Cloud Experts Documentation

AWS Cognito and IAM Identity Center for ROSA Cluster Access

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

EKS lets a human assume an IAM role and hand those credentials straight to kubectl through the AWS IAM Authenticator. ROSA has no native equivalent: its OpenShift OAuth server authenticates users against external identity providers (OpenID Connect among them) rather than against IAM, so an OIDC provider is needed to bridge AWS identities into the cluster.

This guide demonstrates the AWS-native pattern for ROSA human identity: IAM Identity Center and Cognito acting as an OIDC bridge to ROSA OAuth. The end result is comparable to EKS with IAM assumed roles: users are managed in AWS identity tooling, cluster access maps to OpenShift RBAC, and no separate user directory is required outside of AWS.

Two approaches are provided:

| Approach                  | Use Case                                                         |
|---------------------------|------------------------------------------------------------------|
| Cognito Only              | Teams not yet using Identity Center, or a quick proof of concept |
| Identity Center + Cognito | Closest equivalent to EKS IAM assumed roles; full AWS SSO        |

Prerequisites

Environment Variables

Set the following variables for use throughout this guide. Customize the values to match your environment.

Get your cluster domain for the callback URL:

Approach 1: Cognito as Standalone OIDC IdP for ROSA

Use this approach if you want AWS-managed users without Identity Center, or as a stepping stone before wiring in Identity Center.

1. Create a Cognito User Pool

Capture the User Pool ID from the output:

2. Configure a Cognito App Client

Capture the client credentials:

The callback URL format is `https://oauth-openshift.apps.<cluster-domain>/oauth2callback/<idp-name>`, where `<cluster-domain>` is the cluster domain captured in the prerequisites and `<idp-name>` matches the `--name` used when creating the IdP in step 4.

3. Set a Cognito Domain

Cognito requires a domain to serve the OIDC endpoints and hosted login UI:

Set the OIDC issuer URL:

Verify the OIDC discovery endpoint is reachable:

4. Configure the OpenID IdP in ROSA

Verify the IdP was registered:

The `--name` value (`cognito` here) must match the `<idp-name>` segment of the callback URL registered in step 2. If you used a different name, update the callback URL in the Cognito App Client to match; Cognito compares the redirect URI by exact string match, so a trailing slash or a different case also breaks the redirect.
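
Before moving on to users, it is worth confirming that the issuer URL, the discovery document and the callback URL agree with one another, because most of the failures in the troubleshooting section come from a mismatch among these three. The script below is an added example and not part of the original guide: the region, pool ID, Cognito domain, cluster domain and IdP name are constructed stand-ins for the guide's environment variables, and the discovery document is constructed to mirror what Cognito serves so that the checks run offline.

```python
"""Consistency checks for the Cognito -> ROSA OpenID wiring.

Added example, not part of the original guide. It runs offline against a
constructed discovery document; to check a live pool, fetch
${ISSUER_URL}/.well-known/openid-configuration and pass the parsed JSON in.
"""
from urllib.parse import urlparse

# Constructed stand-ins for the guide's environment variables.
AWS_REGION = "us-east-1"
USER_POOL_ID = "us-east-1_EXAMPLE1"
COGNITO_DOMAIN = "rosa-example"
CLUSTER_DOMAIN = "abcd.p1.openshiftapps.com"  # the cluster domain from the prerequisites
IDP_NAME = "cognito"                           # the --name passed to `rosa create idp`


def issuer_url(region: str, pool_id: str) -> str:
    # Cognito's issuer is the regional cognito-idp host plus the pool id, no trailing slash.
    return f"https://cognito-idp.{region}.amazonaws.com/{pool_id}"


def callback_url(cluster_domain: str, idp_name: str) -> str:
    # OpenShift OAuth callback; the last path segment must equal the IdP name.
    return f"https://oauth-openshift.apps.{cluster_domain}/oauth2callback/{idp_name}"


def hosted_ui_host(domain: str, region: str) -> str:
    # Host that serves the Cognito hosted UI and the OAuth2 endpoints.
    return f"{domain}.auth.{region}.amazoncognito.com"


def check_discovery(doc: dict, expected_issuer: str, ui_host: str) -> list:
    """Return problems found in an openid-configuration document (empty list = OK)."""
    problems = []
    # OIDC Discovery: the issuer in the document must equal the URL it was fetched from
    # (without the well-known suffix), or relying parties reject the tokens.
    if doc.get("issuer") != expected_issuer:
        problems.append(f"issuer mismatch: {doc.get('issuer')!r} != {expected_issuer!r}")
    for key in ("authorization_endpoint", "token_endpoint", "jwks_uri", "userinfo_endpoint"):
        if key not in doc:
            problems.append(f"missing {key}")
    # The browser-facing endpoints live on the Cognito domain; a missing or wrong
    # domain shows up here before any user sees a login page.
    for key in ("authorization_endpoint", "token_endpoint"):
        host = urlparse(doc.get(key, "")).hostname
        if host != ui_host:
            problems.append(f"{key} host {host!r} is not {ui_host!r}")
    if "code" not in doc.get("response_types_supported", []):
        problems.append("authorization code flow not advertised")
    if "RS256" not in doc.get("id_token_signing_alg_values_supported", []):
        problems.append("RS256 not offered for ID tokens")
    return problems


def callback_registered(registered: list, expected: str) -> bool:
    # Cognito matches redirect_uri by exact string comparison, so a trailing slash,
    # a different case or a different IdP name all fail the redirect.
    return expected in registered


ISSUER_URL = issuer_url(AWS_REGION, USER_POOL_ID)
UI_HOST = hosted_ui_host(COGNITO_DOMAIN, AWS_REGION)
CALLBACK_URL = callback_url(CLUSTER_DOMAIN, IDP_NAME)

# Constructed to mirror the shape Cognito returns for a pool that has a domain set.
SAMPLE_DISCOVERY = {
    "issuer": ISSUER_URL,
    "authorization_endpoint": f"https://{UI_HOST}/oauth2/authorize",
    "token_endpoint": f"https://{UI_HOST}/oauth2/token",
    "userinfo_endpoint": f"https://{UI_HOST}/oauth2/userInfo",
    "jwks_uri": f"{ISSUER_URL}/.well-known/jwks.json",
    "response_types_supported": ["code", "token"],
    "id_token_signing_alg_values_supported": ["RS256"],
}

# Constructed app-client callback list carrying the classic mistake: a trailing slash.
REGISTERED_CALLBACKS = [CALLBACK_URL + "/"]


def run_checks() -> dict:
    return {
        "discovery_problems": check_discovery(SAMPLE_DISCOVERY, ISSUER_URL, UI_HOST),
        "callback_ok": callback_registered(REGISTERED_CALLBACKS, CALLBACK_URL),
    }


if __name__ == "__main__":
    for name, result in run_checks().items():
        print(f"{name}: {result}")
```

For a live check, replace `SAMPLE_DISCOVERY` with the JSON fetched from `${ISSUER_URL}/.well-known/openid-configuration`, and `REGISTERED_CALLBACKS` with the `CallbackURLs` list returned by `aws cognito-idp describe-user-pool-client`.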

5. Create Cognito Users

The user will be prompted to change their password on first login.

6. Grant cluster-admin in OpenShift

First, get the current cluster admin credentials (if using HTPasswd):

Grant cluster-admin to the Cognito user:

7. Test Login via oc and Console

Get the console URL:

Browser login:

  1. Open the OpenShift Console URL
  2. Select “Log in with cognito”
  3. Sign in with Cognito user credentials (you will be prompted to change the temporary password)
  4. Use “Copy login command” for the oc token

oc login:

8. Remove HTPasswd IdP (Optional)

Once Cognito login is confirmed working, you can remove the HTPasswd IdP:

Ensure you have verified Cognito login and have granted cluster-admin to at least one Cognito user before removing the HTPasswd IdP.

Approach 2: IAM Identity Center + Cognito for ROSA

Use this approach if your organization already uses IAM Identity Center for AWS access and you want the same identity system to control ROSA cluster access.

Architecture: IAM Identity Center (SAML identity provider) → Cognito user pool (SAML relying party and OIDC provider) → OpenShift OAuth server (OIDC client) → OpenShift RBAC.

1. Create Cognito User Pool, App Client, and Domain

Follow Approach 1, Steps 1-3 to create the User Pool, App Client, and domain. Ensure you have these values ready:

2. Create a SAML Application in IAM Identity Center

IAM Identity Center speaks SAML to Cognito (not OIDC directly). Cognito then exposes OIDC to ROSA.

Option A: Using AWS CLI (creates the application; the console is still required for the SAML configuration)

Capture the Application ARN from the output:

Option B: Using AWS Console (recommended for full SAML configuration)

In the IAM Identity Center console:

  1. Go to Applications → Add application → Add custom SAML 2.0 application
  2. Set Application name: rosa-cognito
  3. Click Next
  4. Under Application properties:
    • Application start URL: (leave empty)
    • Relay state: (leave empty)
  5. Under Application metadata:
    • If you choose to manually type your metadata values:
      • Application ACS URL: https://<cognito-domain>.auth.<region>.amazoncognito.com/saml2/idpresponse
        • Use your actual values: https://${COGNITO_DOMAIN}.auth.${AWS_REGION}.amazoncognito.com/saml2/idpresponse
      • Application SAML audience: urn:amazon:cognito:sp:<USER_POOL_ID>
        • Use your actual value: urn:amazon:cognito:sp:${USER_POOL_ID}
  6. Under Attribute mappings, add:
    • Subject: ${user:email} with format emailAddress
    • Additional attribute: email → ${user:email} with format basic
  7. Click Submit
  8. On the application details page, go to the Actions menu → Edit attribute mappings
  9. Verify the email attribute mapping uses the claim name: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress

Get the SAML Metadata URL:

After creating the application, you need the IAM Identity Center SAML metadata URL:

  1. In the application details page, scroll to IAM Identity Center metadata
  2. Copy the IAM Identity Center SAML metadata file URL
  3. Save this URL for Step 3

The SAML metadata URL has the form `https://portal.sso.<region>.amazonaws.com/saml/metadata/<metadata-id>`.

Export the metadata URL:

3. Configure Identity Center as SAML IdP in Cognito

Replace <IAM-Identity-Center-SAML-metadata-URL> with the metadata URL from the previous step:

The attribute mapping connects the SAML claim from IAM Identity Center to the Cognito email attribute. Adjust the claim name if your Identity Center uses a different attribute for email.
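
A quick way to see what the Cognito attribute mapping will actually receive is to inspect a SAML response in the shape Identity Center sends for the rosa-cognito application. The Python below is an added example and not part of the original guide: the response is constructed and unsigned, the pool ID, domain and region are stand-ins for the guide's variables, and nothing here verifies a signature (Cognito does that when it validates the real response). It checks the audience and the ACS recipient against the values from Step 2, and shows that the email mapping comes back empty when the claim name differs from what Identity Center sends, which is the "SAML attribute mapping wrong" row in the troubleshooting table.

```python
"""Inspect a SAML response the way Cognito's attribute mapping will see it.

Added example, not part of the original guide. The response below is
constructed and unsigned; this code checks audience, recipient and attribute
names only. Signature validation is Cognito's job and is not done here.
"""
import xml.etree.ElementTree as ET  # fine for constructed input; use defusedxml for XML from the wire
from typing import Optional

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
# Claim name Identity Center uses for e-mail; the guide maps it to Cognito's `email` attribute.
EMAIL_CLAIM = "http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress"

# Constructed stand-ins for the guide's variables.
USER_POOL_ID = "us-east-1_EXAMPLE1"
COGNITO_DOMAIN = "rosa-example"
AWS_REGION = "us-east-1"
EXPECTED_AUDIENCE = f"urn:amazon:cognito:sp:{USER_POOL_ID}"
EXPECTED_ACS = f"https://{COGNITO_DOMAIN}.auth.{AWS_REGION}.amazoncognito.com/saml2/idpresponse"

# Constructed, unsigned response in the shape Identity Center sends for a custom SAML app.
SAMPLE_RESPONSE = f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    Destination="{EXPECTED_ACS}">
  <saml:Assertion>
    <saml:Subject>
      <saml:NameID Format="urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress">alice@example.com</saml:NameID>
      <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer">
        <saml:SubjectConfirmationData Recipient="{EXPECTED_ACS}"/>
      </saml:SubjectConfirmation>
    </saml:Subject>
    <saml:Conditions>
      <saml:AudienceRestriction><saml:Audience>{EXPECTED_AUDIENCE}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="{EMAIL_CLAIM}" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri">
        <saml:AttributeValue>alice@example.com</saml:AttributeValue>
      </saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>"""


def parse_response(xml_text: str) -> dict:
    """Extract what Cognito checks or maps. Not a validator: no signature check."""
    root = ET.fromstring(xml_text)
    assertion = root.find("saml:Assertion", NS)
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    conf = assertion.find("saml:Subject/saml:SubjectConfirmation/saml:SubjectConfirmationData", NS)
    audiences = [a.text for a in assertion.findall("saml:Conditions/saml:AudienceRestriction/saml:Audience", NS)]
    attributes = {
        attr.get("Name"): [v.text for v in attr.findall("saml:AttributeValue", NS)]
        for attr in assertion.findall("saml:AttributeStatement/saml:Attribute", NS)
    }
    return {
        "destination": root.get("Destination"),
        "recipient": conf.get("Recipient") if conf is not None else None,
        "name_id": name_id.text if name_id is not None else None,
        "name_id_format": name_id.get("Format") if name_id is not None else None,
        "audiences": audiences,
        "attributes": attributes,
    }


def mapped_email(parsed: dict, claim_name: str = EMAIL_CLAIM) -> Optional[str]:
    """Value Cognito's `email=<claim_name>` mapping would produce; None means the mapping is broken."""
    values = parsed["attributes"].get(claim_name, [])
    return values[0] if values else None


def check_response(parsed: dict) -> list:
    """Problems Cognito would hit before the user ever reaches ROSA."""
    problems = []
    if EXPECTED_AUDIENCE not in parsed["audiences"]:
        problems.append(f"audience {parsed['audiences']} lacks {EXPECTED_AUDIENCE}")
    if parsed["recipient"] != EXPECTED_ACS or parsed["destination"] != EXPECTED_ACS:
        problems.append("recipient/destination is not the Cognito /saml2/idpresponse URL")
    if mapped_email(parsed) is None:
        problems.append(f"no attribute named {EMAIL_CLAIM}: Cognito's email mapping will be empty")
    return problems


if __name__ == "__main__":
    parsed = parse_response(SAMPLE_RESPONSE)
    print("NameID:", parsed["name_id"], parsed["name_id_format"])
    print("mapped email:", mapped_email(parsed))
    print("problems:", check_response(parsed) or "none")
```

The `attributes` dictionary keyed by claim name is exactly what the `email=<claim name>` mapping in Step 3 selects from; if your Identity Center instance sends e-mail under a different name, that is the key to look for here and the value to put in the Cognito attribute mapping.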

4. Update the Cognito App Client to Allow Identity Center Login

5. Assign Users/Groups in IAM Identity Center

In the IAM Identity Center console:

  1. Go to Applications → rosa-cognito
  2. Under Assigned users and groups, assign the users or groups who should have ROSA cluster access
  3. Users can now federate through Identity Center → Cognito → ROSA

This is the closest analog to EKS: you manage cluster access by assigning users to the application in Identity Center, the same place you manage their AWS account access.

6. Configure the OpenID IdP in ROSA

7. Grant cluster-admin to Identity Center Users

For group-based access (if Cognito passes group claims):
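
Once a user is past Cognito, OpenShift decides who they are and what they may do from the claims in the ID token: the claim configured as the username (email in this guide, which is why cluster-admin is granted to an e-mail address both here and in Approach 1, Step 6) and, if the IdP was created with a groups claim, Cognito's `cognito:groups` array. Identity Center group membership reaches that array only if it has been turned into Cognito group membership. The Python below is an added example rather than the guide's own code: the issuer, client ID, token payload and group-to-role table are constructed, the token is deliberately unsigned so the script runs offline, and signature verification is left out because the OpenShift OAuth server performs it against Cognito's JWKS. It shows the standard claim checks (issuer, audience, token_use, expiry) and a default-deny mapping from groups to cluster roles.

```python
"""Turn Cognito ID-token claims into the identity and roles OpenShift will act on.

Added example, not part of the original guide. The token is constructed and
unsigned so the script runs offline; the OAuth server verifies real tokens
against Cognito's JWKS, which is not repeated here.
"""
import base64
import json

# Constructed stand-ins for the guide's ISSUER_URL and CLIENT_ID.
ISSUER_URL = "https://cognito-idp.us-east-1.amazonaws.com/us-east-1_EXAMPLE1"
CLIENT_ID = "1example23456789abcdefghijklmn"
NOW = 1_900_000_000  # fixed clock so the expiry check is deterministic

# Hypothetical policy: Cognito group -> OpenShift cluster role. Unlisted groups grant nothing.
GROUP_ROLES = {
    "rosa-admins": "cluster-admin",
    "rosa-viewers": "view",
}


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(segment: str) -> bytes:
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def make_unsigned_token(payload: dict) -> str:
    # alg=none exists here only to fabricate test input; Cognito signs with RS256.
    header = b64url(json.dumps({"alg": "none", "typ": "JWT"}).encode())
    return f"{header}.{b64url(json.dumps(payload).encode())}."


def decode_claims(token: str) -> dict:
    # Payload only; the signature segment is ignored on purpose (see module docstring).
    _header, payload, _signature = token.split(".")
    return json.loads(b64url_decode(payload))


def validate_claims(claims: dict, now: int) -> list:
    """Checks every OIDC relying party makes before trusting a claim set."""
    problems = []
    if claims.get("iss") != ISSUER_URL:
        problems.append("issuer does not match the IdP issuer URL")
    if claims.get("aud") != CLIENT_ID:
        problems.append("audience is not this app client")
    if claims.get("token_use") != "id":
        problems.append("not an ID token (Cognito access tokens carry token_use=access)")
    if claims.get("exp", 0) <= now:
        problems.append("token expired")
    return problems


def cluster_roles_for(claims: dict) -> dict:
    """Username OpenShift sees (the email claim) and the roles a group mapping would grant."""
    groups = claims.get("cognito:groups", [])
    roles = sorted({GROUP_ROLES[g] for g in groups if g in GROUP_ROLES})
    return {"user": claims.get("email"), "groups": groups, "cluster_roles": roles}


def authorize(token: str, now: int = NOW) -> dict:
    """Decode, validate the standard claims, then compute the RBAC view; deny on any problem."""
    claims = decode_claims(token)
    problems = validate_claims(claims, now)
    if problems:
        return {"accepted": False, "problems": problems}
    return {"accepted": True, **cluster_roles_for(claims)}


# Constructed claims in the shape Cognito issues for a pool user who is in two groups.
SAMPLE_CLAIMS = {
    "iss": ISSUER_URL,
    "aud": CLIENT_ID,
    "token_use": "id",
    "sub": "11111111-2222-3333-4444-555555555555",
    "email": "alice@example.com",
    "email_verified": True,
    "cognito:groups": ["rosa-admins", "finance"],
    "iat": NOW - 60,
    "exp": NOW + 3600,
}
SAMPLE_TOKEN = make_unsigned_token(SAMPLE_CLAIMS)

if __name__ == "__main__":
    print(json.dumps(authorize(SAMPLE_TOKEN), indent=2))
```

The `user` field is the value that has to appear in `oc adm policy add-cluster-role-to-user`; a token whose `email` differs from the address used there (a different case, an alias) is the "User authenticated but no access" row in the troubleshooting table. The `finance` group in the sample is deliberately absent from `GROUP_ROLES` to show that unmapped groups grant nothing.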

8. Test Login

  1. Open the OpenShift Console URL
  2. Select “Log in with cognito”
  3. You will see both the Cognito native login and an “IdentityCenter” option
  4. Select IdentityCenter, which redirects to IAM Identity Center SSO
  5. Sign in with corporate credentials
  6. On success, you are redirected back to OpenShift as your Identity Center user
  7. Use “Copy login command” for the oc token

9. Remove HTPasswd (Optional)

Once Identity Center login is confirmed working:

Ensure you have verified Identity Center login and have granted cluster-admin to at least one Identity Center user before removing the HTPasswd IdP.

EKS vs ROSA Identity Flow Comparison

| Step              | EKS (IAM Assumed Roles)             | ROSA (Cognito + Identity Center)      |
|-------------------|-------------------------------------|---------------------------------------|
| Identity source   | IAM roles / Identity Center         | IAM Identity Center                   |
| Auth mechanism    | AWS IAM Authenticator               | OpenID Connect (Cognito)              |
| CLI credential    | aws eks get-token                   | oc login --token (from console)       |
| User management   | IAM / Identity Center               | Identity Center → Cognito (federated) |
| Access control    | aws-auth ConfigMap / Access Entries | OpenShift RBAC (ClusterRoleBinding)   |
| AWS-native?       | Yes, natively                       | Yes, via Cognito OIDC bridge          |
| Extra hop vs EKS? | No                                  | Yes (Cognito as bridge)               |

Troubleshooting

| Symptom                                             | Check                                                                                   |
|-----------------------------------------------------|-----------------------------------------------------------------------------------------|
| Login redirect fails                                | Verify the callback URL in the Cognito App Client matches the --name in rosa create idp |
| “Invalid client” error                              | Confirm CLIENT_ID and CLIENT_SECRET match the Cognito App Client exactly                |
| User authenticated but no access                    | Confirm oc adm policy add-cluster-role-to-user was run with the correct email            |
| Identity Center users not seeing SAML login option  | Confirm the user/group is assigned to the rosa-cognito app in Identity Center           |
| SAML attribute mapping wrong                        | Check the claim name in Approach 2, Step 3 matches what Identity Center sends in the SAML assertion |
| OIDC discovery endpoint 404                         | Confirm the Cognito domain was created and USER_POOL_ID is correct                      |

Cleanup

Remove all resources created by this guide in reverse order:

For Approach 2, also remove the SAML application from IAM Identity Center:

Using AWS CLI:

Or using AWS Console:

  1. Go to IAM Identity Center → Applications
  2. Select rosa-cognito
  3. Delete the application

© 2026 Red Hat