, then click Next.
    6. On the Name, review, and create page, give your role a name and a description, verify your configuration, and add any optional tags. Then click Create Role.
  3. On the Roles page, click the new role and store the Role ARN resource. For example:

    arn:aws:iam::123456:role/test_s3_access
  4. On the Red Hat Quay web console:

    1. Click Operators → Installed Operators.
    2. Click Red Hat Quay.
    3. Click Quay Registry and then the name of your Red Hat Quay registry.
    4. Under Config Bundle Secret, click the name of your registry configuration bundle, for example, quay-registry-config-bundle-12345.
    5. On the configuration bundle page, click Actions to reveal a drop-down menu. Then click Edit Secret.
    6. Update the DISTRIBUTED_STORAGE_CONFIG field of your config.yaml file with the following information:

      # ...
      DISTRIBUTED_STORAGE_CONFIG:
         default:
          - STSS3Storage
          - s3_bucket: <s3_bucket_name>    # 1
            storage_path: <storage_path>   # 2
            s3_region: <region>            # 3
      # ...

      1. The name of your S3 bucket.
      2. The storage path for data. Usually /datastorage.
      3. The Amazon Web Services region. Defaults to us-east-1.
  5. Click Save. Your QuayRegistry custom resource (CR) automatically restarts.
  6. Annotate the Service Account (SA) that executes pods with the EKS configuration values. For example:

    $ oc annotate sa registry-quay-app "eks.amazonaws.com/role-arn"="arn:aws:iam::123456:role/test_s3_access" "eks.amazonaws.com/audience"="sts.amazonaws.com" "eks.amazonaws.com/sts-regional-endpoints"="true"
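
The security of this setup rests on two things fitting together: the trust policy's :sub condition must name exactly the Quay service account (without it, any pod in the cluster that can obtain a token from the cluster's OIDC issuer could assume the S3 role), and the role-arn annotation on that service account must point at the role whose trust policy names it. The following is an added example, not Red Hat or Quay code, that builds a trust policy of the same shape as the one above, lints an existing policy for the usual mistakes, and renders the three annotations from the oc annotate command. The account id, issuer, namespace, service-account name and role ARN are constructed sample values modelled on this page's examples; the linter's rules and the helper names are this example's own assumptions.

```python
"""Build and lint a web-identity trust policy for the Quay service account on ROSA,
and check that the service-account annotations point back at the same role.

Added example, not Red Hat or Quay code. The sample values below are constructed
to mirror the documentation; the linting rules are assumptions of this example.
"""
import json

ACTION = "sts:AssumeRoleWithWebIdentity"


def build_trust_policy(account_id, issuer, namespace, service_account):
    """Trust policy with the documented shape: Federated OIDC principal,
    AssumeRoleWithWebIdentity, and a :sub condition pinned to one service account."""
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "Statement1",
                "Effect": "Allow",
                "Principal": {"Federated": f"arn:aws:iam::{account_id}:oidc-provider/{issuer}"},
                "Action": ACTION,
                "Condition": {
                    "StringEquals": {
                        f"{issuer}:sub": f"system:serviceaccount:{namespace}:{service_account}"
                    }
                },
            }
        ],
    }


def lint_trust_policy(policy, issuer, expected_subject):
    """Return findings for any Allow statement that would let more than the intended
    service account assume the role. An empty list means the policy is tightly scoped."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or "Federated" not in principal:
            findings.append("Principal is not a Federated OIDC provider")
        elif not principal["Federated"].endswith(f":oidc-provider/{issuer}"):
            findings.append("Federated principal does not name the cluster's serviceAccountIssuer")
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if ACTION not in actions:
            findings.append(f"Action does not include {ACTION}")
        if "*" in actions or "sts:*" in actions:
            findings.append("Action is a wildcard")
        cond = stmt.get("Condition", {}).get("StringEquals", {})
        sub = cond.get(f"{issuer}:sub")
        if sub is None:
            findings.append("no :sub condition: any pod in the cluster could assume the role")
        elif sub != expected_subject:
            findings.append(f":sub is {sub!r}, expected {expected_subject!r}")
    return findings


def service_account_annotations(role_arn):
    """The three annotations set by the documented `oc annotate sa ...` command."""
    return {
        "eks.amazonaws.com/role-arn": role_arn,
        "eks.amazonaws.com/audience": "sts.amazonaws.com",
        "eks.amazonaws.com/sts-regional-endpoints": "true",
    }


def annotations_match_role(annotations, role_arn):
    """True when the service account is annotated with the role whose trust policy names it."""
    return annotations.get("eks.amazonaws.com/role-arn") == role_arn


# Constructed sample values, modelled on the page's examples.
ACCOUNT_ID = "123456"
ISSUER = "oidc.op1.openshiftapps.com/123456"  # output of the serviceAccountIssuer command
NAMESPACE, SA = "quay", "registry-quay-app"
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/test_s3_access"
SUBJECT = f"system:serviceaccount:{NAMESPACE}:{SA}"

if __name__ == "__main__":
    policy = build_trust_policy(ACCOUNT_ID, ISSUER, NAMESPACE, SA)
    print(json.dumps(policy, indent=2))
    print("findings:", lint_trust_policy(policy, ISSUER, SUBJECT) or "none")
    loose = build_trust_policy(ACCOUNT_ID, ISSUER, NAMESPACE, SA)
    del loose["Statement"][0]["Condition"]  # the mistake the linter is meant to catch
    print("without condition:", lint_trust_policy(loose, ISSUER, SUBJECT))
    print("annotations consistent:", annotations_match_role(service_account_annotations(ROLE_ARN), ROLE_ARN))
```

To lint a role that already exists, paste the JSON from the role's Trust relationships tab into json.loads and call lint_trust_policy with the issuer from step 1 and the subject system:serviceaccount:<quay_namespace>:<service_account>; the trust policy from "Creating an S3 role" (an AWS user principal with sts:AssumeRole) is reported as not yet converted to the web-identity form.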

Verification

  1. Tag a sample image, for example, busybox, that will be pushed to the repository. For example:

    $ podman tag docker.io/library/busybox <quay-server.example.com>/<organization_name>/busybox:test
  2. Push the sample image by running the following command:

    $ podman push <quay-server.example.com>/<organization_name>/busybox:test
  3. Verify that the push was successful by navigating to the Organization that you pushed the image to in your Red Hat Quay registry → Tags.
  4. Navigate to the Amazon Web Services (AWS) console and locate your s3 bucket.
  5. Click the name of your s3 bucket.
  6. On the Objects page, click datastorage/.
  7. On the datastorage/ page, the following resources should be present:

    • sha256/
    • uploads/

      These resources indicate that the push was successful, and that AWS STS is properly configured.

© 2025 Red Hat