After you set up your environment and install Red Hat OpenShift Service on AWS (ROSA), create a cluster.

Creating your cluster using STS

You can create a Red Hat OpenShift Service on AWS cluster with AWS security token service (STS) using the ROSA CLI (rosa).


You have completed the installation prerequisites.

AWS Shared VPCs are not currently supported for ROSA installations.


When creating your cluster, use the following default options to configure your networking IP ranges. For more information when using manual mode, use rosa create cluster --help | grep cidr. In interactive mode, you are prompted for the settings.

  • Machine CIDR:

  • Service CIDR:

  • Pod CIDR:

    1. You can create a cluster by specifying the specifying the custom settings shown below or by using the interactive mode. To view other options when creating a cluster, enter rosa create cluster --help.

      Creating a cluster can take up to 40 minutes.

      Multiple availability zones (Multi-AZ) are recommended for production workloads. The default is a single availability zone. Use --help for an example of how to set this option manually or use interactive mode to be prompted for this setting.

      • To create a cluster with STS using custom settings:

        $ rosa create cluster \
          --cluster-name ${name} \
          --region ${region} \
          --version ${version} \
          --role-arn arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-IAM-Role \
          --support-role-arn arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-Support-Role \
          --master-iam-role arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-ControlPlane-Role \
          --worker-iam-role arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-Worker-Role \
          --operator-iam-roles aws-cloud-credentials,openshift-machine-api,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials \
          --operator-iam-roles cloud-credential-operator-iam-ro-creds,openshift-cloud-credential-operator,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede \
          --operator-iam-roles installer-cloud-credentials,openshift-image-registry,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-image-registry-installer-cloud-creden \
          --operator-iam-roles cloud-credentials,openshift-ingress-operator,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-ingress-operator-cloud-credentials \
          --operator-iam-roles ebs-cloud-credentials,openshift-cluster-csi-drivers,arn:aws:iam::${aws_account_id}:role/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent
        Example output
        I: Creating cluster with identifier '<cluster_id>' and name '<cluster_name>'
        I: To view list of clusters and their status, run `rosa list clusters`
        I: Cluster '<cluster_name>' has been created.
        I: Once the cluster is 'Ready' you will need to add an Identity Provider and define the list of cluster administrators. See `rosa create idp --help` and `rosa create user --help` for more information.
        I: To determine when your cluster is Ready, run `rosa describe cluster <cluster_name>`.
      • To create a cluster with STS using interactive prompts:

        $ rosa create cluster --interactive
    2. To check the status of your cluster and retrieve your cluster ID, enter the next command. The 'State' field changes from 'pending' to 'installing' to 'ready':

      $ rosa describe cluster --cluster=${name}
      Example output
      Name:                       <cluster_name>
      ID:                         <cluster_id>
      External ID:                <external_id>
      OpenShift Version:          <version>
      Channel Group:              stable
      DNS:                        *
      AWS Account:                123456789012
      API URL:                    https://api.<cluster_name>
      Console URL:                https://console-openshift-console.apps.<cluster_name>
      Region:                     <region>
      Multi-AZ:                   false
       - Master:                  3
       - Infra:                   2
       - Compute:                 2
       - Service CIDR:  
       - Machine CIDR:  
       - Pod CIDR:      
       - Host Prefix:             /23
      State:                      pending (Waiting for OIDC configuration)
      Private:                    No
      Created:                    Jun 10 2021 15:47:56 UTC
      Details Page:     <subscription_id>
      OIDC Endpoint URL:<cluster_id>

      If installation fails or the State field does not change to ready after 40 minutes, check the installation troubleshooting documentation for more details.

    3. Set the environment variable for the cluster_id from the previous output:

      $ export cluster_id=<cluster_id>

      Before proceeding, wait for the State output from rosa describe cluster to change to pending (Waiting for OIDC configuration).

    4. Complete the setup of the OIDC access-based IAM roles.

      1. Create the OIDC provider:

        $ thumbprint=$(openssl s_client \
          -servername${cluster_id} \
          -showcerts \
          -connect </dev/null 2>&1|
          openssl x509 \
          -fingerprint \
          -noout |
          tail -n1 |
          sed 's/SHA1 Fingerprint=//' |
          sed 's/://g'
        $ aws iam create-open-id-connect-provider \
          --url${cluster_id} \
          --client-id-list openshift \
          --thumbprint-list ${thumbprint}

        If the certificate changes, you will need to update the thumbprint.

      2. Generate permissions for OIDC-access-based roles Extract credential requests from the desired Red Hat OpenShift Service on AWS version:

        $ mkdir -p credrequests
        $ oc adm release extract${version:0:3}.0-x86_64 \
            --credentials-requests \
            --cloud=aws \
            --to credrequests
        $ cat credrequests/0000*.yaml > credrequests/${version:0:3}.yaml
        $ rm -f credrequests/0000*.yaml

        This action requires the OpenShift CLI (oc), version 4.7.9 or greater. You can download the latest oc version from the ROSA (rosa) CLI.

        $ rosa download openshift-client

        After downloading the oc CLI, unzip it and add it to your path.

      3. Create the IAM roles:

        $ mkdir -p iam_assets
        $ cd iam_assets
        $ ccoctl aws create-iam-roles \
          --credentials-requests-dir ../credrequests/ \
          --identity-provider-arn arn:aws:iam::${aws_account_id}:oidc-provider/${cluster_id} \
          --name ManagedOpenShift \
          --region ${region} \
        $ for role in `find . -name "*-role.json"`
          policy=$(sed -e 's/05-/06-/' -e 's/role/policy/' <<< ${role})
          role_name=$(grep --color=never -o "RoleName\":\"(\w|-)*" ${policy} | sed "s/RoleName\":\"//")
          aws iam create-role --cli-input-json file://${role}
          sed -i.bak 's/,"RoleName":".*"//' ${policy}
          policy_arn=$(aws iam create-policy --output json --cli-input-json file://$policy | grep Arn | awk '{print $2}' | awk -F '"' '{print $2}')
          aws iam attach-role-policy --role-name $role_name --policy-arn $policy_arn
          rm ${policy}
          mv ${policy}.bak ${policy}
          sleep 5 # Prevents AWS Rate limiting

        If relying on a permissions boundary ARN, use the following aws iam create-role command in the previous loop

        $ aws iam create-role \
            --cli-input-json file://${role} \
            --permissions-boundary ${permissions_boundary_arn}
    5. To track the progress of your cluster creation, enter this command to watch the OpenShift installer logs:

      $ rosa logs install --cluster=${name} --watch

Additional resources