Delete a Red Hat OpenShift Service on AWS (ROSA) cluster using the rosa command-line.

Deleting a cluster

You can delete a Red Hat OpenShift Service on AWS cluster using the rosa CLI.

If add-ons are installed, the deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.

Procedure
  1. Enter the following command to delete a cluster and watch the logs, replacing <cluster_name> with the name or ID of your cluster:

    $ rosa delete cluster --cluster=<cluster_name> --watch

Deleting the AWS resources by using the CLI

After deleting a Red Hat OpenShift Service on AWS (ROSA) cluster, you can delete the AWS Security Token Service (STS) resources by using the CLI.

Account-wide Identity Access Management (IAM) roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.

Prerequisites
  • You have installed and configured the latest AWS CLI on your installation host.

  • You have deleted your ROSA cluster. For more information, see the Deleting a cluster section.

    You must delete the cluster before you remove the IAM roles and policies. The account-wide roles and policies are required to delete the resources created by the installer. The Operator roles and policies are required to clean up the resources created by the OpenShift Operators.

Procedure
  1. Delete the OpenID Connect (OIDC) provider that you created for Operator authentication in your cluster:

    $ aws iam delete-open-id-connect-provider --open-id-connect-provider-arn <oidc_provider_arn> (1)
    1 Replace <oidc_provider_arn> with the Amazon Resource Name (ARN) of the OpenID Connect (OIDC) resource that you created to authenticate the cluster Operators. You can run $ aws iam list-open-id-connect-providers to list the OIDC providers in your account.
  2. Delete the cluster-specific Operator IAM roles:

    1. List the account-wide Operator policy that is attached to one of the cluster-specific IAM roles:

      $ aws iam list-attached-role-policies --role-name <operator_role_name> (1)
      1 Replace <operator_role_name> with the name of a cluster-specific Operator role that you created for the cluster. Specify the role name and not the full ARN. You can run $ aws iam list-roles to list the roles in your account.

      The IAM role and policy names include the role prefix that is specified when the STS resources are created. The default prefix is ManagedOpenShift.

    2. Detach the policy from the role:

      $ aws iam detach-role-policy --role-name <operator_role_name> --policy-arn <operator_policy_arn> (1)
      1 Replace <operator_policy_arn> with the ARN of the attached Operator policy.
    3. Delete the role:

      $ aws iam delete-role --role-name <operator_role_name>
    4. Repeat the steps to delete each of the cluster-specific Operator roles for the cluster.

  3. Delete the account-wide Operator policies that you created for ROSA deployments that use STS. The following command deletes a single policy:

    $ aws iam delete-policy --policy-arn <operator_policy_arn>  (1)
    1 Replace <operator_policy_arn> with the ARN of one of the Operator policies. You can list the policies in your account by running $ aws iam list-policies.

    Repeat this step to delete each of the Operator policies.

  4. Delete the account-wide IAM roles and inline policies that you created for ROSA deployments that use STS:

    1. List the inline policy for one of the account-wide IAM roles:

      $ aws iam list-role-policies --role-name <account_wide_role_name> (1)
      1 Replace <account_wide_role_name> with the name of one of the account-wide IAM roles. Specify the role name and not the full ARN. You can run $ aws iam list-roles to list the roles in your account.
    2. Delete the inline policy:

      $ aws iam delete-role-policy --role-name <account_wide_role_name> --policy-name <inline_role_policy_name> (1)
      1 Replace <inline_role_policy_name> with the policy name that is included in the output of the preceding command.
    3. Delete the role:

      $ aws iam delete-role --role-name <account_wide_role_name>
    4. Repeat the steps to delete each of the account-wide roles.
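
The following script is an added example, not part of the original documentation. It applies steps 2 and 3 to one cluster-specific Operator role and deletes an Operator policy only when no other role in the account is still attached to it. The AWS_CMD and DRY_RUN variables are assumptions of this example, not AWS CLI or rosa settings.

```shell
#!/usr/bin/env bash
# Added example: guarded teardown of one cluster-specific Operator role.
# AWS_CMD and DRY_RUN are hypothetical variables of this script.
AWS_CMD="${AWS_CMD:-aws}"   # override to stub the CLI when testing
DRY_RUN="${DRY_RUN:-1}"     # 1 = print mutating commands instead of running them

run() {  # execute or print a mutating command
  if [ "$DRY_RUN" = "1" ]; then echo "DRY-RUN: $*"; else "$@"; fi
}

# Print the roles still attached to a managed policy, excluding <role_name>.
other_roles_using_policy() {  # <policy_arn> <role_name>
  $AWS_CMD iam list-entities-for-policy --policy-arn "$1" \
      --entity-filter Role --query 'PolicyRoles[].RoleName' --output text |
    tr '\t' '\n' | grep -v -x -F -e "$2" -e 'None' || true
}

# Steps 2.1 to 2.3 for one role; step 3 only for policies no other role uses.
delete_operator_role() {  # <role_name>
  role="$1"
  policies=$($AWS_CMD iam list-attached-role-policies --role-name "$role" \
      --query 'AttachedPolicies[].PolicyArn' --output text | tr '\t' '\n')
  for arn in $policies; do
    if [ "$arn" = "None" ]; then continue; fi
    run $AWS_CMD iam detach-role-policy --role-name "$role" --policy-arn "$arn"
    others=$(other_roles_using_policy "$arn" "$role")
    if [ -n "$others" ]; then
      # Another cluster's role depends on this account-wide policy: keep it.
      echo "KEEP: $arn still attached to: $(echo $others)"
    else
      run $AWS_CMD iam delete-policy --policy-arn "$arn"
    fi
  done
  run $AWS_CMD iam delete-role --role-name "$role"
}
```

Call delete_operator_role <operator_role_name> once per Operator role, review the printed commands, and set DRY_RUN=0 to apply them.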

Deleting the AWS resources by using the AWS IAM Console

After deleting a Red Hat OpenShift Service on AWS (ROSA) cluster, you can delete the AWS Security Token Service (STS) resources by using the AWS Identity and Access Management (IAM) Console.

Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.

Prerequisites
  • You have deleted your ROSA cluster. For more information, see the Deleting a cluster section.

    You must delete the cluster before you remove the IAM roles and policies. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean up the resources created by the OpenShift Operators.

Procedure
  1. Log in to the AWS IAM Console.

  2. Delete the OpenID Connect (OIDC) provider that you created for Operator authentication in your cluster:

    1. Navigate to Access management → Identity providers and click on the OIDC resource that you created to authenticate the cluster Operators.

    2. In the dialog page for the resource, select Delete to delete the OIDC provider.

  3. Delete the cluster-specific Operator IAM roles:

    The IAM role and policy names include the role prefix that is specified when the STS resources are created. The default prefix is ManagedOpenShift.

    1. Navigate to Access management → Roles and click on one of the cluster-specific Operator roles that you created for your cluster.

    2. In the dialog page for the resource, select Delete role to delete the role. Select Yes, delete to confirm the role deletion.

    3. Repeat this step to delete each of the cluster-specific Operator roles for the cluster.

  4. Delete the account-wide Operator policies that you created for ROSA deployments that use STS:

    1. Navigate to Access management → Policies and click on one of the Operator policies.

    2. In the dialog page for the resource, select Delete policy to delete the policy. Select Delete to confirm the policy deletion.

    3. Repeat this step to delete each of the Operator policies.

  5. Delete the account-wide IAM roles and inline policies that you created for ROSA deployments that use STS:

    1. Navigate to Access management → Roles and click on one of the account-wide roles.

    2. In the dialog page for the resource, select Delete role to delete the role. Select Yes, delete to confirm the role deletion.

    3. Repeat this step to delete each of the account-wide roles for the cluster.