openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc
EricPonvelle b4623ecb5d OSDOCS-15910: Pruning HCP Cluster Installation
2025-09-04 19:48:52 +00:00

101 lines
3.5 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
:_mod-docs-content-type: PROCEDURE
[id="rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli_{context}"]
= Creating an external authentication provider
:source-highlighter: pygments
:pygments-style: emacs
:icons: font
After you have created a {product-title} cluster with the enabled option for external authentication providers, you must create a provider using the ROSA CLI.
[NOTE]
====
Similar to the `rosa create|delete|list idp[s]` command in the ROSA CLI, you cannot edit an existing identity provider that you created using `rosa create external-auth-provider`. Instead, you must delete the external authentication provider and create a new one.
====
The following table shows the possible CLI flags you can use when creating your external authentication provider:
[cols="1,1", options="header"]
|===
|CLI Flag
|Description
|`--cluster`
|The name or the ID of your cluster.
|`--name`
|A name that is used to refer to the external authentication provider.
|`--console-client-secret`
|This string is the client secret that is used to associate your account with the application. If you do not include the client secret, this command uses a public OIDC OAuthClient.
|`--issuer-audiences`
|This is a comma-separated list of token audiences.
|`--issuer-url`
|The URL of the token issuer.
|`--claim-mapping-username-claim`
|The name of the claim that should be used to construct user names for the cluster identity.
|`--claim-mapping-groups-claim`
|The name of the claim that should be used to construct group names for the cluster identity.
|===
.Procedure
* To use the interactive command-line interface, run the following command:
+
.Example input
[source,terminal]
----
$ rosa create external-auth-provider -c <cluster_name>
----
+
.Example output
--
[source,terminal]
----
I: Enabling interactive mode
? Name: <1>
? Issuer audiences: <2>
? The serving url of the token issuer: <3>
? CA file path (optional): <4>
? Claim mapping username: <5>
? Claim mapping groups: <6>
? Claim validation rule (optional): <7>
? Console client id (optional): <8>
----
<1> The name of your external authentication provider. This name should be a lower-case with numbers and dashes.
<2> The audience IDs that this authentication provider issues tokens for.
<3> The issuer's URL that serves the token.
<4> Optional: The certificate file to use when making requests.
<5> The name of the claim that is used to construct the user names for cluster identity, such as using `email`.
<6> The method with which to transform the ID token into a cluster identity, such as using `groups`.
<7> Optional: The rules that help validate token claims which authenticate your users. This field should be formatted as `:<required_value>`.
<8> Optional: The application or client ID that your app registration uses for the console.
--
* You can include the required IDs to create your external authentication provider with the following command:
+
[source,terminal]
----
rosa create external-auth-provider --cluster=<cluster_id> \
--name=<provider_name> --issuer-url=<issuing_url> \
--issuer-audiences=<audience_id> \
--claim-mapping-username-claim=email \
--claim-mapping-groups-claim=groups \
--console-client-id=<client_id_for_app_registration> \
--console-client-secret=<client_secret>
----
+
.Example output
+
[source,terminal]
----
I: Successfully created an external authentication provider for cluster 'ext-auth-test'
----
View Git Blame Copy Permalink