Home GitHub

IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at docs.openshift.com and access.redhat.com.

Deploying 3scale API Management to ROSA and OSD

Michael McNeill

26 January 2022

This document will take you through deploying 3scale in any OSD or ROSA cluster. Review the official documentation here for more information or how to further customize or use 3scale.


Prepare AWS Account

  1. Set environment variables (ensuring you update the variables appropriately!)

    export S3_BUCKET=<your-bucket-name-here>
    export REGION=us-east-1
    export S3_IAM_USER_NAME=<your-s3-user-name-here>
    export S3_IAM_POLICY_NAME=<your-s3-policy-name-here>
    export AWS_PAGER=""
    export PROJECT_NAME=<your-project-name-here>
    export WILDCARD_DOMAIN=<your-wildcard-domain-here>

    For my example, I’ll be using the following variables:

     export S3_BUCKET=mobb-3scale-bucket
     export REGION=us-east-1
     export S3_IAM_USER_NAME=mobb-3scale-user
     export S3_IAM_POLICY_NAME=3scale-s3-access
     export AWS_PAGER=""
     export PROJECT_NAME=3scale-example
     export WILDCARD_DOMAIN=3scale.example.com
  2. Create an S3 bucket

    aws s3 mb s3://$S3_BUCKET
  3. Apply the proper S3 bucket CORS configuration

    aws s3api put-bucket-cors --bucket $S3_BUCKET --cors-configuration \
     "CORSRules": [{
         "AllowedMethods": [
         "AllowedOrigins": [
  4. Create an IAM policy for access to the S3 bucket

    POLICY_ARN=$(aws iam create-policy --policy-name "$S3_IAM_POLICY_NAME" \
    --output text --query "Policy.Arn" \
    --policy-document \
     "Version": "2012-10-17",
     "Statement": [
             "Effect": "Allow",
             "Action": "s3:ListAllMyBuckets",
             "Resource": "arn:aws:s3:::*"
             "Effect": "Allow",
             "Action": "s3:*",
             "Resource": [
  5. Create an IAM user to access the S3 bucket

    aws iam create-user --user-name $S3_IAM_USER_NAME
  6. Generate an access key for the newly created S3 user

    ACCESS_CREDS=$(aws iam create-access-key --user-name $S3_IAM_USER_NAME \
    --output text --query "AccessKey.[AccessKeyId, SecretAccessKey]")
  7. Apply the IAM policy to the newly created S3 user

    aws iam attach-user-policy --user-name $S3_IAM_USER_NAME \
    --policy-arn $POLICY_ARN

Install the 3Scale API Management Operator

  1. Create a new project to install 3Scale API Management into.

    oc new-project $PROJECT_NAME
  2. Inside of the OpenShift Web Console, navigate to Operators -> OperatorHub.

  3. Search for “3scale” and select the “Red Hat Integration - 3scale” Operator.


  4. Click “Install” and select the project you wish to install the operator into.

    For this example, I’m deploying into the “3scale-example” project that I have just created.

    Operator Installation Flow

  5. Once the 3Scale operator successfully installs, return to your terminal.

Deploy 3Scale API Management

  1. Create a secret that contains the Amazon S3 configuration.

    echo << EOF | oc apply -f -
    apiVersion: v1
    kind: Secret
      creationTimestamp: null
      name: aws-auth
      AWS_ACCESS_KEY_ID: "$(echo $ACCESS_CREDS | cut -f 1)"
      AWS_SECRET_ACCESS_KEY: "$(echo $ACCESS_CREDS | cut -f 2)"
    type: Opaque
  2. Create an APIManager custom resource

    cat << EOF | oc apply -f -
    echo 'apiVersion: apps.3scale.net/v1alpha1
    kind: APIManager
      name: example-apimanager
      wildcardDomain: '$WILDCARD_DOMAIN'
          name: aws-auth
  3. Once the APIManager instance becomes available, you can login to the 3Scale Admin (located at https://3scale-admin.$WILDCARD_DOMAIN) using the credentials from the below commands:

    oc get secret system-seed -o jsonpath={.data.ADMIN_USER} | base64 -d
    oc get secret system-seed -o jsonpath={.data.ADMIN_PASSWORD} | base64 -d
  4. Congratulations! You’ve successfully deployed 3Scale API Management to ROSA/OSD.