This Ansible project automates the credential rotation process for OpenShift Container Platform (OCP) clusters using the Cloud Credential Operator (CCO) in mint mode on AWS.
The steps outlined in the documentation can be found here
- Overview
- Prerequisites
- Installation
- IAM Permissions
- Usage
- Security Considerations
- Troubleshooting
- Project Structure
- Contributing
- License
- Support
This automation handles the complete credential rotation workflow:
- Discovers the current IAM "root" identity by finding which IAM user owns the aws_access_key_id stored in the aws-creds secret
- Deletes the old IAM user entirely
- Creates the standardized ocp-credential-manager-<GUID> IAM user with the proper CCO permissions
- Generates a new AWS access key for the ocp-credential-manager-<GUID> IAM user
- Updates the aws-creds secret in the kube-system namespace with the new IAM access key
- Deletes all component secrets in OCP that were created from the AWS credentials_requests, to trigger CCO rotation
- Verifies that all component secrets are re-created (and consequently rotated)
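The discovery step above has one subtlety worth seeing in code: both IAM listing calls are paginated, and the owner of the key may be a user that only appears on a later page. The following is an added example, not the project's playbook code, that walks the account with the boto3 response shapes of list_users and list_access_keys. A small constructed in-memory client (FakeIAM, with one item per page to force pagination) stands in for boto3 so it runs offline; a real boto3.Session(profile_name=...).client("iam") can be passed in its place.

```python
"""Find which IAM user owns a given access key id (added example, not the
project's code).  Only key ids are compared; secret keys are never read."""
from typing import Dict, List, Optional


def find_user_for_access_key(iam, access_key_id: str) -> Optional[str]:
    """Return the IAM UserName that owns ``access_key_id``, or None.

    ``iam`` is any object with boto3-style list_users / list_access_keys
    methods.  Both calls page with IsTruncated / Marker, so every page of
    users and every page of keys per user is walked.
    """
    users_marker = None
    while True:
        page = iam.list_users(**({"Marker": users_marker} if users_marker else {}))
        for user in page["Users"]:
            name = user["UserName"]
            keys_marker = None
            while True:
                kwargs = {"UserName": name}
                if keys_marker:
                    kwargs["Marker"] = keys_marker
                keys = iam.list_access_keys(**kwargs)
                if any(k["AccessKeyId"] == access_key_id for k in keys["AccessKeyMetadata"]):
                    return name
                if not keys.get("IsTruncated"):
                    break
                keys_marker = keys["Marker"]
        if not page.get("IsTruncated"):
            return None
        users_marker = page["Marker"]


class FakeIAM:
    """Constructed stand-in for boto3's IAM client.  Pages are one item
    long so the pagination paths of the caller are exercised."""

    def __init__(self, users: Dict[str, List[str]]):
        # users maps UserName -> list of AccessKeyId (constructed data)
        self._users = users

    @staticmethod
    def _page(items, marker, field):
        start = int(marker) if marker else 0
        out = {field: items[start:start + 1], "IsTruncated": start + 1 < len(items)}
        if out["IsTruncated"]:
            out["Marker"] = str(start + 1)
        return out

    def list_users(self, Marker=None):
        return self._page([{"UserName": u} for u in self._users], Marker, "Users")

    def list_access_keys(self, UserName, Marker=None):
        keys = [{"UserName": UserName, "AccessKeyId": k} for k in self._users[UserName]]
        return self._page(keys, Marker, "AccessKeyMetadata")


# Constructed sample account: a legacy installer user with two keys and an
# already-standardized user with one.  Key ids are placeholders.
SAMPLE_ACCOUNT = FakeIAM({
    "legacy-installer-user": ["AKIACONSTRUCTED0001", "AKIACONSTRUCTED0002"],
    "ocp-credential-manager-abc12": ["AKIACONSTRUCTED0003"],
})


if __name__ == "__main__":
    # Simulates reading aws_access_key_id out of the aws-creds secret.
    current_key_id = "AKIACONSTRUCTED0002"
    print(find_user_for_access_key(SAMPLE_ACCOUNT, current_key_id))  # legacy-installer-user
```

Because the lookup is keyed on the access key id alone, it works no matter what the old user was named, which is exactly why the playbook can delete a user that does not follow the ocp-credential-manager-<GUID> pattern.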
- OpenShift cluster running on AWS
- Cloud Credential Operator (CCO) configured in mint mode
- Valid kubeconfig file with cluster-admin permissions
- AWS CLI configured with appropriate profile
- AWS profile with permissions to manage the CCO IAM user and perform credential rotation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:ListUsers",
        "iam:ListAccessKeys",
        "iam:CreateUser",
        "iam:DeleteUser",
        "iam:CreateAccessKey",
        "iam:DeleteAccessKey",
        "iam:GetUser",
        "iam:AttachUserPolicy",
        "iam:PutUserPolicy"
      ],
      "Resource": "*"
    }
  ]
}
Why these permissions are needed:
- iam:ListUsers - To discover all IAM users and find the one associated with the current access key
- iam:ListAccessKeys - To check access keys for each user during discovery
- iam:CreateUser - To create the new standardized IAM user
- iam:DeleteUser - To delete the old IAM user (which may not follow the naming pattern)
- iam:CreateAccessKey - To generate new access keys for the IAM user
- iam:DeleteAccessKey - To clean up old access keys
- iam:GetUser - To verify user existence and get user details
- iam:AttachUserPolicy / iam:PutUserPolicy - To attach the CCO policy to the IAM user
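A pre-flight check that the profile's policy actually grants every action in the list above avoids a rotation that fails half-way (old user deleted, new key not yet written). This is an added example, not part of the project: it evaluates a policy document with a deliberately small subset of IAM semantics (Allow grants, an explicit Deny wins, "*" and "?" wildcards in Action are honoured, Resource and Condition are ignored because both policies in this README use Resource "*"). The authoritative check remains iam:SimulatePrincipalPolicy against the real principal.

```python
"""Offline check that an IAM policy document covers the actions the
rotation workflow needs (added example, not the project's code)."""
from fnmatch import fnmatchcase
from typing import Dict, List, Union

# The actions the README lists for the operator's AWS profile.
REQUIRED_ACTIONS = [
    "iam:ListUsers", "iam:ListAccessKeys", "iam:CreateUser", "iam:DeleteUser",
    "iam:CreateAccessKey", "iam:DeleteAccessKey", "iam:GetUser",
    "iam:AttachUserPolicy", "iam:PutUserPolicy",
]


def _as_list(value: Union[str, Dict, List]) -> List:
    """IAM allows Statement and Action to be a single item or a list."""
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern: str, action: str) -> bool:
    """IAM action patterns are case-insensitive and support '*' and '?'."""
    return fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy: Dict, action: str) -> bool:
    """True if some Allow statement matches ``action`` and no Deny does.
    NotAction is not handled; a policy using it should be simulated instead."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        for pattern in _as_list(stmt.get("Action", [])):
            if _matches(pattern, action):
                if stmt.get("Effect") == "Allow":
                    allowed = True
                elif stmt.get("Effect") == "Deny":
                    denied = True
    return allowed and not denied


def missing_actions(policy: Dict, required: List[str] = REQUIRED_ACTIONS) -> List[str]:
    """Actions from ``required`` that ``policy`` does not grant."""
    return [a for a in required if not action_allowed(policy, a)]


# The operator policy exactly as the README shows it.
OPERATOR_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": REQUIRED_ACTIONS, "Resource": "*"}],
}

# Constructed variant: a broad iam:* grant undercut by an explicit Deny,
# the kind of guardrail SCP-style policies often add.
DENY_DELETE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:*", "Resource": "*"},
        {"Effect": "Deny", "Action": ["iam:DeleteUser"], "Resource": "*"},
    ],
}


if __name__ == "__main__":
    print("operator policy missing:", missing_actions(OPERATOR_POLICY))      # []
    print("deny variant missing:", missing_actions(DENY_DELETE_POLICY))      # ['iam:DeleteUser']
```

Run it against the policy JSON attached to the profile (for example the output of aws iam get-policy-version, parsed with json.load) before starting a rotation; an empty list means every required action is granted.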
- Python 3.8+
- Ansible 2.15+
- Required Python packages (installed automatically):
  - kubernetes
  - boto3
  - botocore
- Clone this repository:
git clone <repository-url>
cd creds_rotation_2.0
- Create and activate a Python virtual environment:
python3 -m venv venv
source venv/bin/activate # On Linux/Mac
# or
venv\Scripts\activate # On Windows
- Install Ansible:
pip install ansible
- Install required Ansible collections:
ansible-galaxy collection install -r requirements.yml
The playbook uses the following collections:
- amazon.aws - Official AWS collection for IAM operations
- kubernetes.core - Kubernetes/OpenShift cluster interactions
The ocp-credential-manager-<GUID> IAM user will have the following permissions for CCO operations, according to the official documentation:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateAccessKey",
        "iam:CreateUser",
        "iam:DeleteAccessKey",
        "iam:DeleteUser",
        "iam:DeleteUserPolicy",
        "iam:GetUser",
        "iam:GetUserPolicy",
        "iam:ListAccessKeys",
        "iam:PutUserPolicy",
        "iam:TagUser",
        "iam:SimulatePrincipalPolicy"
      ],
      "Resource": "*"
    }
  ]
}
The CCO IAM policy is defined in group_vars/all.yml and can be customized if needed:
# IAM Policy Configuration
cco_iam_policy_name: "CCOCredentialRotationPolicy"
cco_iam_policy_document:
  Version: "2012-10-17"
  Statement:
    - Effect: "Allow"
      Action:
        - "iam:CreateAccessKey"
        - "iam:CreateUser"
        # ... other permissions
      Resource: "*"
To modify the policy:
- Edit group_vars/all.yml
- Update the cco_iam_policy_document section
- The changes will be applied on the next playbook run
The playbook can be run with default values or with custom parameters:
# Using defaults (aws_profile="default", kubeconfig_path="~/.kube/config")
ansible-playbook main.yml
# Or with custom values
ansible-playbook main.yml \
-e "kubeconfig_path=/path/to/your/kubeconfig" \
-e "aws_profile=your-aws-profile"
# Using defaults
ansible-playbook main.yml
# Using custom AWS profile but default kubeconfig location
ansible-playbook main.yml -e "aws_profile=ocp-admin"
# Using custom values for both
ansible-playbook main.yml \
-e "kubeconfig_path=/home/user/.kube/config" \
-e "aws_profile=ocp-admin"
Use tags to run only specific parts of the playbook:
# Only AWS operations
ansible-playbook main.yml -e "..." --tags aws
# Only Kubernetes operations
ansible-playbook main.yml -e "..." --tags kubernetes
# Only cleanup
ansible-playbook main.yml -e "..." --tags cleanup
- All sensitive credentials are handled securely with no_log: true
- Credentials are never stored in plain text files
- Old access keys are automatically deleted after successful rotation
- Use secure storage for kubeconfig files
- "IAM user not found"
  - Ensure the OpenShift cluster is properly configured with CCO in mint mode
  - Verify the cluster infrastructure name matches the IAM user suffix
- "aws-creds secret not found"
  - Check that CCO is running and properly configured. The creation of this secret is handled by the CCO
  - Verify the cluster is in mint mode (not STS/manual mode)
- "Permission denied"
  - Verify the AWS profile has the required IAM permissions
  - Check that the kubeconfig has cluster-admin permissions
- "Component secrets not recreated"
  - This operation is handled by the CCO. Monitor CCO logs for errors
  - Check CredentialsRequest resources for issues
Check the following logs for troubleshooting:
- CCO logs:
  oc logs -n openshift-cloud-credential-operator deployment/cloud-credential-operator
- Ansible verbose output: add -v, -vv, or -vvv to the playbook command
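The final workflow step (verifying that every component secret was re-created) and the "Component secrets not recreated" item above both come down to the same check: for each AWS CredentialsRequest, does a secret with the referenced namespace/name exist again, and is it newer than the rotation? The following is an added example, not the project's playbook code, that performs this check offline on resource dictionaries shaped like the items of oc get credentialsrequests -A -o json and oc get secret -o json. The sample objects are constructed, not taken from a real cluster, and using creationTimestamp versus the rotation start time to tell a fresh secret from a leftover one is this example's assumption; the README only states that secrets are verified.

```python
"""Verify that CCO re-created every AWS component secret after rotation
(added example, not the project's code)."""
from datetime import datetime, timezone
from typing import Dict, List, Tuple


def _ts(value: str) -> datetime:
    """Parse the RFC 3339 UTC timestamps Kubernetes emits (trailing 'Z')."""
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def aws_secret_refs(credentials_requests: List[Dict]) -> List[Tuple[str, str]]:
    """(namespace, name) of the secret each AWS CredentialsRequest asks CCO for.

    Requests for other providers are skipped: mint-mode rotation on AWS only
    re-creates the AWS-backed secrets.
    """
    refs = []
    for cr in credentials_requests:
        spec = cr.get("spec", {})
        if spec.get("providerSpec", {}).get("kind") != "AWSProviderSpec":
            continue
        ref = spec["secretRef"]
        refs.append((ref["namespace"], ref["name"]))
    return refs


def pending_rotations(credentials_requests: List[Dict], secrets: List[Dict],
                      rotation_started_at: str) -> List[Tuple[str, str, str]]:
    """(namespace, name, reason) for every AWS component secret that is still
    'missing' (CCO has not re-created it yet) or 'stale' (its creation
    predates the rotation, so it was never deleted or was restored).
    An empty list means the rotation completed for every component."""
    started = _ts(rotation_started_at)
    created_at = {
        (s["metadata"]["namespace"], s["metadata"]["name"]): _ts(s["metadata"]["creationTimestamp"])
        for s in secrets
    }
    pending = []
    for ns, name in aws_secret_refs(credentials_requests):
        created = created_at.get((ns, name))
        if created is None:
            pending.append((ns, name, "missing"))
        elif created < started:
            pending.append((ns, name, "stale"))
    return pending


def _cr(name: str, kind: str, ns: str, secret: str) -> Dict:
    """Constructed CredentialsRequest with only the fields the check reads."""
    return {"apiVersion": "cloudcredential.openshift.io/v1", "kind": "CredentialsRequest",
            "metadata": {"name": name, "namespace": "openshift-cloud-credential-operator"},
            "spec": {"providerSpec": {"kind": kind},
                     "secretRef": {"namespace": ns, "name": secret}}}


def _secret(ns: str, name: str, created: str) -> Dict:
    """Constructed Secret metadata (data omitted; it is never inspected)."""
    return {"kind": "Secret",
            "metadata": {"namespace": ns, "name": name, "creationTimestamp": created}}


# Constructed sample cluster state a few minutes into a rotation.
ROTATION_STARTED = "2024-05-01T10:00:00Z"
SAMPLE_REQUESTS = [
    _cr("example-image-registry", "AWSProviderSpec", "openshift-image-registry", "installer-cloud-credentials"),
    _cr("example-ingress", "AWSProviderSpec", "openshift-ingress-operator", "cloud-credentials"),
    _cr("example-machine-api", "AWSProviderSpec", "openshift-machine-api", "aws-cloud-credentials"),
    _cr("example-gcp-only", "GCPProviderSpec", "openshift-image-registry", "gcp-credentials"),
]
SAMPLE_SECRETS = [
    _secret("openshift-image-registry", "installer-cloud-credentials", "2024-05-01T10:04:30Z"),  # fresh
    _secret("openshift-ingress-operator", "cloud-credentials", "2024-04-30T08:15:00Z"),         # stale
    # openshift-machine-api/aws-cloud-credentials deliberately absent: still missing
]


if __name__ == "__main__":
    for ns, name, reason in pending_rotations(SAMPLE_REQUESTS, SAMPLE_SECRETS, ROTATION_STARTED):
        print(f"{ns}/{name}: {reason}")
```

A "stale" entry points at a secret the deletion step never removed (or one restored from a backup), while "missing" entries are what to watch in the CCO logs quoted above; only an empty result should count as a successful rotation.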
creds_rotation_2.0/
├── main.yml # Main playbook
├── requirements.yml # Ansible collections
├── group_vars/
│ └── all.yml # Common variables
├── roles/
│ ├── aws_cco_rotation/
│ │ └── tasks/
│ │ └── main.yml # AWS IAM operations
│ └── k8s_secrets/
│ └── tasks/
│ └── main.yml # Kubernetes secret management
└── README.md # This file
- Follow Ansible best practices
- Test changes in a non-production environment first
- Update documentation for any new features
- Ensure all sensitive operations use no_log: true
This project is licensed under the GNU General Public License v2.0 - see below for details.
OpenShift Cloud Credential Operator (CCO) AWS Credential Rotation Automation
Copyright (C) 2024
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301, USA.
For the complete license text, visit: https://www.gnu.org/licenses/gpl-2.0.html
For issues and questions:
- Check the troubleshooting section above
- Review OpenShift CCO documentation
- Consult AWS IAM documentation