After you set up your environment for STS with Red Hat OpenShift Service on AWS (ROSA), create IAM and OIDC access-based roles.

Creating IAM roles and policies for STS in ROSA

When using STS, set up IAM and OIDC access-based roles before creating your cluster.

Prerequisites
  • Review and complete the deployment prerequisites and policies.

  • Set up the environment for STS.

Installer access role and policy

This role is used to manage the installation and deletion of clusters that use STS.

Procedure
  1. Write the trust policy for the ManagedOpenShift-IAM-Role installer access role to the ManagedOpenShift_IAM_Role.json file.

    Command to write the trust policy
    $ cat << EOM > ManagedOpenShift_IAM_Role.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"
              ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOM
  2. Create the ManagedOpenShift-IAM-Role role with the trust policy using the AWS CLI.

    $ aws iam create-role --role-name ManagedOpenShift-IAM-Role --assume-role-policy-document file://ManagedOpenShift_IAM_Role.json

    If relying on a permissions boundary ARN, use the following aws iam create-role command instead of the previous command.

    $ aws iam create-role \
        --role-name ManagedOpenShift-IAM-Role \
        --assume-role-policy-document file://ManagedOpenShift_IAM_Role.json \
        --permissions-boundary ${permissions_boundary_arn}
  3. To create the permissions policy document, write the ManagedOpenShift-IAM-Role-Policy inline policy to the ManagedOpenShift_IAM_Role_Policy.json file.

    Command to create the permissions policy document
    $ cat << EOM > ManagedOpenShift_IAM_Role_Policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                     "autoscaling:DescribeAutoScalingGroups",
                     "ec2:AllocateAddress",
                     "ec2:AssociateAddress",
                     "ec2:AssociateDhcpOptions",
                     "ec2:AssociateRouteTable",
                     "ec2:AttachInternetGateway",
                     "ec2:AttachNetworkInterface",
                     "ec2:AuthorizeSecurityGroupEgress",
                     "ec2:AuthorizeSecurityGroupIngress",
                     "ec2:CopyImage",
                     "ec2:CreateDhcpOptions",
                     "ec2:CreateInternetGateway",
                     "ec2:CreateNatGateway",
                     "ec2:CreateNetworkInterface",
                     "ec2:CreateRoute",
                     "ec2:CreateRouteTable",
                     "ec2:CreateSecurityGroup",
                     "ec2:CreateSubnet",
                     "ec2:CreateTags",
                     "ec2:CreateVolume",
                     "ec2:CreateVpc",
                     "ec2:CreateVpcEndpoint",
                     "ec2:DeleteDhcpOptions",
                     "ec2:DeleteInternetGateway",
                     "ec2:DeleteNatGateway",
                     "ec2:DeleteNetworkInterface",
                     "ec2:DeleteRoute",
                     "ec2:DeleteRouteTable",
                     "ec2:DeleteSecurityGroup",
                     "ec2:DeleteSnapshot",
                     "ec2:DeleteSubnet",
                     "ec2:DeleteTags",
                     "ec2:DeleteVolume",
                     "ec2:DeleteVpc",
                     "ec2:DeleteVpcEndpoints",
                     "ec2:DeregisterImage",
                     "ec2:DescribeAccountAttributes",
                     "ec2:DescribeAddresses",
                     "ec2:DescribeAvailabilityZones",
                     "ec2:DescribeDhcpOptions",
                     "ec2:DescribeImages",
                     "ec2:DescribeInstanceAttribute",
                     "ec2:DescribeInstanceCreditSpecifications",
                     "ec2:DescribeInstances",
                     "ec2:DescribeInstanceStatus",
                     "ec2:DescribeInstanceTypes",
                     "ec2:DescribeInternetGateways",
                     "ec2:DescribeKeyPairs",
                     "ec2:DescribeNatGateways",
                     "ec2:DescribeNetworkAcls",
                     "ec2:DescribeNetworkInterfaces",
                     "ec2:DescribePrefixLists",
                     "ec2:DescribeRegions",
                     "ec2:DescribeReservedInstancesOfferings",
                     "ec2:DescribeRouteTables",
                     "ec2:DescribeSecurityGroups",
                     "ec2:DescribeSubnets",
                     "ec2:DescribeTags",
                     "ec2:DescribeVolumes",
                     "ec2:DescribeVpcAttribute",
                     "ec2:DescribeVpcClassicLink",
                     "ec2:DescribeVpcClassicLinkDnsSupport",
                     "ec2:DescribeVpcEndpoints",
                     "ec2:DescribeVpcs",
                     "ec2:DetachInternetGateway",
                     "ec2:DisassociateRouteTable",
                     "ec2:GetEbsDefaultKmsKeyId",
                     "ec2:ModifyInstanceAttribute",
                     "ec2:ModifyNetworkInterfaceAttribute",
                     "ec2:ModifySubnetAttribute",
                     "ec2:ModifyVpcAttribute",
                     "ec2:ReleaseAddress",
                     "ec2:ReplaceRouteTableAssociation",
                     "ec2:RevokeSecurityGroupEgress",
                     "ec2:RevokeSecurityGroupIngress",
                     "ec2:RunInstances",
                     "ec2:TerminateInstances",
                     "elasticloadbalancing:AddTags",
                     "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                     "elasticloadbalancing:AttachLoadBalancerToSubnets",
                     "elasticloadbalancing:ConfigureHealthCheck",
                     "elasticloadbalancing:CreateListener",
                     "elasticloadbalancing:CreateLoadBalancer",
                     "elasticloadbalancing:CreateLoadBalancerListeners",
                     "elasticloadbalancing:CreateTargetGroup",
                     "elasticloadbalancing:DeleteLoadBalancer",
                     "elasticloadbalancing:DeleteTargetGroup",
                     "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                     "elasticloadbalancing:DeregisterTargets",
                     "elasticloadbalancing:DescribeInstanceHealth",
                     "elasticloadbalancing:DescribeListeners",
                     "elasticloadbalancing:DescribeLoadBalancerAttributes",
                     "elasticloadbalancing:DescribeLoadBalancers",
                     "elasticloadbalancing:DescribeTags",
                     "elasticloadbalancing:DescribeTargetGroupAttributes",
                     "elasticloadbalancing:DescribeTargetGroups",
                     "elasticloadbalancing:DescribeTargetHealth",
                     "elasticloadbalancing:ModifyLoadBalancerAttributes",
                     "elasticloadbalancing:ModifyTargetGroup",
                     "elasticloadbalancing:ModifyTargetGroupAttributes",
                     "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                     "elasticloadbalancing:RegisterTargets",
                     "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                     "iam:AddRoleToInstanceProfile",
                     "iam:CreateInstanceProfile",
                     "iam:DeleteInstanceProfile",
                     "iam:GetInstanceProfile",
                     "iam:GetRole",
                     "iam:GetRolePolicy",
                     "iam:GetUser",
                     "iam:ListAttachedRolePolicies",
                     "iam:ListInstanceProfiles",
                     "iam:ListInstanceProfilesForRole",
                     "iam:ListRolePolicies",
                     "iam:ListRoles",
                     "iam:ListUserPolicies",
                     "iam:ListUsers",
                     "iam:PassRole",
                     "iam:RemoveRoleFromInstanceProfile",
                     "iam:SimulatePrincipalPolicy",
                     "iam:TagRole",
                     "iam:UntagRole",
                     "route53:ChangeResourceRecordSets",
                     "route53:ChangeTagsForResource",
                     "route53:CreateHostedZone",
                     "route53:DeleteHostedZone",
                     "route53:GetChange",
                     "route53:GetHostedZone",
                     "route53:ListHostedZones",
                     "route53:ListHostedZonesByName",
                     "route53:ListResourceRecordSets",
                     "route53:ListTagsForResource",
                     "route53:UpdateHostedZoneComment",
                     "s3:CreateBucket",
                     "s3:DeleteBucket",
                     "s3:DeleteObject",
                     "s3:GetAccelerateConfiguration",
                     "s3:GetBucketAcl",
                     "s3:GetBucketCORS",
                     "s3:GetBucketLocation",
                     "s3:GetBucketLogging",
                     "s3:GetBucketObjectLockConfiguration",
                     "s3:GetBucketRequestPayment",
                     "s3:GetBucketTagging",
                     "s3:GetBucketVersioning",
                     "s3:GetBucketWebsite",
                     "s3:GetEncryptionConfiguration",
                     "s3:GetLifecycleConfiguration",
                     "s3:GetObject",
                     "s3:GetObjectAcl",
                     "s3:GetObjectTagging",
                     "s3:GetObjectVersion",
                     "s3:GetReplicationConfiguration",
                     "s3:ListBucket",
                     "s3:ListBucketVersions",
                     "s3:PutBucketAcl",
                     "s3:PutBucketTagging",
                     "s3:PutEncryptionConfiguration",
                     "s3:PutObject",
                     "s3:PutObjectAcl",
                     "s3:PutObjectTagging",
                     "sts:AssumeRole",
                     "sts:AssumeRoleWithWebIdentity",
                     "sts:GetCallerIdentity",
                     "tag:GetResources",
                     "tag:UntagResources"
                ],
                "Resource": "*"
            }
        ]
    }
    EOM
  4. Attach the inline policy in the ManagedOpenShift_IAM_Role_Policy.json file to the ManagedOpenShift-IAM-Role role.

    $ aws iam put-role-policy --role-name ManagedOpenShift-IAM-Role --policy-name ManagedOpenShift-IAM-Role-Policy --policy-document file://ManagedOpenShift_IAM_Role_Policy.json

Control plane node instance profile role

Procedure
  1. Write the trust policy for the ManagedOpenShift-ControlPlane-Role control plane node instance profile role to the ManagedOpenShift_ControlPlane_Role.json file.

    Command to write the trust policy
    $ cat << EOM > ManagedOpenShift_ControlPlane_Role.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOM
  2. Create the ManagedOpenShift-ControlPlane-Role role with the trust policy using the AWS CLI.

    $ aws iam create-role --role-name ManagedOpenShift-ControlPlane-Role --assume-role-policy-document file://ManagedOpenShift_ControlPlane_Role.json

    If relying on a permissions boundary ARN, use the following aws iam create-role command instead of the previous command.

    $ aws iam create-role \
        --role-name ManagedOpenShift-ControlPlane-Role \
        --assume-role-policy-document file://ManagedOpenShift_ControlPlane_Role.json \
        --permissions-boundary ${permissions_boundary_arn}
  3. To create the permissions policy document, write the ManagedOpenShift-ControlPlane-Role-Policy inline policy to the ManagedOpenShift_ControlPlane_Role_Policy.json file.

    Command to create the permissions policy document
    $ cat << EOM > ManagedOpenShift_ControlPlane_Role_Policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:AttachVolume",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:CreateSecurityGroup",
                    "ec2:CreateTags",
                    "ec2:CreateVolume",
                    "ec2:DeleteSecurityGroup",
                    "ec2:DeleteVolume",
                    "ec2:Describe*",
                    "ec2:DetachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:ModifyVolume",
                    "ec2:RevokeSecurityGroupIngress",
                    "elasticloadbalancing:AddTags",
                    "elasticloadbalancing:AttachLoadBalancerToSubnets",
                    "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                    "elasticloadbalancing:CreateListener",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:CreateLoadBalancerPolicy",
                    "elasticloadbalancing:CreateLoadBalancerListeners",
                    "elasticloadbalancing:CreateTargetGroup",
                    "elasticloadbalancing:ConfigureHealthCheck",
                    "elasticloadbalancing:DeleteListener",
                    "elasticloadbalancing:DeleteLoadBalancer",
                    "elasticloadbalancing:DeleteLoadBalancerListeners",
                    "elasticloadbalancing:DeleteTargetGroup",
                    "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                    "elasticloadbalancing:DeregisterTargets",
                    "elasticloadbalancing:Describe*",
                    "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                    "elasticloadbalancing:ModifyListener",
                    "elasticloadbalancing:ModifyLoadBalancerAttributes",
                    "elasticloadbalancing:ModifyTargetGroup",
                    "elasticloadbalancing:ModifyTargetGroupAttributes",
                    "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                    "elasticloadbalancing:RegisterTargets",
                    "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
                    "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                    "kms:DescribeKey"
                ],
                "Resource": "*"
            }
        ]
    }
    EOM
  4. Attach the inline policy in the ManagedOpenShift_ControlPlane_Role_Policy.json file to the ManagedOpenShift-ControlPlane-Role instance profile role.

    $ aws iam put-role-policy --role-name ManagedOpenShift-ControlPlane-Role --policy-name ManagedOpenShift-ControlPlane-Role-Policy --policy-document file://ManagedOpenShift_ControlPlane_Role_Policy.json

Worker node instance profile role

Procedure
  1. Write the trust policy for the ManagedOpenShift-Worker-Role worker node instance profile role to the ManagedOpenShift_Worker_Role.json file.

    Command to write the trust policy
    $ cat << EOM > ManagedOpenShift_Worker_Role.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
            "Service": "ec2.amazonaws.com"
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOM
  2. Create the ManagedOpenShift-Worker-Role role with the trust policy using the AWS CLI.

    $ aws iam create-role --role-name ManagedOpenShift-Worker-Role --assume-role-policy-document file://ManagedOpenShift_Worker_Role.json

    If relying on a permissions boundary ARN, use the following aws iam create-role command instead of the previous command.

    $ aws iam create-role \
        --role-name ManagedOpenShift-Worker-Role \
        --assume-role-policy-document file://ManagedOpenShift_Worker_Role.json \
        --permissions-boundary ${permissions_boundary_arn}
  3. Write the ManagedOpenShift-Worker-Role-Policy policy to the ManagedOpenShift_Worker_Role_Policy.json file to create the permissions policy document.

    Command to create the permissions policy document
    $ cat << EOM > ManagedOpenShift_Worker_Role_Policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeRegions"
                ],
                "Resource": "*"
            }
        ]
    }
    EOM
  4. Attach the ManagedOpenShift_Worker_Role_Policy.json file to the ManagedOpenShift-Worker-Role instance profile role.

    $ aws iam put-role-policy --role-name ManagedOpenShift-Worker-Role --policy-name ManagedOpenShift-Worker-Role-Policy --policy-document file://ManagedOpenShift_Worker_Role_Policy.json

STS support role

The STS support role is designed to give Red Hat site reliability engineering (SRE) read-only access to support a given cluster and troubleshoot issues. Note that the permissions policy below is not purely read-only: alongside the Describe, Get, List and Lookup actions it also allows snapshot creation and instance reboot, start and terminate, so review the action list against your own requirements before creating the policy.

Procedure
  1. Write the trust policy for the ManagedOpenShift-Support-Role support role, which trusts the Red Hat RH-Technical-Support-Access role, to the RH_Support_Role.json file.

    Command to write the trust policy
    $ cat << EOM > RH_Support_Role.json
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": {
              "AWS": [
                  "arn:aws:iam::710019948333:role/RH-Technical-Support-Access"
              ]
          },
          "Action": "sts:AssumeRole"
        }
      ]
    }
    EOM
  2. Create the ManagedOpenShift-Support-Role role with the trust policy using the AWS CLI.

    $ aws iam create-role --role-name ManagedOpenShift-Support-Role --assume-role-policy-document file://RH_Support_Role.json

    If relying on a permissions boundary ARN, use the following aws iam create-role command instead of the previous command.

    $ aws iam create-role \
        --role-name ManagedOpenShift-Support-Role \
        --assume-role-policy-document file://RH_Support_Role.json \
        --permissions-boundary ${permissions_boundary_arn}
  3. Write the ManagedOpenShift-Support-Access policy to the RH_Support_Policy.json file to create the permissions policy document.

    Command to create the permissions policy document
    $ cat << EOM > RH_Support_Policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "cloudtrail:DescribeTrails",
                    "cloudtrail:LookupEvents",
                    "cloudwatch:GetMetricData",
                    "cloudwatch:GetMetricStatistics",
                    "cloudwatch:ListMetrics",
                    "ec2:CopySnapshot",
                    "ec2:CreateSnapshot",
                    "ec2:CreateSnapshots",
                    "ec2:DescribeAccountAttributes",
                    "ec2:DescribeAddresses",
                    "ec2:DescribeAddressesAttribute",
                    "ec2:DescribeAggregateIdFormat",
                    "ec2:DescribeAvailabilityZones",
                    "ec2:DescribeByoipCidrs",
                    "ec2:DescribeCapacityReservations",
                    "ec2:DescribeCarrierGateways",
                    "ec2:DescribeClassicLinkInstances",
                    "ec2:DescribeClientVpnAuthorizationRules",
                    "ec2:DescribeClientVpnConnections",
                    "ec2:DescribeClientVpnEndpoints",
                    "ec2:DescribeClientVpnRoutes",
                    "ec2:DescribeClientVpnTargetNetworks",
                    "ec2:DescribeCoipPools",
                    "ec2:DescribeCustomerGateways",
                    "ec2:DescribeDhcpOptions",
                    "ec2:DescribeEgressOnlyInternetGateways",
                    "ec2:DescribeIamInstanceProfileAssociations",
                    "ec2:DescribeIdFormat",
                    "ec2:DescribeIdentityIdFormat",
                    "ec2:DescribeImageAttribute",
                    "ec2:DescribeImages",
                    "ec2:DescribeInstanceAttribute",
                    "ec2:DescribeInstanceStatus",
                    "ec2:DescribeInstanceTypeOfferings",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInternetGateways",
                    "ec2:DescribeIpv6Pools",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeLaunchTemplates",
                    "ec2:DescribeLocalGatewayRouteTableVirtualInterfaceGroupAssociations",
                    "ec2:DescribeLocalGatewayRouteTableVpcAssociations",
                    "ec2:DescribeLocalGatewayRouteTables",
                    "ec2:DescribeLocalGatewayVirtualInterfaceGroups",
                    "ec2:DescribeLocalGatewayVirtualInterfaces",
                    "ec2:DescribeLocalGateways",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeNetworkAcls",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DescribePlacementGroups",
                    "ec2:DescribePrefixLists",
                    "ec2:DescribePrincipalIdFormat",
                    "ec2:DescribePublicIpv4Pools",
                    "ec2:DescribeRegions",
                    "ec2:DescribeReservedInstances",
                    "ec2:DescribeRouteTables",
                    "ec2:DescribeScheduledInstances",
                    "ec2:DescribeSecurityGroupReferences",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeSnapshotAttribute",
                    "ec2:DescribeSnapshots",
                    "ec2:DescribeSpotFleetInstances",
                    "ec2:DescribeStaleSecurityGroups",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeTags",
                    "ec2:DescribeTransitGatewayAttachments",
                    "ec2:DescribeTransitGatewayConnectPeers",
                    "ec2:DescribeTransitGatewayConnects",
                    "ec2:DescribeTransitGatewayMulticastDomains",
                    "ec2:DescribeTransitGatewayPeeringAttachments",
                    "ec2:DescribeTransitGatewayRouteTables",
                    "ec2:DescribeTransitGatewayVpcAttachments",
                    "ec2:DescribeTransitGateways",
                    "ec2:DescribeVolumeAttribute",
                    "ec2:DescribeVolumeStatus",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVolumesModifications",
                    "ec2:DescribeVpcAttribute",
                    "ec2:DescribeVpcClassicLink",
                    "ec2:DescribeVpcClassicLinkDnsSupport",
                    "ec2:DescribeVpcEndpointConnectionNotifications",
                    "ec2:DescribeVpcEndpointConnections",
                    "ec2:DescribeVpcEndpointServiceConfigurations",
                    "ec2:DescribeVpcEndpointServicePermissions",
                    "ec2:DescribeVpcEndpointServices",
                    "ec2:DescribeVpcEndpoints",
                    "ec2:DescribeVpcPeeringConnections",
                    "ec2:DescribeVpcs",
                    "ec2:DescribeVpnConnections",
                    "ec2:DescribeVpnGateways",
                    "ec2:GetAssociatedIpv6PoolCidrs",
                    "ec2:GetTransitGatewayAttachmentPropagations",
                    "ec2:GetTransitGatewayMulticastDomainAssociations",
                    "ec2:GetTransitGatewayPrefixListReferences",
                    "ec2:GetTransitGatewayRouteTableAssociations",
                    "ec2:GetTransitGatewayRouteTablePropagations",
                    "ec2:RebootInstances",
                    "ec2:SearchLocalGatewayRoutes",
                    "ec2:SearchTransitGatewayMulticastGroups",
                    "ec2:SearchTransitGatewayRoutes",
                    "ec2:StartInstances",
                    "ec2:TerminateInstances",
                    "elasticloadbalancing:ConfigureHealthCheck",
                    "elasticloadbalancing:DescribeAccountLimits",
                    "elasticloadbalancing:DescribeInstanceHealth",
                    "elasticloadbalancing:DescribeListenerCertificates",
                    "elasticloadbalancing:DescribeListeners",
                    "elasticloadbalancing:DescribeLoadBalancerAttributes",
                    "elasticloadbalancing:DescribeLoadBalancerPolicies",
                    "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
                    "elasticloadbalancing:DescribeLoadBalancers",
                    "elasticloadbalancing:DescribeRules",
                    "elasticloadbalancing:DescribeSSLPolicies",
                    "elasticloadbalancing:DescribeTags",
                    "elasticloadbalancing:DescribeTargetGroupAttributes",
                    "elasticloadbalancing:DescribeTargetGroups",
                    "elasticloadbalancing:DescribeTargetHealth",
                    "route53:GetHostedZone",
                    "route53:GetHostedZoneCount",
                    "route53:ListHostedZones",
                    "route53:ListHostedZonesByName",
                    "route53:ListResourceRecordSets",
                    "s3:GetBucketTagging",
                    "s3:GetObjectAcl",
                    "s3:GetObjectTagging",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": "s3:ListBucket",
                "Resource": [
                    "arn:aws:s3:::managed-velero*",
                    "arn:aws:s3:::*image-registry*"
                ]
            }
        ]
    }
    EOM
  4. Create the ManagedOpenShift-Support-Access policy object in AWS using the AWS CLI.

    $ aws iam create-policy --policy-name ManagedOpenShift-Support-Access --policy-document file://RH_Support_Policy.json
  5. Attach the ManagedOpenShift-Support-Access policy to the ManagedOpenShift-Support-Role role:

    $ policy_arn=<output_of_policy_arn_from_above_command>
    $ aws iam attach-role-policy --role-name ManagedOpenShift-Support-Role --policy-arn $policy_arn
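The following is an added review check in Python (standard library only); it is not part of the Red Hat documentation or the rosa tooling. It validates the trust policies written in the procedures above against the two Red Hat role principals and the EC2 service principal, and lists which actions in a permissions policy can change state, run here over a constructed excerpt of the support policy. The mistyped trust policy and the placeholder account ID 123456789012 in it are constructed for the negative case.

```python
import json

# Principals the trust policies above are expected to name: the two Red Hat roles
# (account ID as given in the trust policies above) and the EC2 service principal.
EXPECTED_PRINCIPALS = {
    "arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer",
    "arn:aws:iam::710019948333:role/RH-Technical-Support-Access",
    "ec2.amazonaws.com",
}

# Action verb prefixes that only read state; every other verb is treated as mutating.
READ_ONLY_VERBS = ("Describe", "Get", "List", "Lookup", "Search")


def _as_list(value):
    """IAM accepts a string or a list in most fields; normalise to a list."""
    return [] if value is None else value if isinstance(value, list) else [value]


def trust_policy_findings(doc):
    """Return review findings for a role trust policy; an empty list means it is as expected."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        if principal == "*" or not isinstance(principal, dict):
            findings.append("wildcard or malformed principal: any AWS account could assume this role")
            continue
        for kind, names in principal.items():
            for name in _as_list(names):
                if name == "*":
                    findings.append(f"wildcard {kind} principal")
                elif name not in EXPECTED_PRINCIPALS:
                    findings.append(f"unexpected {kind} principal {name}")
                if kind == "AWS" and name.endswith(":root"):
                    findings.append(f"{name} trusts a whole account rather than one role")
        for action in _as_list(stmt.get("Action")):
            if action != "sts:AssumeRole":
                findings.append(f"trust policy allows {action}; only sts:AssumeRole is expected")
    return findings


def mutating_actions(doc):
    """Return, sorted, the allowed actions in a permissions policy that can change state."""
    found = set()
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        for action in _as_list(stmt.get("Action")):
            _service, _, verb = action.partition(":")
            if verb == "*" or not verb.startswith(READ_ONLY_VERBS):
                found.add(action)
    return sorted(found)


def _trust(principal):
    """Build a trust policy document in the same shape as the cat << EOM files above."""
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Principal": principal, "Action": "sts:AssumeRole"}]}


# The installer and worker trust policies exactly as written in the steps above.
INSTALLER_TRUST = _trust({"AWS": ["arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer"]})
WORKER_TRUST = _trust({"Service": "ec2.amazonaws.com"})
# Constructed negative case (not from the documentation): a mistyped trust that names a
# whole account, using the AWS documentation placeholder account ID 123456789012.
BAD_TRUST = _trust({"AWS": "arn:aws:iam::123456789012:root"})
# Constructed excerpt of the support permissions policy above, keeping the actions that matter here.
SUPPORT_POLICY_EXCERPT = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Resource": "*", "Action": [
            "cloudtrail:LookupEvents", "ec2:DescribeInstances", "ec2:CreateSnapshot",
            "ec2:RebootInstances", "ec2:TerminateInstances", "elasticloadbalancing:ConfigureHealthCheck"]},
        {"Effect": "Allow", "Action": "s3:ListBucket",
         "Resource": ["arn:aws:s3:::managed-velero*", "arn:aws:s3:::*image-registry*"]},
    ],
}

if __name__ == "__main__":
    # Review the files written above if they exist in the current directory, then the constructed cases.
    for path in ("ManagedOpenShift_IAM_Role.json", "RH_Support_Role.json"):
        try:
            with open(path) as fh:
                print(path, trust_policy_findings(json.load(fh)) or "ok")
        except FileNotFoundError:
            pass
    print("bad trust:", trust_policy_findings(BAD_TRUST))
    print("support policy mutating actions:", mutating_actions(SUPPORT_POLICY_EXCERPT))
```

Run it from the directory holding the JSON files before the aws iam create-role and put-role-policy steps; any finding on a trust policy means the file does not match the documents shown above.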
Install

After completing these steps, you are ready to create a cluster.

Next steps