This is a cache of https://docs.openshift.com/container-platform/4.15/authentication/managing_cloud_provider_credentials/cco-mode-manual.html. It is a snapshot of the page at 2024-11-26T12:03:15.615+0000.
Manual mode with long-term credentials for components - Managing cloud provider credentials | Authentication and authorization | OpenShift Container Platform 4.15

Manual mode is supported for Alibaba Cloud, Amazon Web Services (AWS), global Microsoft Azure, Microsoft Azure Stack Hub, Google Cloud Platform (GCP), IBM Cloud®, and Nutanix.

User-managed credentials

In manual mode, a user manages cloud credentials instead of the Cloud Credential Operator (CCO). To use this mode, you must examine the CredentialsRequest CRs in the release image for the version of OpenShift Container Platform that you are running or installing, create corresponding credentials in the underlying cloud provider, and create Kubernetes secrets in the correct namespaces to satisfy all CredentialsRequest CRs for the cluster’s cloud provider. Some platforms use the CCO utility (ccoctl) to facilitate this process during installation and updates.

Using manual mode with long-term credentials allows each cluster component to have only the permissions it requires, without storing an administrator-level credential in the cluster. This mode also does not require connectivity to services such as the AWS public IAM endpoint. However, you must manually reconcile permissions with new release images for every upgrade.
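The reconciliation step described above can be checked before an upgrade. This is an added example, not taken from the OpenShift documentation. It assumes that the CredentialsRequest CRs of the current and target release images are already loaded as dictionaries and that they use the AWS provider spec layout (`spec.secretRef`, `spec.providerSpec.statementEntries`). The namespaces, secret names and permissions in the sample data are constructed.

```python
"""Pre-upgrade check for manual mode: which CredentialsRequest CRs lack a
secret, and which permissions does the target release add?"""


def target(cr):
    """(namespace, name) of the secret this CredentialsRequest expects."""
    ref = cr["spec"]["secretRef"]
    return (ref["namespace"], ref["name"])


def allowed_actions(cr):
    """Set of actions granted by the Allow statements of the provider spec."""
    entries = cr["spec"].get("providerSpec", {}).get("statementEntries", [])
    return {a for e in entries if e.get("effect") == "Allow"
            for a in e.get("action", [])}


def missing_secrets(crs, existing):
    """Secret targets required by the CRs that are absent from the cluster."""
    return sorted(target(cr) for cr in crs if target(cr) not in existing)


def added_permissions(old_crs, new_crs):
    """Per secret target, actions the new release needs beyond the old one."""
    old = {target(cr): allowed_actions(cr) for cr in old_crs}
    report = {}
    for cr in new_crs:
        extra = allowed_actions(cr) - old.get(target(cr), set())
        if extra:
            report[target(cr)] = sorted(extra)
    return report


def make_cr(namespace, name, actions):
    """Build a constructed sample CR; all values are illustrative only."""
    statement = {"effect": "Allow", "action": actions, "resource": "*"}
    return {"apiVersion": "cloudcredential.openshift.io/v1",
            "kind": "CredentialsRequest",
            "spec": {"secretRef": {"namespace": namespace, "name": name},
                     "providerSpec": {"kind": "AWSProviderSpec",
                                      "statementEntries": [statement]}}}


# Constructed sample data: running release, target release, secrets in cluster.
CURRENT_RELEASE = [make_cr("example-registry", "registry-creds",
                           ["s3:GetObject", "s3:PutObject"])]
TARGET_RELEASE = [make_cr("example-registry", "registry-creds",
                          ["s3:GetObject", "s3:PutObject", "s3:ListBucket"]),
                  make_cr("example-storage", "storage-creds",
                          ["ec2:DescribeVolumes"])]
EXISTING_SECRETS = {("example-registry", "registry-creds")}
```

An empty result from both functions means the existing secrets and their cloud-side permissions already satisfy the target release; any entry identifies a credential to create or a policy to extend before upgrading.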

For information about configuring your cloud provider to use manual mode, see the manual credentials management options for your cloud provider.

An AWS, global Azure, or GCP cluster that uses manual mode might be configured to use short-term credentials for different components. For more information, see Manual mode with short-term credentials for components.