Bug 1388468

Summary: AWS: Use short term tokens via roles instead of access tokens
Product: OpenShift Container Platform
Reporter: Vladislav Walek <vwalek>
Component: RFE
Assignee: Mo <mkhan>
Status: CLOSED DEFERRED
QA Contact: Xiaoli Tian <xtian>
Severity: low
Docs Contact:
Priority: unspecified
Version: 3.3.0
CC: aos-bugs, bchilds, jokerman, mbarrett, mfojtik, misalunk, mkhan, mmccomas, simon.gunzenreiner, ssorce, vwalek
Target Milestone: ---
Target Release: ---
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2018-03-12 13:54:36 UTC
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:

Description Vladislav Walek 2016-10-25 12:25:56 UTC
Description of problem:

The OpenShift configuration for AWS requires long term access tokens to be configured. Using long-term access tokens has a big drawback, because they don't time out and might be abused. This will require us to renew such access tokens.
Using access tokens should be considered an insecure approach, because of the long validity of a token. We would like OpenShift to work with AWS instance roles. OpenShift should use the AWS API to obtain and renew short term access tokens, given that a node has a role that grants this.
To prevent abuse of AWS access tokens.


Version-Release number of selected component (if applicable):

OpenShift Container Platform 3.3


How reproducible:


Steps to Reproduce:
1.
2.
3.

Actual results:


Expected results:



Additional info:
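The behaviour requested above, as an added illustration that is not OpenShift's or AWS's own code: a minimal cache that reads the credential document an EC2 instance role serves, classifies the key it contains, and renews it before `Expiration`. The fetcher is injected so the example runs offline against the constructed `SAMPLE_IMDS_DOC`; on a real node it would be an HTTP GET to the instance metadata service for the node's role.

```python
"""Instance-role (short-term) credentials versus static access keys."""
import json
from datetime import datetime, timedelta, timezone

# Constructed sample of the JSON document an EC2 instance role returns
# (field names follow the metadata service; all values here are fake).
SAMPLE_IMDS_DOC = json.dumps({
    "Code": "Success",
    "LastUpdated": "2016-10-25T12:00:00Z",
    "Type": "AWS-HMAC",
    "AccessKeyId": "ASIAEXAMPLEEXAMPLE01",
    "SecretAccessKey": "constructed-secret",
    "Token": "constructed-session-token",
    "Expiration": "2016-10-25T18:00:00Z",
})


def key_kind(access_key_id: str) -> str:
    """Classify an access key id by its prefix: AKIA is a long-term IAM user
    key (what the report objects to), ASIA a temporary STS credential (what
    an instance role yields)."""
    if access_key_id.startswith("AKIA"):
        return "long-term"
    if access_key_id.startswith("ASIA"):
        return "temporary"
    return "unknown"


def parse_expiration(ts: str) -> datetime:
    """Parse the ISO-8601 UTC timestamp used by the credential document."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


class RoleCredentials:
    """Caches role credentials and re-fetches them shortly before they expire,
    so callers never hold a key that outlives the role session."""

    def __init__(self, fetch, margin=timedelta(minutes=5)):
        self._fetch = fetch      # callable returning the credential JSON text
        self._margin = margin    # renew this long before Expiration
        self._creds = None
        self.refreshes = 0       # how many times credentials were fetched

    def get(self, now: datetime) -> dict:
        if self._creds is None or now >= self._creds["Expiration"] - self._margin:
            doc = json.loads(self._fetch())
            if doc.get("Code") != "Success":
                raise RuntimeError("role credentials unavailable: %s" % doc.get("Code"))
            doc["Expiration"] = parse_expiration(doc["Expiration"])
            self._creds = doc
            self.refreshes += 1
        return self._creds
```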

Comment 2 Dan McPherson 2016-10-31 12:52:03 UTC
*** Bug 1388939 has been marked as a duplicate of this bug. ***

Comment 5 Simo Sorce 2017-10-24 16:52:48 UTC
Isn't this something storage people should be involved with?

Comment 10 Simo Sorce 2018-01-17 22:06:32 UTC
Bradley,
maybe you understand better than us what's the ask here.

Comment 12 Simon Gunzenreiner 2018-01-24 13:35:07 UTC
Does this AWS documentation help to clarify what this is about? 

https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/iam-roles-for-amazon-ec2.html

Comment 14 Eric Rich 2018-03-12 13:54:36 UTC
This bug has been identified as a dated (created more than 3 months ago) bug.
This bug has been triaged (has a trello card linked to it), or reviewed by Engineering/PM and has been put into the product backlog,
however this bug has not been slated for a currently planned release (3.9, 3.10 or 3.11), which cover our releases for the rest of the calendar year.

As a result of this bug's age, state on the current roadmap and PM Score (being below 70), this bug is being Closed - Deferred,
as it is currently not part of the product's immediate priorities.

Please see: https://docs.google.com/document/d/1zdqF4rB3ea8GmVIZ7qWCVYUaQ7-EexUrQEF0MTwdDkw/edit for more details.