You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
Copy file name to clipboardExpand all lines: modules/rosa-configure.adoc
+29-22Lines changed: 29 additions & 22 deletions
Display the source diff
Display the rich diff
Original file line number
Diff line number
Diff line change
@@ -12,26 +12,38 @@ Use the following commands to configure the {product-title} (ROSA) CLI, `rosa`.
12
12
== login
13
13
There are several methods you can use to log into your Red{nbsp}Hat account using the {product-title} (ROSA) CLI (`rosa`). These methods are described in detail below.
14
14
15
+
[id="rosa-login-sso_{context}"]
16
+
=== Authenticating the ROSA CLI with Red Hat single sign-on
17
+
18
+
You can log in to the ROSA CLI (`rosa`) with Red{nbsp}Hat single sign-on. Red{nbsp}Hat recommends using the `rosa` command line tool with Red{nbsp}Hat single sign-on, instead of using an offline authentication token.
19
+
20
+
An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account.
21
+
22
+
Alternatively, authenticating with the Red{nbsp}Hat single sign-on method automatically sends your `rosa` instance a refresh token that is valid for 10 hours. This unique, temporary authorization code enhances security and reduces the risk of unauthorized access.
23
+
15
24
[IMPORTANT]
16
25
====
17
-
An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red{nbsp}Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and is the Red{nbsp}Hat recommended method of authentication.
26
+
The method of authenticating using Red Hat single sign-on does not break any existing automations that rely on offline tokens. Red{nbsp}Hat recommends using link:https://console.redhat.com/iam/service-accounts[services accounts] for automation purposes. If you still need to use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token[OpenShift Cluster Manager API Token] page.
18
27
====
19
28
20
-
// Furthermore, offline authentication tokens are usually stored on your device by your operating system, which means other apps on your machine can access a token if the token is not properly secured. These offline tokens are long-lived and cannot be revoked. Users must copy and paste them manually which creates a security risk. Because of these factors, Red{nbsp}Hat recommends using the single sign-on method when logging into your account with the ROSA CLI (`rosa`). This method is more secure than logging in with an offline token.
21
-
// ====
29
+
Use one of the following methods of authentication:
22
30
31
+
* If your system has a web browser, see the "Authenticating the ROSA CLI with a single sign-on authorization code" section to authenticate with Red Hat single sign-on.
23
32
24
-
[id="rosa-login-sso_{context}"]
25
-
=== login with single sign-on (SSO) authorization code
33
+
* If you are working with containers, remote hosts, or other environments without a web browser, see the "Authenticating the ROSA CLI with a single sign-on device code" section to authenticate with Red Hat single sign-on.
26
34
27
-
If your system supports a web-based browser, you can log in to the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on (SSO) authorization code.
35
+
* To authenticate the ROSA CLI using an offline token, see the "Authenticating the ROSA CLI with an offline token" section.
28
36
29
37
[NOTE]
30
38
====
31
39
Single sign-on authorization is supported with ROSA CLI (`rosa`) version 1.2.36 or later.
32
40
====
33
41
34
-
. To log into the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on authorization code, run the following command:
42
+
[id="rosa-login-sso_auth{context}"]
43
+
=== Authenticating the ROSA CLI with a single sign-on authorization code
44
+
45
+
46
+
* To log in to the ROSA CLI (`rosa`) with a Red{nbsp}Hat single sign-on authorization code, run the following command:
35
47
36
48
+
37
49
.Syntax
@@ -40,7 +52,7 @@ Single sign-on authorization is supported with ROSA CLI (`rosa`) version 1.2.36
40
52
$ rosa login --use-auth-code
41
53
----
42
54
+
43
-
Running this command will redirect you to the Red{nbsp}Hat SSO login. Log in with your Red{nbsp}Hat login or email.
55
+
Running this command redirects you to the Red{nbsp}Hat single sign-on login. Log in with your Red{nbsp}Hat login or email.
44
56
+
45
57
.Optional arguments inherited from parent commands
46
58
[cols="30,70"]
@@ -58,13 +70,13 @@ Running this command will redirect you to the Red{nbsp}Hat SSO login. Log in wit
58
70
To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.com] and run the `rosa logout` command in your terminal before attempting to login again.
59
71
60
72
[id="rosa-login-sso-device_{context}"]
61
-
=== login with a single sign-on device code
62
-
If you are working with containers, remote hosts, and other environments without a web browser, you can use a Red{nbsp}Hat single sign-on (SSO) device code for secure authentication. To do this, you must use a second device that has a web browser to approve the login.
73
+
=== Authenticating the ROSA CLI with a single sign-on device code
74
+
If you are working with containers, remote hosts, and other environments without a web browser, you can use a Red{nbsp}Hat single sign-on device code for secure authentication. To do this, you must use a second device that has a web browser to approve the login.
63
75
[NOTE]
64
76
====
65
77
Single sign-on authorization is supported with ROSA CLI (`rosa`) version 1.2.36 or later.
66
78
====
67
-
. To log in to ROSA CLI (`rosa`) with a Red Hat single sign-on device code, run the following command:
79
+
* To log in to the ROSA CLI (`rosa`) with a Red Hat single sign-on device code, run the following command:
68
80
69
81
+
70
82
.Syntax
@@ -92,27 +104,22 @@ To switch accounts, logout from link:https://sso.redhat.com[https://sso.redhat.c
92
104
93
105
94
106
[id="rosa-login-token_{context}"]
95
-
=== login with an offline token
107
+
=== Authenticating the ROSA CLI with an offline token
96
108
97
109
Log in to your Red{nbsp}Hat account, saving the credentials to the `rosa` configuration file.
98
110
111
+
[NOTE]
112
+
====
99
113
To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from the link:https://console.redhat.com/openshift/token/rosa[OpenShift Cluster Manager API Token] page.
100
-
101
114
To use service accounts for automation purposes, see the link:https://console.redhat.com/iam/service-accounts[Service Accounts] page.
115
+
====
102
116
103
-
[NOTE]
117
+
[IMPORTANT]
104
118
====
105
119
Red{nbsp}Hat recommends using service accounts for automation purposes.
106
120
====
107
121
108
-
// The ROSA CLI (`rosa`) looks for a token in the following priority order:
109
-
110
-
// . Command-line arguments
111
-
// . The `ROSA_TOKEN` environment variable
112
-
// . The `rosa` configuration file
113
-
// . Interactively from a command-line prompt
114
-
115
-
. To log in to ROSA CLI (`rosa`) with a Red{nbsp}Hat offline token, run the following command:
122
+
* To log in to ROSA CLI (`rosa`) with a Red{nbsp}Hat offline token, run the following command:
0 commit comments