mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/hcp-aws-create-secret-s3.adoc
2025-08-13 13:53:59 +00:00

// Module included in the following assemblies:
//
// * hosted_control_planes/hcp-deploy/hcp-deploy-aws.adoc
:_mod-docs-content-type: PROCEDURE
[id="hcp-aws-create-secret-s3_{context}"]
= Creating the {aws-full} S3 bucket and S3 OIDC secret
Before you can create and manage hosted clusters on {aws-first}, you must create the S3 bucket and S3 OIDC secret.
.Procedure
. Create an S3 bucket that has public access to host OIDC discovery documents for your clusters by running the following commands:
+
[source,terminal]
----
$ aws s3api create-bucket --bucket <bucket_name> \ // <1>
    --create-bucket-configuration LocationConstraint=<region> \ // <2>
    --region <region> // <2>
----
<1> Replace `<bucket_name>` with the name of the S3 bucket you are creating.
<2> To create the bucket in a region other than the `us-east-1` region, include this line and replace `<region>` with the region you want to use. To create a bucket in the `us-east-1` region, omit this line.
+
[source,terminal]
----
$ aws s3api delete-public-access-block --bucket <bucket_name> // <1>
----
<1> Replace `<bucket_name>` with the name of the S3 bucket you are creating.
+
[source,terminal]
----
$ echo '{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::<bucket_name>/*" // <1>
    }
  ]
}' | envsubst > policy.json
----
<1> Replace `<bucket_name>` with the name of the S3 bucket you are creating.
+
[source,terminal]
----
$ aws s3api put-bucket-policy --bucket <bucket_name> \ // <1>
    --policy file://policy.json
----
<1> Replace `<bucket_name>` with the name of the S3 bucket you are creating.
+
[NOTE]
====
If you are using a Mac computer, you must export the bucket name in order for the policy to work.
====
. Create an OIDC S3 secret named `hypershift-operator-oidc-provider-s3-credentials` for the HyperShift Operator.
. Save the secret in the `local-cluster` namespace.
. Verify that the secret contains the fields listed in the following table:
+
.Required fields for the {aws-short} secret
[cols="2,2",options="header"]
|===
| Field name | Description
| `bucket`
| Contains an S3 bucket with public access to host OIDC discovery documents for your hosted clusters.
| `credentials`
| A reference to a file that contains the credentials of the `default` profile that can access the bucket. By default, HyperShift only uses the `default` profile to operate the `bucket`.
| `region`
| Specifies the region of the S3 bucket.
|===
. To create an {aws-short} secret, run the following command:
+
[source,terminal]
----
$ oc create secret generic <secret_name> \
    --from-file=credentials=<path>/.aws/credentials \
    --from-literal=bucket=<s3_bucket> \
    --from-literal=region=<region> \
    -n local-cluster
----
+
[NOTE]
====
Disaster recovery backup for the secret is not automatically enabled. To add the label that enables the `hypershift-operator-oidc-provider-s3-credentials` secret to be backed up for disaster recovery, run the following command:
[source,terminal]
----
$ oc label secret hypershift-operator-oidc-provider-s3-credentials \
    -n local-cluster cluster.open-cluster-management.io/backup=true
----
====
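The following script is an added example and is not part of the OpenShift documentation module above or the HyperShift project. It wraps the bucket, policy and secret steps of this procedure into checked helper functions: it validates the bucket name against the S3 naming rules, builds the `create-bucket` arguments so that `LocationConstraint` is omitted for `us-east-1` (the edge case the callout above describes), renders the public-read policy with `sed` instead of `envsubst` so that no variable has to be exported, and refuses to proceed if the rendered policy grants anything beyond `s3:GetObject` on objects. The function names, the `__BUCKET_NAME__` placeholder and the final dry-run output (it prints the `aws` and `oc` commands instead of running them) are conventions of this example, not of the documented procedure.

```shell
#!/bin/sh
# Added example, not part of the OpenShift docs module: prepare and check the
# inputs for the S3 OIDC bucket procedure without calling aws or oc.
# Assumes only POSIX sh, sed and grep.
set -eu

# S3 bucket naming rules: 3 to 63 characters, lowercase letters, digits, dots
# and hyphens, starting and ending with a letter or digit, not an IP address.
valid_bucket_name() {
  name=$1
  [ "${#name}" -ge 3 ] && [ "${#name}" -le 63 ] || return 1
  printf '%s' "$name" | grep -Eq '^[a-z0-9][a-z0-9.-]*[a-z0-9]$' || return 1
  printf '%s' "$name" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}$' && return 1
  return 0
}

# us-east-1 is the one region where --create-bucket-configuration must be
# omitted; every other region needs LocationConstraint set to that region.
create_bucket_args() {
  bucket=$1; region=$2
  if [ "$region" = "us-east-1" ]; then
    printf 's3api create-bucket --bucket %s --region %s' "$bucket" "$region"
  else
    printf 's3api create-bucket --bucket %s --create-bucket-configuration LocationConstraint=%s --region %s' \
      "$bucket" "$region" "$region"
  fi
}

# Render the public-read policy: anonymous s3:GetObject on objects only, so
# the OIDC discovery documents are readable but the bucket cannot be listed
# or written. __BUCKET_NAME__ is this example's placeholder (bucket names
# cannot contain '|', so it is safe as the sed delimiter).
render_policy() {
  bucket=$1
  cat <<'EOF' | sed "s|__BUCKET_NAME__|$bucket|"
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": "*",
      "Action": "s3:GetObject",
      "Resource": "arn:aws:s3:::__BUCKET_NAME__/*"
    }
  ]
}
EOF
}

# Guard: accept a policy only if it grants s3:GetObject on <bucket>/* and no
# wildcard, list, put or delete action. Protects against an edited template
# silently turning the public bucket into a writable or listable one.
policy_is_minimal() {
  policy=$1
  printf '%s' "$policy" | grep -Fq '"Action": "s3:GetObject"' || return 1
  printf '%s' "$policy" | grep -Eq '"Resource": "arn:aws:s3:::[a-z0-9.-]+/\*"' || return 1
  ! printf '%s' "$policy" | grep -Eiq 's3:(\*|List|Put|Delete)'
}

# Arguments for the oc command that stores the S3 OIDC secret in local-cluster.
secret_create_args() {
  secret=$1; creds=$2; bucket=$3; region=$4
  printf 'create secret generic %s --from-file=credentials=%s --from-literal=bucket=%s --from-literal=region=%s -n local-cluster' \
    "$secret" "$creds" "$bucket" "$region"
}

# Dry run: validate, write policy.json and print the commands to execute.
main() {
  bucket=$1; region=${2:-us-east-1}; creds=${3:-$HOME/.aws/credentials}
  valid_bucket_name "$bucket" || { echo "invalid S3 bucket name: $bucket" >&2; return 1; }
  policy=$(render_policy "$bucket")
  policy_is_minimal "$policy" || { echo "policy grants more than GetObject" >&2; return 1; }
  printf '%s\n' "$policy" > policy.json
  echo "aws $(create_bucket_args "$bucket" "$region")"
  echo "aws s3api delete-public-access-block --bucket $bucket"
  echo "aws s3api put-bucket-policy --bucket $bucket --policy file://policy.json"
  echo "oc $(secret_create_args hypershift-operator-oidc-provider-s3-credentials "$creds" "$bucket" "$region")"
}

# Only run when invoked with a bucket name, e.g.: sh prep-oidc-bucket.sh my-oidc-bucket eu-west-1
if [ "$#" -gt 0 ]; then main "$@"; fi
```

Run it with the bucket name and optionally the region and credentials path; it prints the four commands to review before executing them and leaves `policy.json` in the current directory. Because `sed` does the substitution, the exported-variable requirement mentioned in the Mac note above does not apply here.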