Amazon Web Services (AWS) infrastructure access allows Customer Portal Organization Administrators and cluster owners to enable AWS Identity and Access Management (IAM) users to have federated access to the AWS Management Console for their OpenShift Dedicated cluster. Administrators can select between Network Management or Read-only access options.

Configuring AWS infrastructure access

Prerequisites
  • An AWS account with IAM permissions.

Creating an AWS account with IAM permissions

Before you can configure access to AWS infrastructure, you will need to set up IAM permissions in your AWS account.

Procedure
  1. Log in to your AWS account. If necessary, you can create a new AWS account by following AWS documentation.

  2. Create an IAM user in the AWS account with a policy that allows the sts:AssumeRole action (the policy document below).

    1. Open the IAM dashboard of the AWS Management Console.

    2. In the Policies section, click Create Policy.

    3. Select the JSON tab and replace the existing text with the following:

        {
          "Version": "2012-10-17",
          "Statement": [
              {
                  "Effect": "Allow",
                  "Action": "sts:AssumeRole",
                  "Resource": "*"
              }
          ]
        }
    4. Click Review Policy.

    5. Provide an appropriate name and description, then click Create Policy.

    6. In the Users section, click Add user.

    7. Provide an appropriate user name.

    8. Select AWS Management Console access and other roles as needed.

    9. Adjust the password requirements as necessary for your organization, then click Next: Policy.

    10. Click the Attach existing policies directly option.

    11. Search for and check the policy created in previous steps.

      It is not recommended to set a permissions boundary.

    12. Click Next: Tags, then click Next: Review. Confirm the configuration is correct.

    13. Click Create user, then click Close on the success page.

  3. Gather the IAM user’s Amazon Resource Name (ARN). The ARN will have the following format: arn:aws:iam::000111222333:user/username.
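The console steps above performed with the AWS CLI instead, as an added example that is not part of the OpenShift documentation. It assumes an aws CLI profile that is allowed to create IAM users and policies; the user name, policy name and OSD_* environment variables are placeholders.

```shell
#!/bin/sh
# Added example, not from the OpenShift docs: steps 2.1-2.13 and 3 as AWS CLI calls.
# Assumes an aws CLI profile that may create IAM users and policies.
# User/policy names and the initial password are placeholders.
set -eu

# The policy document from the procedure: only sts:AssumeRole is allowed.
osd_assume_role_policy() {
  cat <<'EOF'
{
  "Version": "2012-10-17",
  "Statement": [
    { "Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*" }
  ]
}
EOF
}

# Step 3 check: the value pasted into Cluster Manager must be an IAM *user* ARN
# of the form arn:aws:iam::000111222333:user/username (not a role ARN).
is_user_arn() {
  printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:user/.+$'
}

# Steps 2.x: create the policy and the user, enable console access, attach the policy.
create_osd_iam_user() {
  user="$1" policy_name="$2" password="$3"
  doc=$(mktemp)
  osd_assume_role_policy > "$doc"
  policy_arn=$(aws iam create-policy --policy-name "$policy_name" \
    --policy-document "file://$doc" --query Policy.Arn --output text)
  rm -f "$doc"
  aws iam create-user --user-name "$user" > /dev/null
  # Console sign-in (steps 2.8/2.9); the user must set a new password on first login.
  aws iam create-login-profile --user-name "$user" --password "$password" \
    --password-reset-required > /dev/null
  # No permissions boundary is set, matching the note in step 2.11.
  aws iam attach-user-policy --user-name "$user" --policy-arn "$policy_arn"
  # Step 3: print the user ARN to paste into OpenShift Cluster Manager.
  arn=$(aws iam get-user --user-name "$user" --query User.Arn --output text)
  is_user_arn "$arn" || { echo "unexpected ARN: $arn" >&2; return 1; }
  echo "$arn"
}

# Run only when explicitly requested, so the file can be sourced for its functions.
if [ "${OSD_APPLY:-0}" = "1" ]; then
  create_osd_iam_user "${OSD_USER:-osd-infra-access}" \
    "${OSD_POLICY:-osd-assume-role}" "$OSD_INITIAL_PASSWORD"
fi
```

Run with OSD_APPLY=1 and OSD_INITIAL_PASSWORD set to apply the changes; without them the script only defines the functions.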

Granting the IAM role from the OpenShift Cluster Manager

Procedure
  1. Open the OpenShift Dedicated Cluster Manager in your browser and select the cluster for which you want to allow AWS infrastructure access.

  2. Select the Access control tab, and scroll to the AWS Infrastructure Access section.

  3. Paste the AWS IAM ARN and select Network Management or Read-only permissions, then click Grant role.

  4. Copy the AWS OSD Console URL to your clipboard.

  5. Sign in to your AWS account with your Account ID or alias, IAM user name, and password.

  6. In a new browser tab, paste the AWS OSD Console URL; it routes you to the AWS Switch Role page.

  7. Your account number and role will be filled in already. Choose a display name if necessary, then click Switch Role. You will now see VPC under Recently visited services.