Delete a Red Hat OpenShift Service on AWS (ROSA) cluster using the rosa command-line interface (CLI).

Deleting a cluster

You can delete a Red Hat OpenShift Service on AWS cluster using the rosa CLI.

You can also use the rosa CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. The cluster deletion must complete before you remove the IAM resources, because the resources are used in the cluster deletion and clean-up processes.

If add-ons are installed, the deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.

Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.

Procedure
  1. Enter the following command to delete a cluster and watch the logs, replacing <cluster_name> with the name or ID of your cluster:

    $ rosa delete cluster --cluster=<cluster_name> --watch

    You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.

  2. Delete the OIDC provider that the cluster Operators use to authenticate:

    $ rosa delete oidc-provider -c <cluster_id> --mode auto (1)
    1 Replace <cluster_id> with the ID of the cluster.

    You can use the -y option to automatically answer yes to the prompts.

  3. Delete the cluster-specific Operator IAM roles:

    $ rosa delete operator-roles -c <cluster_id> --mode auto (1)
    1 Replace <cluster_id> with the ID of the cluster.

  4. Delete the account-wide roles:

    $ rosa delete account-roles --prefix <prefix> --mode auto (1)
    1 You must include the --prefix argument. Replace <prefix> with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, ManagedOpenShift.

    Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.

  5. Use the AWS IAM Console to delete the account-wide inline and Operator policies. For detailed steps, see the Deleting the AWS resources by using the AWS IAM Console section.

Deleting the AWS resources by using the AWS IAM Console

After deleting a Red Hat OpenShift Service on AWS (ROSA) cluster, you can delete the AWS Security Token Service (STS) resources by using the AWS Identity and Access Management (IAM) Console.

Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.

Prerequisites
  • You have deleted your ROSA cluster. For more information, see the Deleting a cluster section.

    You must delete the cluster before you remove the IAM roles and policies. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean up the resources created by the OpenShift Operators.

Procedure
  1. Log in to the AWS IAM Console.

  2. Delete the OpenID Connect (OIDC) provider that you created for Operator authentication in your cluster:

    1. Navigate to Access management → Identity providers and click on the OIDC resource that you created to authenticate the cluster Operators.

    2. In the dialog page for the resource, select Delete to delete the OIDC provider.

  3. Delete the cluster-specific Operator IAM roles:

    The IAM role and policy names include the role prefix that is specified when the STS resources are created. The default prefix is ManagedOpenShift.

    1. Navigate to Access management → Roles and click on one of the cluster-specific Operator roles that you created for your cluster.

    2. In the dialog page for the resource, select Delete role to delete the role. Select Yes, delete to confirm the role deletion.

    3. Repeat this step to delete each of the cluster-specific Operator roles for the cluster.

  4. Delete the account-wide Operator policies that you created for ROSA deployments that use STS:

    1. Navigate to Access management → Policies and click on one of the Operator policies.

    2. In the dialog page for the resource, select Delete policy to delete the policy. Select Delete to confirm the policy deletion.

    3. Repeat this step to delete each of the Operator policies.

  5. Delete the account-wide IAM roles and inline policies that you created for ROSA deployments that use STS:

    1. Navigate to Access management → Roles and click on one of the account-wide roles.

    2. In the dialog page for the resource, select Delete role to delete the role. Select Yes, delete to confirm the role deletion.

    3. Repeat this step to delete each of the account-wide roles for the cluster.
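
The following check is an added example, not part of the Red Hat documentation. After either procedure above, it classifies what remains in IAM from saved output of `aws iam list-roles` and `aws iam list-open-id-connect-providers`: whether the deleted cluster's OIDC provider is gone, which Operator roles still trust it, and which account-wide roles with the prefix remain. The sample ARNs, the Operator role names, and the function names are constructed, and the check assumes Operator roles can be recognized by a trust policy that federates to the cluster's OIDC provider.

```python
# Constructed sample data shaped like the output of `aws iam list-roles` and
# `aws iam list-open-id-connect-providers`; account IDs, names and URLs are made up.
IAM = "arn:aws:iam::123456789012"
GONE = f"{IAM}:oidc-provider/oidc.example.com/deleted-cluster"
LIVE = f"{IAM}:oidc-provider/oidc.example.com/other-cluster"

def _role(name, principal):
    action = "sts:AssumeRoleWithWebIdentity" if "Federated" in principal else "sts:AssumeRole"
    return {"RoleName": name, "AssumeRolePolicyDocument": {"Statement": [
        {"Effect": "Allow", "Principal": principal, "Action": action}]}}

ROLES = {"Roles": [
    _role("ManagedOpenShift-Installer-Role", {"AWS": "arn:aws:iam::999999999999:role/example"}),
    _role("ManagedOpenShift-Worker-Role", {"Service": "ec2.amazonaws.com"}),
    _role("deleted-cluster-ingress-operator", {"Federated": GONE}),
    _role("other-cluster-ingress-operator", {"Federated": [LIVE]}),
]}
PROVIDERS = {"OpenIDConnectProviderList": [{"Arn": LIVE}]}


def federated_arns(role):
    """Return the identity-provider ARNs named in the role's trust policy."""
    statements = role["AssumeRolePolicyDocument"].get("Statement", [])
    if isinstance(statements, dict):          # IAM allows a single statement object
        statements = [statements]
    arns = set()
    for statement in statements:
        principal = statement.get("Principal", {})
        fed = principal.get("Federated", []) if isinstance(principal, dict) else []
        arns.update([fed] if isinstance(fed, str) else fed)
    return arns


def audit(roles, providers, cluster_oidc_arn, prefix="ManagedOpenShift"):
    """Classify what is left in IAM after the cluster's teardown steps."""
    live = {p["Arn"] for p in providers["OpenIDConnectProviderList"]}
    report = {"oidc_provider_remains": cluster_oidc_arn in live,
              "operator_roles": [], "other_federated_roles": [], "account_roles": []}
    for role in roles["Roles"]:
        fed = federated_arns(role)
        if cluster_oidc_arn in fed:
            report["operator_roles"].append(role["RoleName"])         # Operator role leftovers
        elif fed & live:
            report["other_federated_roles"].append(role["RoleName"])  # trusts a live provider
        elif not fed and role["RoleName"].startswith(prefix + "-"):
            report["account_roles"].append(role["RoleName"])          # may be shared; review
    return report


if __name__ == "__main__":
    for key, value in audit(ROLES, PROVIDERS, GONE).items():
        print(f"{key}: {value}")
```

A non-empty `other_federated_roles` list is a prompt to confirm that no other cluster depends on the account-wide roles before deleting them, not proof either way.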