mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/rosa-sts-byo-oidc.adoc
2025-07-22 23:20:27 +00:00

// Module included in the following assemblies:
//
// * rosa_architecture/rosa-oidc-overview.adoc
// * rosa_architecture/rosa-sts-about-iam-resources.adoc
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
// * rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
// * rosa_planning/rosa-hcp-prepare-iam-resources.adoc
ifeval::["{context}" == "rosa-hcp-cluster-no-cni"]
:hcp:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="rosa-sts-byo-oidc_{context}"]
= Creating an OpenID Connect configuration
When creating a
ifdef::openshift-rosa-hcp[]
{rosa-short}
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa[]
ifdef::hcp[]
{rosa-short}
endif::hcp[]
ifndef::hcp[]
{rosa-classic-short}
endif::hcp[]
endif::openshift-rosa[]
cluster, you can create the OpenID Connect (OIDC) configuration prior to creating your cluster. This configuration is registered to be used with OpenShift Cluster Manager.

.Prerequisites
ifdef::openshift-rosa-hcp[]
* You have completed the AWS prerequisites for {rosa-short}.
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa[]
* You have completed the AWS prerequisites for
ifdef::hcp[]
{rosa-short}.
endif::hcp[]
ifndef::hcp[]
{rosa-classic-short}.
endif::hcp[]
endif::openshift-rosa[]
* You have installed and configured the latest ROSA CLI, `rosa`, on your installation host.

.Procedure
. To create your OIDC configuration alongside the AWS resources, run the following command:
+
[source,terminal]
----
$ rosa create oidc-config --mode=auto --yes
----
+
This command returns the following information.
+
.Example output
+
[source,terminal]
----
? Would you like to create a Managed (Red Hat hosted) OIDC Configuration Yes
I: Setting up managed OIDC configuration
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
? Create the OIDC provider? Yes
I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'
----
+
When creating your cluster, you must supply the OIDC config ID. With `--mode auto`, the CLI output provides this value. With `--mode manual`, you must determine it from the `aws` CLI output.
. Optional: save the OIDC configuration ID as a variable for later use by running the following command:
+
--
[source,terminal]
----
$ export OIDC_ID=<oidc_config_id><1>
----
<1> In the example output above, the OIDC configuration ID is 13cdr6b.
--
** View the value of the variable by running the following command:
+
[source,terminal]
----
$ echo $OIDC_ID
----
+
.Example output
+
[source,terminal]
----
13cdr6b
----

.Verification
* List the OIDC configurations associated with your user organization that are available to your clusters by running the following command:
+
[source,terminal]
----
$ rosa list oidc-config
----
+
.Example output
+
[source,terminal]
----
ID MANAGED ISSUER URL SECRET ARN
2330dbs0n8m3chkkr25gkkcd8pnj3lk2 true https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
233hvnrjoqu14jltk6lhbhf2tj11f8un false https://oidc-r7u1.s3.us-east-1.amazonaws.com aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN
----
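The procedure above reads the OIDC configuration ID out of the `rosa create oidc-config` output by hand, and the verification step lists the registered configurations. The following shell script, added here as an example and not part of the ROSA documentation or the `rosa` CLI, does the same two checks over captured output: it extracts the config ID and the provider ARN from the creation output, looks the ID up in `rosa list oidc-config` output, and confirms that the provider ARN registered in IAM points at the same issuer host before printing the `export OIDC_ID=...` line. The sample outputs are constructed from the example output on this page (the `13cdr6b` row in the list sample is added so the lookup can succeed); the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the ROSA docs: parse captured `rosa` output and
# cross-check the OIDC config ID, issuer URL and provider ARN before exporting.

# Constructed sample: output of `rosa create oidc-config --mode=auto --yes`,
# copied from the example output on this page.
CREATE_OUTPUT=$(cat <<'EOF'
I: Setting up managed OIDC configuration
I: To create Operator Roles for this OIDC Configuration, run the following command and remember to replace <user-defined> with a prefix of your choice:
rosa create operator-roles --prefix <user-defined> --oidc-config-id 13cdr6b
If you are going to create a Hosted Control Plane cluster please include '--hosted-cp'
I: Creating OIDC provider using 'arn:aws:iam::4540112244:user/userName'
? Create the OIDC provider? Yes
I: Created OIDC provider with ARN 'arn:aws:iam::4540112244:oidc-provider/dvbwgdztaeq9o.cloudfront.net/13cdr6b'
EOF
)

# Constructed sample: output of `rosa list oidc-config`, with a row for the
# config created above added to the rows shown on this page.
LIST_OUTPUT=$(cat <<'EOF'
ID MANAGED ISSUER URL SECRET ARN
13cdr6b true https://dvbwgdztaeq9o.cloudfront.net/13cdr6b
233hvnrjoqu14jltk6lhbhf2tj11f8un false https://oidc-r7u1.s3.us-east-1.amazonaws.com aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN
EOF
)

# Print the alphanumeric value that follows --oidc-config-id on the
# "rosa create operator-roles" hint line; fail if there is none.
extract_oidc_config_id() {
    id=$(printf '%s\n' "$1" |
        sed -n 's/.*--oidc-config-id[[:space:]]\{1,\}\([[:alnum:]]\{1,\}\).*/\1/p' |
        head -n 1)
    [ -n "$id" ] || return 1
    printf '%s\n' "$id"
}

# Print the ARN quoted on the "Created OIDC provider with ARN '...'" line.
extract_provider_arn() {
    arn=$(printf '%s\n' "$1" |
        sed -n "s/^I: Created OIDC provider with ARN '\([^']*\)'.*/\1/p" |
        head -n 1)
    [ -n "$arn" ] || return 1
    printf '%s\n' "$arn"
}

# Print the ISSUER URL column for the row whose ID column matches $2 in
# `rosa list oidc-config` output ($1); skip the header; fail if not listed.
issuer_url_for_id() {
    url=$(printf '%s\n' "$1" | awk -v id="$2" 'NR > 1 && $1 == id { print $3; exit }')
    [ -n "$url" ] || return 1
    printf '%s\n' "$url"
}

# Succeed only if the IAM provider ARN ($1) names the same host and path as the
# issuer URL ($2): the ARN part after "oidc-provider/" must equal the URL
# without its "https://" scheme.
arn_matches_issuer() {
    arn_path=${1#*:oidc-provider/}
    url_host=${2#https://}
    [ "$arn_path" = "$url_host" ]
}

# Demo on the constructed samples: print the export line only when every check
# passes, otherwise report the mismatch and leave OIDC_ID unset.
if OIDC_ID=$(extract_oidc_config_id "$CREATE_OUTPUT") &&
   PROVIDER_ARN=$(extract_provider_arn "$CREATE_OUTPUT") &&
   ISSUER_URL=$(issuer_url_for_id "$LIST_OUTPUT" "$OIDC_ID") &&
   arn_matches_issuer "$PROVIDER_ARN" "$ISSUER_URL"; then
    printf 'export OIDC_ID=%s\n' "$OIDC_ID"
else
    echo "OIDC configuration check failed; do not pass this ID to rosa create cluster" >&2
fi
```

To use it against a real run, replace the two constructed samples with the saved output of the commands, for example `CREATE_OUTPUT=$(rosa create oidc-config --mode=auto --yes)` and `LIST_OUTPUT=$(rosa list oidc-config)`. The ARN-to-issuer comparison is the part worth keeping: an operator role trust policy is only as good as the provider it trusts, so the ID you export should be the one whose issuer IAM actually registered.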
ifeval::["{context}" == "rosa-hcp-cluster-no-cni"]
:!hcp:
endif::[]