IMPORTANT NOTE: This site is not official Red Hat documentation and is provided for informational purposes only. These guides may be experimental, proof of concept, or early adoption. Officially supported documentation is available at and

Extending ROSA STS to include authentication with AWS Services

Authors: Connor Wooley
Last Editor: Dustin Scott
Published Date: 4 October 2021
Modified Date: 25 May 2023

In this example we deploy the Amazon Ingress Controller (the AWS Load Balancer Controller, which provisions ALBs) and configure it to use STS authentication.


Configure STS

  1. Make sure your cluster has the pod identity webhook (on ROSA STS clusters it runs in the openshift-cloud-credential-operator namespace)

    kubectl -n openshift-cloud-credential-operator get deployment pod-identity-webhook
  2. Download the IAM Policy for the AWS Load Balancer Hooks

  3. Create AWS Role with inline policy

    # trust-policy.json (assumed here, not shown on this page) must trust the cluster's OIDC provider
    aws iam create-role \
      --role-name AWSLoadBalancerController \
      --assume-role-policy-document file://trust-policy.json \
      --query Role.Arn --output text
  4. Create AWS Policy and Service Account

    POLICY_ARN=$(aws iam create-policy --policy-name "AWSLoadBalancerControllerIAMPolicy" --policy-document file://iam_policy.json --query Policy.Arn --output text)
    echo $POLICY_ARN
  5. Create service account

    Note I had issues with the policy, and for now just gave this user admin creds. Need to revisit and figure out.

    SA_ARN=$(aws iam create-user --user-name aws-lb-controller --permissions-boundary=$POLICY_ARN --query User.Arn --output text)
  6. Create access key

    ACCESS_KEY=$(aws iam create-access-key --user-name aws-lb-controller)
  7. Attach policy to user

  8. Paste the AccessKeyId and SecretAccessKey into values.yaml

  9. Tag your public subnet with ``

  10. Create a namespace for the controller

    kubectl create ns aws-load-balancer-controller
  11. Apply CRDs

    kubectl apply -k ""
  12. Add the Helm repo and install the controller (install Helm 3 first if it is not already installed)

    helm repo add eks
    helm install -n aws-load-balancer-controller \
      aws-load-balancer-controller eks/aws-load-balancer-controller \
      --values=./helm/values.yaml --create-namespace
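The note in step 5 admits that the guide falls back to an IAM user with long-lived access keys. The following is an added example (not from the original guide) of the STS-native binding the pod identity webhook is there for: an IAM role whose trust policy is scoped to the controller's Kubernetes service account, attached to the policy from step 4 and annotated onto the service account. ROLE_NAME, NAMESPACE, SERVICE_ACCOUNT and the POLICY_ARN variable are assumptions.

```shell
# Added example, not part of the original guide. The role trusts the cluster's
# OIDC provider, only the controller's service account may assume it, and the
# pod identity webhook injects a short-lived web identity token (no pasted keys).
# ROLE_NAME, NAMESPACE, SERVICE_ACCOUNT and POLICY_ARN (step 4) are assumptions.
set -eu
ROLE_NAME="AWSLoadBalancerController"
NAMESPACE="aws-load-balancer-controller"
SERVICE_ACCOUNT="aws-load-balancer-controller"

# Issuer of the cluster's service account tokens, scheme stripped, e.g.
# rh-oidc.s3.us-east-1.amazonaws.com/<cluster-id> (read live, not hard-coded).
oidc_provider() {
  oc get authentication.config.openshift.io cluster \
    -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||'
}

# Trust policy for the role. The "sub" condition is the least-privilege part:
# without it every pod in the cluster could assume this role.
trust_policy_json() {
  account_id=$1; provider=$2; namespace=$3; sa=$4
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::${account_id}:oidc-provider/${provider}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {
      "StringEquals": {"${provider}:sub": "system:serviceaccount:${namespace}:${sa}"}
    }
  }]
}
EOF
}

# Create the role, attach the controller policy and annotate the service
# account; the webhook matches pods on this annotation at admission time.
create_role_and_bind_sa() {
  account_id=$(aws sts get-caller-identity --query Account --output text)
  provider=$(oidc_provider)
  trust_policy_json "$account_id" "$provider" "$NAMESPACE" "$SERVICE_ACCOUNT" > trust.json
  role_arn=$(aws iam create-role --role-name "$ROLE_NAME" \
    --assume-role-policy-document file://trust.json --query Role.Arn --output text)
  aws iam attach-role-policy --role-name "$ROLE_NAME" --policy-arn "$POLICY_ARN"
  kubectl -n "$NAMESPACE" annotate serviceaccount "$SERVICE_ACCOUNT" \
    "eks.amazonaws.com/role-arn=$role_arn" --overwrite
}

# Run with:  POLICY_ARN=<arn from step 4> sh bind-sa.sh apply
if [ "${1:-}" = "apply" ]; then create_role_and_bind_sa; fi
```

Because the webhook mutates pods at admission, the annotation must be on the service account before the controller pods are created; if the chart is already installed, restart the controller deployment afterwards.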

Deploy Sample Application

oc new-project demo
oc new-app
kubectl -n demo patch service django-ex -p '{"spec":{"type":"NodePort"}}'
kubectl apply -f ingress.yaml