Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.

You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.

We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.

The following steps outline the high-level workflow on how to configure short-lived access to the user interface and API calls:

  1. Configuring RHACS to trust OIDC identity token issuers for exchanging short-lived RHACS-issued tokens.

  2. Exchanging an OIDC identity token for a short-lived RHACS-issued token by calling the API.

  • To prevent privilege escalation, when you create a new token, your role’s permissions limit the permission you can assign to that token. For example, if you only have read permission for the Integration resource, you cannot create a token with write permission.

  • If you want a custom role to create tokens for other users to use, you must assign the required permissions to that custom role.

  • Use short-lived tokens for machine-to-machine communication, such as CI/CD pipelines, scripts, and other automation. Also, use the roxctl central login command for human-to-machine communication, such as roxctl CLI or API access.

Configure short-lived access for an OIDC identity token issuer

Start configuring short-lived access for an OpenID Connect (OIDC) identity token issuer.

  1. In the RHACS portal, go to Platform Configuration → Integrations.

  2. Scroll to the Authentication Tokens category, and then click Machine access configuration.

  3. Click Create configuration.

  4. Select the configuration type, choosing one of the following:

    • Generic if you use an arbitrary OIDC identity token issuer.

    • GitHub Actions if you plan to access RHACS from GitHub Actions.

  5. Enter the OIDC identity token issuer.

  6. Enter the token lifetime for tokens issued by the configuration.

    The format for the token lifetime is XhYmZs and you cannot set it for longer than 24 hours.

  7. Add rules to the configuration:

    • The Key is the OIDC token’s claim to use.

    • The Value is the expected OIDC token claim value.

    • The Role is the role to assign to the token if the OIDC token claim and value exist.

      Rules are similar to Authentication Provider rules to assign roles based on claim values.

      As a general rule, Red Hat recommends using unique, immutable claims within rules. The general recommendation is to use the sub claim within the OIDC identity token. For more information about OIDC token claims, see the list of standard OIDC claims.

  8. Click Save.

Exchanging an identity token

  • You have a valid OpenID Connect (OIDC) token.

  • You added a Machine access configuration for the RHACS instance you want to access.

  1. Prepare the POST request’s JSON data:

        {
          "idToken": "<id_token>"
        }

  2. Send a POST request to the API /v1/auth/m2m/exchange.

  3. Wait for the API response:

        {
          "accessToken": "<access_token>"
        }

  4. Use the returned access token to access the RHACS instance.
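The following Python script is an added example, not part of the Red Hat documentation or the stackrox project, that performs the exchange above from a CI job: it posts the OIDC identity token to /v1/auth/m2m/exchange, reads the accessToken, and inspects the token's exp claim so the job can tell how long the short-lived RHACS token remains usable. The ROX_CENTRAL_URL and OIDC_ID_TOKEN environment variables and the make_demo_token helper are assumptions for illustration; jwt_claims only decodes a payload for inspection and does not verify signatures.

```python
import base64
import json
import os
import time
import urllib.request

EXCHANGE_PATH = "/v1/auth/m2m/exchange"  # endpoint named in the steps above

def build_exchange_request(id_token):
    """Serialise the POST body the exchange API expects: {"idToken": "<id_token>"}."""
    return json.dumps({"idToken": id_token}).encode()

def parse_exchange_response(body):
    """Extract accessToken from the API response, failing loudly if it is absent."""
    token = json.loads(body).get("accessToken")
    if not isinstance(token, str) or not token:
        raise ValueError("exchange response carries no accessToken")
    return token

def jwt_claims(token):
    """Decode a JWT payload for inspection only; this does NOT verify the signature."""
    payload = token.split(".")[1]
    return json.loads(base64.urlsafe_b64decode(payload + "=" * (-len(payload) % 4)))

def seconds_left(token, now=None):
    """Remaining lifetime from the exp claim, so a job can notice an expiring token."""
    return int(jwt_claims(token)["exp"]) - int(time.time() if now is None else now)

def make_demo_token(claims):
    """Constructed, UNSIGNED sample JWT (assumption) for offline testing of the helpers."""
    enc = lambda d: base64.urlsafe_b64encode(json.dumps(d).encode()).decode().rstrip("=")
    return f"{enc({'alg': 'none'})}.{enc(claims)}."

def exchange(central_url, id_token):
    """POST the OIDC id token to Central and return the RHACS-issued access token."""
    req = urllib.request.Request(
        central_url.rstrip("/") + EXCHANGE_PATH,
        data=build_exchange_request(id_token),
        headers={"Content-Type": "application/json"},
        method="POST",
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return parse_exchange_response(resp.read())

if __name__ == "__main__":
    # Assumed environment variables (not from the page): ROX_CENTRAL_URL, OIDC_ID_TOKEN
    id_token = os.environ["OIDC_ID_TOKEN"]
    print("sub claim to match in the rule:", jwt_claims(id_token).get("sub"))
    access = exchange(os.environ["ROX_CENTRAL_URL"], id_token)
    print("RHACS token valid for about", seconds_left(access), "seconds")
```

Printing the sub claim of the incoming identity token shows the exact value to put in the machine access configuration rule, which is the claim the page recommends matching on.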

If you are using GitHub Actions, you can use the stackrox/central-login GitHub Action.