This is a tool for allowing Openshift to install using STS based credentials

go get github.com/sjenning/sts-preflight
cd $GOPATH/src/github.com/sjenning/sts-preflight
go build .

Usage:
  sts-preflight [command]

Available Commands:
  assume      Get STS credentials using an OIDC token
  create      Creates STS infrastructure in AWS
  destroy     Removes STS infrastructure from AWS (not implemented yet)
  help        Help about any command
  token       Creates a token signed by the RSA private key and validated by the OIDC provider

./sts-preflight create --infra-name example --region us-west-1

This command

• creates an RSA keypair
• create a JKWS document with the public part of the keypair
• creates an OIDC discovery document
• creates s3 bucket with the discovery and JKWS documents in the specified region
• creates an OIDC provider in IAM whose issuer is the s3 bucket URL
• creates an installer Role with the OIDC provider as a Trusted Entity and attaches an Administrator policy

./sts-create token

This command creates a JWT signed by the RSA private key, created by sts-preflight create, and stores it in _output/token. This token is validated by the OIDC provider, which contains the matching key ID (kid) in the JWKS. The installer Role can then be assumed since the OIDC provider is a Trusted Entity for the Role.

After this step, one can source scripts/set-role-creds.sh to set AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE. Then one can execute aws CLI commands allowing the CLI to do the AssumeRoleWithWebIdentity and use the STS issued credentials (cached until expiration).

./sts-create assume

This command uses the OIDC token, created with sts-preflight token, to get STS to mint credentials sufficient to assume the role and outputs the export commands needed to use those credentials with anything that uses that standard AWS SDK environment variables to make AWS API requests.