// Module included in the following assemblies:
//
// * authentication/managing_cloud_provider_credentials/cco-short-term-creds.adoc

:_mod-docs-content-type: REFERENCE
[id="cco-short-term-creds-auth-flows_{context}"]
= Provider authentication details

The authentication flow for this authentication method has similarities across the supported cloud providers.

[id="cco-short-term-creds-auth-flow-aws_{context}"]
== AWS Security Token Service

In manual mode with STS, the individual {product-title} cluster components use the AWS Security Token Service (STS) to assign components IAM roles that provide short-term, limited-privilege security credentials. These credentials are associated with IAM roles that are specific to each component that makes AWS API calls.

.AWS Security Token Service authentication flow
image::347_OpenShift_credentials_with_STS_updates_0623_AWS.png[Detailed authentication flow between AWS and the cluster when using AWS STS]

[id="cco-short-term-creds-auth-flow-gcp_{context}"]
== GCP Workload Identity

In manual mode with GCP Workload Identity, the individual {product-title} cluster components use the GCP workload identity provider to allow components to impersonate GCP service accounts using short-term, limited-privilege credentials.

.GCP Workload Identity authentication flow
image::347_OpenShift_credentials_with_STS_updates_0623_GCP.png[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity]

////
[id="cco-short-term-creds-auth-flow-azure_{context}"]
== Azure AD Workload Identity

//todo: work with dev and diagrams team to get a diagram for Azure
.Azure AD Workload Identity authentication flow
image::Azure_diagram.png[Detailed authentication flow between Azure and the cluster when using Azure AD Workload Identity]
////

[id="cco-short-term-creds-auth-flow-refresh_{context}"]
== Automated credential refreshing

Requests for new and refreshed credentials are automated by using an appropriately configured OpenID Connect (OIDC) identity provider combined with provider-specific service accounts or roles. {product-title} signs Kubernetes service account tokens that are trusted by the cloud provider. These tokens can be mounted into a pod and used for authentication. By default, tokens are refreshed after one hour.