This is a cache of https://docs.openshift.com/acs/4.5/operating/manage-user-access/configure-short-lived-access.html. It is a snapshot of the page at 2024-11-23T18:06:48.983+0000.
Configuring short-lived access - Managing <strong>user</strong> access | Operating | Red Hat Advanced Cluster Security for Kubernetes 4.5
×

Red Hat Advanced Cluster Security for Kubernetes (RHACS) provides the ability to configure short-lived access to the user interface and API calls.

You can configure this by exchanging OpenID Connect (OIDC) identity tokens for a RHACS-issued token.

We recommend this especially for Continuous Integration (CI) usage, where short-lived access is preferable over long-lived API tokens.

The following steps outline the high-level workflow on how to configure short-lived access to the user interface and API calls:

  1. Configuring RHACS to trust OIDC identity token issuers for exchanging short-lived RHACS-issued tokens.

  2. Exchanging an OIDC identity token for a short-lived RHACS-issued token by calling the API.

Configure short-lived access for an OIDC identity token issuer

Start configuring short-lived access for an OpenID Connect (OIDC) identity token issuer.

Procedure
  1. In the RHACS portal, go to Platform ConfigurationIntegrations.

  2. Scroll to the Authentication Tokens category, and then click Machine access configuration.

  3. Click Create configuration.

  4. Select the configuration type, choosing one of the following:

    • Generic if you use an arbitrary OIDC identity token issuer.

    • GitHub Actions if you plan to access RHACS from GitHub Actions.

  5. Enter the OIDC identity token issuer.

  6. Enter the token lifetime for tokens issued by the configuration.

    The format for the token lifetime is XhYmZs and cannot be set longer than 24 hours.

  7. Add rules to the configuration:

    • The Key is the OIDC token’s claim to use.

    • The Value is the expected OIDC token claim value.

    • The Role is the role to assign to the token if the OIDC token claim and value exist.

      Rules are similar to Authentication Provider rules to assign roles based on claim values.

      As a general rule, Red Hat recommends to use unique, immutable claims within Rules. The general recommendation is to use the sub claim within the OIDC identity token. For more information about OIDC token claims, see the list of standard OIDC claims.

  8. Click Save.

Exchanging an identity token

Prerequisites
  • You have a valid OpenID Connect (OIDC) token.

  • You added a Machine access configuration for the RHACS instance you want to access.

Procedure
  1. Prepare the POST request’s JSON data:

    {
        "idToken": "<id_token>"
    }
  2. Send a POST request to the API /v1/auth/m2m/exchange.

  3. Wait for the API response:

    {
        "accessToken": "<access_token>"
    }
  4. Use the returned access token to access the RHACS instance.

If you are using GitHub Actions, you can use the stackrox/central-login GitHub Action.