diff --git a/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc b/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc index 7fbc5ec0f0df..2b56620728cf 100644 --- a/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc +++ b/cli_reference/rosa_cli/rosa-manage-objects-cli.adoc @@ -24,4 +24,5 @@ include::modules/rosa-edit-objects.adoc[leveloffset=+1] include::modules/rosa-delete-objects.adoc[leveloffset=+1] include::modules/rosa-install-uninstall-addon.adoc[leveloffset=+1] include::modules/rosa-list-objects.adoc[leveloffset=+1] +include::modules/rosa-revoke-objects.adoc[leveloffset=+1] include::modules/rosa-upgrade-cluster-cli.adoc[leveloffset=+1] diff --git a/modules/rosa-create-objects.adoc b/modules/rosa-create-objects.adoc index 512ceadd4b33..7d2ab405fe03 100644 --- a/modules/rosa-create-objects.adoc +++ b/modules/rosa-create-objects.adoc 
@@ -99,6 +99,73 @@ Create a cluster administrator that can log in to a cluster named `mycluster`. $ rosa create admin --cluster=mycluster ---- +[id="rosa-create-break-glass-credential_{context}"] +== create break glass credential + +Create a break glass credential for a hosted control plane cluster with external authentication enabled. + +.Syntax +[source,terminal] +---- +$ rosa create break-glass-credential --cluster= [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster \| +|Required. The name or ID of the cluster to which the break glass credential will be added. + +|--expiration +|Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours. + +|--username +|Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you. +|=== + +.Optional arguments inherited from parent commands +[cols="30,70"] +|=== +|Option |Definition + +|--help +|Shows help for this command. + +|--debug +|Enables debug mode. + +|--interactive +|Enables interactive mode. + +|--profile +|Specifies an AWS profile (string) from your credentials file. + +|--region +|Specifies an AWS region, overriding the `AWS_REGION` environment variable. + +|--yes +|Automatically answers `yes` to confirm the operation. +|=== + +.Examples +Add a break glass credential to a cluster named `mycluster`. + +.Syntax +[source,terminal] +---- +$ rosa create break-glass-credential --cluster=mycluster +---- + +Add a break glass credential to a cluster named `mycluster` using the interactive mode. + +.Syntax +[source,terminal] +---- +$ rosa create break-glass-credential --cluster=mycluster -i +---- + [id="rosa-create-cluster-command_{context}"] == create cluster 
diff --git a/modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc b/modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc new file mode 100644 index 000000000000..5abde109de38 --- /dev/null +++ b/modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc 
@@ -0,0 +1,86 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc + +:_mod-docs-content-type: PROCEDURE +[id="rosa-hcp-sts-accessing-a-break-glass-cred-cli_{context}"] += Accessing a {hcp-title} cluster by using a break glass credential + +Use the new `kubeconfig` from the break glass credential to gain temporary admin access to a {hcp-title} cluster. + +.Prerequisites + +* You have access to a {hcp-title} cluster with external authentication enabled. For more information, see _Creating a {hcp-title} cluster that uses external authentication providers_. +* You have installed the `oc` and the `kubectl` CLIs. +* You have configured the new `kubeconfig`. For more information, see _Creating a break glass credential for a {hcp-title} cluster_. + +.Procedure + +. Access the details for the cluster: ++ +[source,terminal] +---- +$ rosa describe break-glass-credential -c --kubeconfig > $KUBECONFIG +---- ++ +. List the nodes from the cluster: ++ +[source,terminal] +---- +$ oc get nodes +---- +.Example output ++ +[source,terminal] +---- +NAME STATUS ROLES AGE VERSION +ip-10-0-0-27.ec2.internal Ready worker 8m v1.28.7+f1b5f6c +ip-10-0-0-67.ec2.internal Ready worker 9m v1.28.7+f1b5f6c +---- +. Verify you have the correct credentials: ++ +[source,terminal] +---- +$ kubectl auth whoami +---- ++ +.Example output ++ +[source,terminal] +---- +ATTRIBUTE VALUE +Username system:customer-break-glass:test-user +Groups [system:masters system:authenticated] +---- +. Apply the `ClusterRoleBinding` for the groups defined in the external OIDC provider. The `ClusterRoleBinding` maps the `rosa-hcp-admins` group that is created in Microsoft Entra ID to a group in the {hcp-title} cluster. ++ +[source,terminal] +---- +$ oc apply -f - < -i <1> +---- +<1> Replace with the name of your cluster. 
++ +This command starts an interactive CLI process: ++ +.Example output +[source,terminal] +---- +I: Enabling interactive mode +? Username (optional): <1> +? Expiration duration (optional): <2> +I: Successfully created a break glass credential for cluster 'ac-hcp-test'. +---- +<1> If left blank, the value in the `username` will have a randomly generated username value. +<2> The minimum validity of the break glass credential is 10 minutes, and the maximum validity is 24 hours. If left blank, the expiration duration value defaults to 24 hours. ++ +** To create a break glass credential for cluster called `mycluster` with specified values: ++ +[source,terminal] +---- +$ rosa create break-glass-credential -c mycluster --username test-username --expiration 1h +---- ++ +. List the break glass credential IDs, status, and associated users that are available for a cluster called `mycluster` by running the following command: ++ +[source,terminal] +---- +$ rosa list break-glass-credential -c mycluster +---- ++ +.Example output +[source,terminal] +---- +ID USERNAME STATUS +2a7jli9n4phe6c02ul7ti91djtv2o51d test-user issued +---- ++ +[NOTE] +==== +You can also view the credentials in a JSON output by adding the `-o json` argument to the command. +==== + +. To view the status of a break glass credential, run the following command, replacing with the break glass credential ID: ++ +[source,terminal] +---- +$ rosa describe break-glass-credential -c +---- ++ +.Example output +[source,terminal] +---- +ID: 2a7jli9n4phe6c02ul7ti91djtv2o51d +Username: test-user +Expire at: Dec 28 2026 10:23:05 EDT +Status: issued +---- ++ +The following is a list of possible `Status` field values: ++ +* `issued` The break glass credential has been issued and is ready to use. +* `expired` The break glass credential has expired and can no longer be used. +* `failed` The break glass credential has failed to create. In this case, you receive a service log detailing the failure. 
For more information about service logs, see _Accessing the service logs for Red Hat OpenShift Service on AWS clusters_. For steps to contact Red Hat Support for assistance, see _Getting support_. +* `awaiting_revocation` The break glass credential is currently being revoked, meaning it cannot be used. +* `revoked` The break glass credential has been revoked and can no longer be used. ++ +. To retrieve the `kubeconfig`, run the following commands: +** Create a `kubeconfigs` directory: ++ +[source,terminal] +---- +$ mkdir ~/kubeconfigs +---- ++ +** Export the newly generated `kubeconfig` file, replacing with the name of your cluster: ++ +[source,terminal] +---- +$ export CLUSTER_NAME= && export KUBECONFIG=~/kubeconfigs/break-glass-${CLUSTER_NAME}.kubeconfig +---- ++ +** View the `kubeconfig`: ++ +[source,terminal] +---- +$ rosa describe break-glass-credential -c mycluster --kubeconfig +---- +.Example output ++ +[source,terminal] +---- +apiVersion: v1 +clusters: +- cluster: + server: + name: cluster +contexts: +- context: + cluster: cluster + namespace: default + user: test-username + name: admin +current-context: admin +kind: Config +preferences: {} +users: +- name: test-user + user: + client-certificate-data: <1> + client-key-data: <2> +---- +<1> The client-certificate contains a certificate for the user signed by the Kubernetes certificate authorities (CA). +<2> The client-key contains the key that signed the client certificate. ++ +. Optional: To save the `kubeconfig`, run the following command : ++ +[source,terminal] +---- +$ rosa describe break-glass-credential -c mycluster --kubeconfig > $KUBECONFIG +---- + + + + + + + diff --git a/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc new file mode 100644 index 000000000000..64241544c3c9 --- /dev/null +++ b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc 
@@ -0,0 +1,106 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc + +:_mod-docs-content-type: PROCEDURE +[id="rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_{context}"] += Creating a {hcp-title} cluster that uses external authentication providers +:source-highlighter: pygments +:pygments-style: emacs +:icons: font + +Use the `--external-auth-providers-enabled` flag in the ROSA CLI to create a cluster that uses an external authentication service. + +[NOTE] +==== +When creating a {hcp-title} cluster, the default machine Classless Inter-Domain Routing (CIDR) is `10.0.0.0/16`. If this does not correspond to the CIDR range for your VPC subnets, add `--machine-cidr ` to the following commands. +==== + +.Procedure + +* If you used the `OIDC_ID`, `SUBNET_IDS`, and `OPERATOR_ROLES_PREFIX` variables to prepare your environment, you can continue to use those variables when creating your cluster. For example, run the following command: ++ +[source,terminal] +---- +$ rosa create cluster --hosted-cp --subnet-ids=$SUBNET_IDS \ + --oidc-config-id=$OIDC_ID --cluster-name= \ + --operator-roles-prefix=$OPERATOR_ROLES_PREFIX \ + --external-auth-providers-enabled +---- + +* If you did not set environmental variables, run the following command: ++ +[source,terminal] +---- +$ rosa create cluster --cluster-name= --sts --mode=auto \ + --hosted-cp --operator-roles-prefix \ + --oidc-config-id \ + --external-auth-providers-enabled \ + --subnet-ids=, +---- + +.Verification +* Verify that your external authentication is enabled in the cluster details by running the following command: ++ +[source,terminal] +---- +$ rosa describe cluster --cluster= +---- ++ +.Example output +-- +[source,terminal,highlight='50'] +---- +Name: rosa-ext-test +Display Name: rosa-ext-test +ID: +External ID: +Control Plane: ROSA Service Hosted +OpenShift Version: 4.15.3 +Channel Group: stable +DNS: +AWS Account: +AWS Billing Account: +API URL: 
+Console URL: +Region: us-east-1 +Availability: + - Control Plane: MultiAZ + - Data Plane: SingleAZ + +Nodes: + - Compute (desired): 2 + - Compute (current): 0 +Network: + - Type: OVNKubernetes + - Service CIDR: + - Machine CIDR: + - Pod CIDR: + - Host Prefix: /23 + - Subnets: +EC2 Metadata Http Tokens: optional +Role (STS) ARN: arn:aws:iam:::role/-HCP-ROSA-Installer-Role +Support Role ARN: arn:aws:iam:::role/-HCP-ROSA-Support-Role +Instance IAM Roles: + - Worker: arn:aws:iam:::role/-HCP-ROSA-Worker-Role +Operator IAM Roles: + - arn:aws:iam:::role/-openshift-cloud-network-config-controller-clo + - arn:aws:iam:::role/-kube-system-capa-controller-manager + - arn:aws:iam:::role/-kube-system-control-plane-operator + - arn:aws:iam:::role/-kube-system-kms-provider + - arn:aws:iam:::role/-kube-system-kube-controller-manager + - arn:aws:iam:::role/-openshift-image-registry-installer-cloud-cred + - arn:aws:iam:::role/-openshift-ingress-operator-cloud-credentials + - arn:aws:iam:::role/-openshift-cluster-csi-drivers-ebs-cloud-crede +Managed Policies: Yes +State: ready +Private: No +Created: Mar 29 2024 14:25:52 UTC +User Workload Monitoring: Enabled +Details Page: https:// +OIDC Endpoint URL: https:// (Managed) +Audit Log Forwarding: Disabled +External Authentication: Enabled <1> +---- +<1> The `External Authentication` flag is enabled, and you can now create an external authentication provider. +-- \ No newline at end of file diff --git a/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc new file mode 100644 index 000000000000..29978247b42d --- /dev/null +++ b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc 
@@ -0,0 +1,142 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +:_mod-docs-content-type: PROCEDURE +[id="rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli_{context}"] += Creating an external authentication provider +:source-highlighter: pygments +:pygments-style: emacs +:icons: font + +After you have created a {hcp-title} cluster with the enabled option for external authentication providers, you must create a provider using the ROSA CLI. + +[NOTE] +==== +Similar to the `rosa create|delete|list idp[s]` command in the ROSA CLI, you cannot edit an existing identity provider that you created using `rosa create external-auth-provider`. Instead, you must delete the external authentication provider and create a new one. +==== + +The following table shows the possible CLI flags you can use when creating your external authentication provider: + +[cols="1,1", options="header"] +|=== + +|CLI Flag +|Description + +|`--cluster` +|The name or the ID of your cluster. + +|`--name` +|A name that is used to refer to the external authentication provider. + +|`--console-client-secret` +|This string is the client secret that is used to associate your account with the application. If you do not include the client secret, this command uses a public OIDC OAuthClient. + +|`--issuer-audiences` +|This is a comma-separated list of token audiences. + +|`--issuer-url` +|The URL of the token issuer. + +|`--claim-mapping-username-claim` +|The name of the claim that should be used to construct user names for the cluster identity. + +|`--claim-mapping-groups-claim` +|The name of the claim that should be used to construct group names for the cluster identity. + +|=== + +.Procedure + +* To use the interactive command interface, run the following commands: ++ +[source,terminal] +---- +$ rosa create external-auth-provider -c +---- ++ +.Example output +-- +[source,terminal] +---- +I: Enabling interactive mode +? Name: <1> +? 
Issuer audiences: <2> +? The serving url of the token issuer: <3> +? CA file path (optional): <4> +? Claim mapping username: <5> +? Claim mapping groups: <6> +? Claim validation rule (optional): <7> +? Console client id (optional): <8> +---- +<1> The name of your external authentication provider. This name should be a lower-case with numbers and dashes. +<2> The audience IDs that this authentication provider issues tokens for. +<3> The issuer's URL that serves the token. +<4> Optional: The certificate file to use when making requests. +<5> The name of the claim that is used to construct the user names for cluster identity, such as using `email`. +<6> The method with which to transform the ID token into a cluster identity, such as using `groups`. +<7> Optional: The rules that help validate token claims which authenticate your users. This field should be formatted as `:`. +<8> Optional: The application or client ID that your app registration uses for the console. +-- + +* You can include the required IDs to create your external authentication provider with the following command: ++ +[source,terminal] +---- +rosa create external-auth-provider --cluster= \ + --name= --issuer-url= \ + --issuer-audiences= \ + --claim-mapping-username-claim=email \ + --claim-mapping-groups-claim=groups \ + --console-client-id= \ + --console-client-secret= +---- ++ +.Example output ++ +[source,terminal] +---- +I: Successfully created an external authentication provider for cluster '' +---- + +.Verification + +* To verify your external authentication provider, run one of the following options: + +** List the external authentication configuration on a specified cluster with the following command: ++ +[source,terminal] +---- +$ rosa list external-auth-provider -c +---- ++ +.Example output ++ +The following example shows a configured Microsoft Entra ID external authentication provider: ++ +[source,terminal] +---- +NAME ISSUER URL +m-entra-id https://login.microsoftonline.com//v2.0 +---- + +** 
Display the external authentication configuration on a specified cluster by using the following command: ++ +[source,terminal] +---- +$ rosa describe external-auth-provider \ + -c --name +---- ++ +.Example output ++ +[source,terminal] +---- +ID: ms-entra-id +Cluster ID: +Issuer audiences: + - +Issuer Url: https://login.microsoftonline.com//v2.0 +Claim mappings group: groups +Claim mappings username: email +---- \ No newline at end of file diff --git a/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc new file mode 100644 index 000000000000..bac087b77518 --- /dev/null +++ b/modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc 
@@ -0,0 +1,55 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +:_mod-docs-content-type: PROCEDURE +[id="rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli_{context}"] += Deleting an external authentication provider +:source-highlighter: pygments +:pygments-style: emacs +:icons: font + +Delete external authentication providers by using the ROSA CLI. + +.Procedure + +. Display your external authentication provider on your cluster by running the following command: ++ +[source,terminal] +---- +$ rosa list external-auth-provider -c +---- ++ +.Example output +[source,terminal] +---- +NAME ISSUER URL +entra-test https://login.microsoftonline.com//v2.0 +---- + +. Delete the external authentication provider by running the following command: ++ +[source,terminal] +---- +$ rosa delete external-auth-provider -c +---- ++ +.Example output +[source,terminal] +---- +? Are you sure you want to delete external authentication provider entra-test on cluster rosa-ext-test? Yes +I: Successfully deleted external authentication provider 'entra-test' from cluster 'rosa-ext-test' +---- + +.Verification +. Query for any external authentication providers on your cluster by running the following command: ++ +[source,terminal] +---- +$ rosa list external-auth-provider -c +---- ++ +.Example output +[source,terminal] +---- +E: there are no external authentication providers for this cluster +---- \ No newline at end of file diff --git a/modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc b/modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc new file mode 100644 index 000000000000..e02b281d9f1a --- /dev/null +++ b/modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc 
@@ -0,0 +1,77 @@ +// Module included in the following assemblies: +// +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc + +:_mod-docs-content-type: PROCEDURE +[id="rosa-hcp-sts-revoking-a-break-glass-cred-cli_{context}"] += Revoking a break glass credential for a {hcp-title} cluster + +You can revoke access to any break glass credentials that you have provisioned at any time by using the `revoke break-glass-credentials` command. + +.Prerequisites + +* You have created a break glass credential. +* You are the cluster owner. + +.Procedure + +* Revoke the break glass credentials for a {hcp-title} cluster by running the following command. ++ +[IMPORTANT] +==== +Running this command will revoke access for all break glass credentials related to the cluster. +==== ++ +[source,terminal] +---- +$ rosa revoke break-glass-credentials -c <1> +---- +<1> Replace with the name of your cluster. ++ +.Example output + +[source,terminal] +---- +? Are you sure you want to revoke all the break glass credentials on cluster 'my-cluster'?: Yes +I: Successfully requested revocation for all break glass credentials from cluster 'my-cluster' +---- + +.Verification + +* The revocation process can take several minutes. 
You can verify that the break glass credentials for your clusters have been revoked by running one of the following commands: +** List all break glass credentials and check the status of each: ++ +[source,terminal] +---- +$ rosa list break-glass-credential -c +---- ++ +.Example output ++ +[source,terminal] +---- +ID USERNAME STATUS +2330dbs0n8m3chkkr25gkkcd8pnj3lk2 test-user awaiting_revocation +---- ++ +** You can also verify the status by checking the individual credential: ++ +[source,terminal] +---- +$ rosa describe break-glass-credential -c +---- ++ +.Example output ++ +[source,terminal] +---- +ID: 2330dbs0n8m3chkkr25gkkcd8pnj3lk2 +Username: test-user +Expire at: Dec 28 2026 10:23:05 EDT +Status: issued +Revoked at: Dec 27 2026 15:30:33 EDT +---- + + + diff --git a/modules/rosa-list-objects.adoc b/modules/rosa-list-objects.adoc index f2bf65e8a3c8..6afab1e1baf5 100644 --- a/modules/rosa-list-objects.adoc +++ b/modules/rosa-list-objects.adoc @@ -42,6 +42,51 @@ $ rosa list addons --cluster= | |Specifies an AWS profile (string) from your credentials file. |=== + +[id="rosa-list-break-glass-credential_{context}"] +== List break glass credentials + +List all of the break glass credentials for a cluster. + +.Syntax +[source,terminal] +---- +$ rosa list break-glass-credential [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster \| +|Required. The name or ID of the cluster to which the break glass credentials have been added. +|=== + +.Optional arguments inherited from parent commands +[cols="30,70"] +|=== +|Option |Definition + +|--help +|Shows help for this command. + +|--debug +|Enables debug mode. + +|--profile +|Specifies an AWS profile (string) from your credentials file. +|=== + +.Example + +List all of the break glass credentials for a cluster named `mycluster`. + +[source,terminal] +---- +$ rosa list break-glass-credential --cluster=mycluster +---- + [id="rosa-list-clusters_{context}"] == list clusters 
@@ -523,6 +568,44 @@ Describe an add-on named `dbaas-operator`. ---- $ rosa describe addon dbaas-operator ---- +[id="rosa-describe-break-glass-credential_{context}"] +== describe break glass credential + +Shows the details for a break glass credential for a specific cluster. + +.Syntax +[source,terminal] +---- +$ rosa describe break-glass-credential --id= --cluster=| [arguments] +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster. +|--id +|Required: The ID (string) of the break glass credential. +|--kubeconfig +|Optional: Retrieves the kubeconfig from the break glass credential. +|=== + +.Optional arguments inherited from parent commands +[cols="30,70"] +|=== +|Option |Definition + +|--help +|Shows help for this command. + +|--debug +|Enables debug mode. + +|--profile +|Specifies an AWS profile (string) from your credentials file. +|=== [id="rosa-describe-cluster_{context}"] == describe cluster diff --git a/modules/rosa-revoke-objects.adoc b/modules/rosa-revoke-objects.adoc new file mode 100644 index 000000000000..50148fdf3586 --- /dev/null +++ b/modules/rosa-revoke-objects.adoc 
@@ -0,0 +1,55 @@ +// Module included in the following assemblies: +// +// * rosa_cli/rosa-manage-objects-cli.adoc + +:_mod-docs-content-type: PROCEDURE +[id="rosa-revoke-objects_{context}"] += Revoke objects + +This section describes the `revoke` commands for clusters and resources. + +[id="rosa-revoke-break-glass-credential_{context}"] +== revoke-break-glass-credential + +Revokes all break glass credentials from a specified hosted control plane cluster with external authentication enabled. + +.Syntax +[source,terminal] +---- +$ rosa revoke break-glass-credential --cluster= | +---- + +.Arguments +[cols="30,70"] +|=== +|Option |Definition + +|--cluster +|Required: The name or ID (string) of the cluster from which the break glass credentials will be deleted. +|=== + +.Optional arguments inherited from parent commands +[cols="30,70"] +|=== +|Option |Definition + +|--help +|Shows help for this command. + +|--debug +|Enables debug mode. + +|--profile +|Specifies an AWS profile (string) from your credentials file. + +|--yes +|Automatically answers `yes` to confirm the operation. +|=== + +.Example +Revoke the break glass credentials from a cluster named `mycluster`. + +[source,terminal] +---- +$ rosa revoke break-glass-credential --cluster=mycluster +---- diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc index 528a80304d73..35be22c3f6ba 100644 --- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc +++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc 
@@ -37,19 +37,38 @@ To create a {hcp-title} cluster, you must have completed the following steps: * Created an xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration] * Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles] -// Step 1 Prepare HCP cluster with --external-auth-providers-enabled -include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-cluster-cli.adoc[leveloffset=+1] +// Step 1 Prepare HCP cluster with --external-auth-providers-enabled +include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc[leveloffset=+1] //Step 2 Create/list/delete external_provider to HCP cluster that external_auth_config is not enable -include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-cli.adoc[leveloffset=+1] +include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc[leveloffset=+1] [role="_additional-resources"] -.Additional resources +[id="additional-resources_rosa-sts-creating-a-cluster-external-auth-cluster-cli"] +== Additional resources * For more information about configuring Entra ID for your IDP, see link:https://learn.microsoft.com/en-us/entra/fundamentals/whatis[What is Microsoft Entra ID?] in the Azure documentation or the xref:../cloud_experts_tutorials/cloud-experts-entra-id-idp.adoc#cloud-experts-entra-id-idp[Configuring Microsoft Entra ID (formerly Azure Active Directory) as an identity provider] tutorial section of the documentation. -* For information on the similar `idps` tool in the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-idp_rosa-managing-objects-cli[`create idp`]. 
-* For more information on options in the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-external-auth-provider_rosa-managing-objects-cli[`create external-auth-provider`], xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-list-external-auth-provider_rosa-managing-objects-cli[`list external-auth-provider`], and xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-delete-external-auth-provider_rosa-managing-objects-cli[`delete external-auth-provider`]. +* For information about the similar `idps` tool in the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-idp_rosa-managing-objects-cli[`create idp`]. +* For more information about options in the ROSA CLI, see xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-create-external-auth-provider_rosa-managing-objects-cli[`create external-auth-provider`], xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-list-external-auth-provider_rosa-managing-objects-cli[`list external-auth-provider`], and xref:../cli_reference/rosa_cli/rosa-manage-objects-cli.adoc#rosa-delete-external-auth-provider_rosa-managing-objects-cli[`delete external-auth-provider`]. + +// Step 3: Create, list, and revoke a break glass credential +include::modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_rosa-sts-creating-a-break-glass-cred-cli"] +== Additional resources +* For more information about creating a {hcp-title} cluster with external authentication enabled, see xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli_rosa-hcp-sts-creating-a-cluster-ext-auth[Creating a ROSA with HCP cluster that uses external authentication providers]. 
+* For more information about CLI configurations, see xref:../cli_reference/openshift_cli/managing-cli-profiles.adoc#managing-cli-profiles[Managing CLI profiles]. + +include::modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc[leveloffset=+1] + +[role="_additional-resources"] +[id="additional-resources_rosa-sts-accessing-a-break-glass-cred-cli"] +== Additional resources +* For more information about cluster role binding, see xref:../authentication/using-rbac.adoc#rbac-overview[Using RBAC to define and apply permissions]. + +include::modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc[leveloffset=+1] -//Step 3 delete external_provider to HCP cluster that external_auth_config is not enable -include::modules/rosa-hcp-sts-creating-a-cluster-ext-auth-provider-delete-cli.adoc[leveloffset=+1] +//Step 4 delete external_provider to HCP cluster that external_auth_config is not enable +include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc[leveloffset=+1] [role="_additional-resources"] [id="additional-resources_rosa-sts-creating-a-cluster-ext-auth"]
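Review bot: in the `create break glass credential` section of modules/rosa-create-objects.adoc, both examples are titled `.Syntax` where the module's other examples use `.Example`, and the second example passes `-i` while the inherited-arguments table only lists `--interactive`; either show `--interactive` or say that `-i` is its short form. The `--expiration` row says `Optional:` and the `--username` row `Optional.`; use one. Since the credential resolves to a `system:masters` identity (see the `kubectl auth whoami` output in the accessing module), the definition should say so, so readers understand why the default 24-hour lifetime matters and choose the shortest `--expiration` that covers the task.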
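Review bot: in modules/rosa-hcp-sts-accessing-a-break-glass-cred-cli.adoc, step 1 (`rosa describe break-glass-credential -c ... --kubeconfig > $KUBECONFIG`) omits `--id`, which the `describe break glass credential` reference in this same patch marks as Required, and its title "Access the details for the cluster" does not describe what it does (it writes the kubeconfig); retitle the step and add `--id`, or state when the ID may be omitted. The `.Example output` title after `oc get nodes` is not preceded by `+`, unlike the `kubectl auth whoami` step, so AsciiDoc detaches it from the list item; move the `+` above the title. The prerequisite "You have configured the new `kubeconfig`" conflicts with step 1, which is what produces it; drop or reword it. As the hunk appears here, `oc apply -f - < -i <1>` has no manifest body, so the `ClusterRoleBinding` that maps `rosa-hcp-admins` is not shown; confirm the YAML heredoc is present in the module.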
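Review bot: in the break glass credential creation steps (the `rosa create break-glass-credential -c ... -i` procedure), callout <2> under the kubeconfig output says the client key "signed the client certificate"; that is wrong. The certificate is signed by the cluster CA, as callout <1> says, and `client-key-data` is the user's private key matching the certificate's public key. Suggested: `<2> The client-key is the private key that corresponds to the client certificate.` The sample kubeconfig is also internally inconsistent: the context references `user: test-username` but the `users` entry is `name: test-user`, so the context points at a user that does not exist; align them with the `--username test-username` used earlier. Because this file carries a private key for a `system:masters` identity, the "Optional: To save the `kubeconfig`" step should tell readers to restrict the file's permissions and revoke the credential once the task is done (the next module covers revocation); also remove the space before the colon in "run the following command :". Callout <1> on the interactive output ("the value in the `username` will have a randomly generated username value") should read "a random username is generated", matching the CLI reference wording.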
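Review bot: in modules/rosa-hcp-sts-creating-a-cluster-external-auth-cluster-cli.adoc, "environmental variables" should be "environment variables", and the second `rosa create cluster` command passes `--operator-roles-prefix` and `--oidc-config-id` with no `=value` while the first uses `--subnet-ids=...` and `--oidc-config-id=...`; make both forms consistent so readers do not take the flags for booleans. The first command also lacks the `--sts --mode=auto` flags present in the second; if both are needed for an HCP cluster, add them or explain the difference. `[source,terminal,highlight='50']` hard-codes a line number for `External Authentication: Enabled`, which breaks silently when the output changes; the `<1>` callout already marks that line, so drop `highlight`.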
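Review bot: in modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-cli.adoc, the table is introduced as "the possible CLI flags" but omits `--console-client-id`, which the non-interactive example uses, and has no rows for the "CA file path" and "Claim validation rule" prompts shown in interactive mode; add the missing rows or retitle the table as a subset. The non-interactive `rosa create external-auth-provider` example is the only command in the patch without the `$ ` prompt prefix. The `list` output names the provider `m-entra-id` while the `describe` output shows `ID: ms-entra-id`; use one name. Passing `--console-client-secret` on the command line leaves the secret in shell history and process listings; point readers to the interactive prompt documented above (or an environment variable) for supplying it. Callout <1> "This name should be a lower-case with numbers and dashes" should read "lowercase letters, numbers, and dashes".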
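Review bot: in modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-cli.adoc, the delete command is shown as `rosa delete external-auth-provider -c` with no provider selector, yet the confirmation prompt names `entra-test` and the `describe` command elsewhere in this patch takes `--name`; show the `--name` argument, or state that the provider is chosen interactively when only `-c` is given. The verification output is an error line (`E: there are no external authentication providers for this cluster`); add a sentence saying this message is the expected result so readers do not read it as a failure.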
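Review bot: the command name is inconsistent across the patch. modules/rosa-hcp-sts-revoking-a-break-glass-cred-cli.adoc uses `rosa revoke break-glass-credentials` (plural) in both prose and the `$` command, while modules/rosa-revoke-objects.adoc documents `rosa revoke break-glass-credential` (singular); pick the form the CLI accepts and use it everywhere. In the `describe` verification output, `Status: issued` appears together with `Revoked at: Dec 27 2026 15:30:33 EDT`, which contradicts the `awaiting_revocation` status in the `list` output just above it; the status should be `awaiting_revocation` or `revoked`. The `.Example output` title in the procedure is separated from `[source,terminal]` by a blank line, which detaches the title from the block; remove it.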
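Review bot: in modules/rosa-revoke-objects.adoc, the heading `== revoke-break-glass-credential` is hyphenated where the sibling reference sections use spaces (`== create break glass credential`, `== list clusters`); match that style. The `--cluster` definition says the credentials "will be deleted" while the rest of the patch describes them as revoked (status `awaiting_revocation`, then `revoked`); say "revoked". The module is typed `:_mod-docs-content-type: PROCEDURE` but is a command reference; type it accordingly.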
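Review bot: in modules/rosa-list-objects.adoc, the `List break glass credentials` syntax line shows `rosa list break-glass-credential [arguments]` although `--cluster` is marked Required; show it as `rosa list addons --cluster=...` does above, and lowercase the heading to match `== list clusters`. In the `describe break glass credential` section, the `.Arguments` rows are not separated by blank lines as in the other tables, the section has no `.Example` unlike `describe addon` before it, and the `--kubeconfig` definition should state that the retrieved kubeconfig embeds the user's private key (`client-key-data` in the creation module's output) so readers handle it as a secret.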
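Review bot: in rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc, the new include `modules/rosa-hcp-sts-creating-a-break-glass-cred-cli.adoc` has no `new file mode` entry in the patch as shown (only the accessing and revoking modules do), so the assembly will not build unless that module ships in the same change; likewise the `...-ext-auth-cluster-cli.adoc`, `...-ext-auth-provider-cli.adoc` and `...-ext-auth-provider-delete-cli.adoc` includes are replaced by the `external-auth` names but no deletions appear, leaving orphaned modules. The first bullet of the break glass "Additional resources" xrefs this same assembly (`../rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc#...`) and spells out "ROSA with HCP" where every heading uses `{hcp-title}`; use an in-document xref and the attribute. The renumbered comment `//Step 4 delete external_provider to HCP cluster that external_auth_config is not enable` should also be fixed to "is enabled".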