$ aws sts get-caller-identity
After you meet the AWS prerequisites, set up your environment and install Red Hat OpenShift Service on AWS (ROSA).
Complete the following steps to set up your environment before creating your cluster using AWS security token Service (STS).
Review and complete the deployment prerequisites and policies.
Create a Red Hat account, if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.
Log in to the Amazon Web Services (AWS) account that you want to use.
It is recommended to use a dedicated AWS account to run production clusters. If you are using AWS Organizations, you can use an AWS account within your organization or create a new one.
If you are using AWS Organizations and you need to have a Service Control Policy (SCP) applied to the AWS account you plan to use, these policies must not be more restrictive than the roles and policies required by the cluster.
Enable the ROSA service in the AWS Console.
Install and configure the AWS CLI.
Specify the correct
aws_secret_access_key in the
.aws/credentials file. See AWS Configuration basics in the AWS documentation.
Set a default AWS region.
You can use the environment variable to set the default AWS region.
The ROSA service evaluates regions in the following priority order:
The region specified when running a
rosa command with the
The region set in the
AWS_DEFAULT_REGION environment variable. See Environment variables to configure the AWS CLI in the AWS documentation.
The default region set in your AWS configuration file. See Quick configuration with aws configure in the AWS documentation.
Optional: Configure your AWS CLI settings and credentials by using an AWS named profile.
rosa evaluates AWS named profiles in the following priority order:
The profile specified when running a
rosa command with the
The profile set in the
AWS_PROFILE environment variable. See Named profiles in the AWS documentation.
Verify the AWS CLI is installed and configured correctly by running the following command to query the AWS API:
$ aws sts get-caller-identity
rosa, the Red Hat OpenShift Service on AWS command-line interface (CLI) version 1.0.8 or greater.
Download the latest release of the
rosa CLI for your operating system.
Optional: Rename the file you downloaded to
rosa and make the file executable. This documentation uses
rosa to refer to the executable file.
$ chmod +x rosa
rosa to your path.
$ mv rosa /usr/local/bin/rosa
Enter the following command to verify your installation:
Command line tool for ROSA. Usage: rosa [command] Available Commands: completion Generates bash completion scripts create Create a resource from stdin delete Delete a specific resource describe Show details of a specific resource edit Edit a specific resource help Help about any command init Applies templates to support Managed OpenShift on AWS clusters list List all resources of a specific type login Log in to your Red Hat account logout Log out logs Show logs of a specific resource verify Verify resources are configured correctly for cluster install version Prints the version of the tool Flags: --debug Enable debug mode. -h, --help help for rosa -v, --v Level log level for V logs Use "rosa [command] --help" for more information about a command.
Optional: You can run the
rosa completion command to generate a bash completion file.
$ rosa completion > /etc/bash_completion.d/rosa
Add this file to the correct location for your operating system. For example, on a Linux machine, run the following command to enable
rosa bash completion:
$ source /etc/bash_completion.d/rosa
Download and install the OpenShift cloud credential operator tool.
These steps require Go version 1.15 or greater installed on your machine. See Go Downloads for more information.
$ git clone https://github.com/openshift/cloud-credential-operator.git $ cd cloud-credential-operator/cmd/ccoctl $ go build . $ mv ccoctl /usr/local/bin/ccoctl
Log in to your Red Hat account with the
Enter the following command.
$ rosa login
<my_offline_access_token> with your token.
To login to your Red Hat account, get an offline access token at https://cloud.redhat.com/openshift/token/rosa ? Copy the token and paste it here: <my-offline-access-token>
I: Logged in as '<rh-rosa-user>' on 'https://api.openshift.com'
Verify that your AWS account has the necessary quota to deploy an Red Hat OpenShift Service on AWS cluster.
$ rosa verify quota [--region=<region>]
I: Validating AWS quota... I: AWS quota ok
Sometimes your AWS quota varies by region. If you receive any errors, try a different region.
If you need to increase your quota, go to your AWS console, and request a quota increase for the service that failed.
After both the permissions and quota checks pass, proceed to the next step.
Prepare your AWS account for cluster deployment:
Run the following command to verify your Red Hat and AWS credentials are setup correctly. Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with OCM for now (OCM stands for OpenShift Cluster Manager).
$ rosa whoami
AWS Account ID: 000000000000 AWS Default Region: us-east-1 AWS ARN: arn:aws:iam::000000000000:user/hello OCM API: https://api.openshift.com OCM Account ID: 1DzGIdIhqEWyt8UUXQhSoWaaaaa OCM Account Name: Your Name OCM Account Username: firstname.lastname@example.org OCM Account Email: email@example.com OCM Organization ID: 1HopHfA2hcmhup5gCr2uH5aaaaa OCM Organization Name: Red Hat OCM Organization External ID: 0000000
Install the OpenShift CLI (
oc), version 4.7.9 or greater, from the ROSA (
Enter this command to download the latest version of the
$ rosa download openshift-client
After downloading the
oc CLI, unzip it and add it to your path.
Enter this command to verify that the
oc CLI is installed correctly:
$ rosa verify openshift-client
Optional: If you use a permissions boundary policy, gather the permissions boundary policy Amazon resource name (ARN) from your AWS account.
Set the permissions boundary ARN as an environment variable:
$ export permissions_boundary_arn=<ARN from AWS account>
You can bring your own virtual private cloud (VPC) or let the installer create a VPC for you.
Optional: If you are using your own Virtual Private Cloud (VPC) Gather subnet IDs for the VPC you will be installing into, and export them into a comma-separated list.
$ export subnet_ids=<subnet-0abcdefg,subnet-000111222333>
Set the rest of the static environment variables.
$ export version=<4.7.11_or_greater> \ name=<cluster name> \ aws_account_id=<AWS Account ID> \ region=<region> \ AWS_PAGER="" # for v2 of the aws cli, unless you want commands to show you the output in `less` by default
After completing these steps, you are ready to set up IAM and OIDC access-based roles.