Use the Red Hat OpenShift Service on AWS CLI (rosa) with the default options to quickly create an OpenShift cluster that uses the AWS Security Token Service (STS).

Creating a ROSA cluster with STS using the default options

Through the Red Hat OpenShift Service on AWS CLI (rosa), you can quickly create an OpenShift cluster that uses the AWS Security Token Service (STS).

Additionally, you can use auto mode to create the required AWS Identity and Access Management (IAM) resources immediately, using the credentials of the current AWS account. The following procedure uses auto mode to create the account-wide IAM roles and policies, including the Operator policies, as well as the OpenID Connect (OIDC) identity provider that the cluster Operators authenticate against.

Only public and AWS PrivateLink clusters are supported with STS. Regular private clusters (non-PrivateLink) are not available for use with STS.

AWS Shared VPCs are not currently supported for ROSA installations.

Prerequisites

  • You have completed the AWS prerequisites for ROSA with STS.

  • You have available AWS service quotas.

  • You have enabled the ROSA service in the AWS Console.

  • You have installed and configured the latest AWS, ROSA, and oc CLIs on your installation host.

Procedure

  1. Create the required account-wide roles and policies, including the Operator policies:

    $ rosa create account-roles --mode auto

    You can optionally specify an OpenShift minor release, for example 4.8, by using the --version option. The latest stable version is assumed if the option is not included. The account-wide roles and policies are specific to an OpenShift minor release version and are backward compatible.

    When using auto mode, you can optionally specify the -y argument to bypass the interactive prompts and automatically confirm operations.

  2. Create a cluster with STS using the defaults. When you use the defaults, the latest stable OpenShift version is installed:

    $ rosa create cluster --cluster-name <cluster_name> --sts (1)
    1 Replace <cluster_name> with the name of your cluster.

    The cluster stays in the waiting state until you complete the following steps, which create the cluster-specific Operator IAM roles and the OpenID Connect (OIDC) provider that the cluster needs before it can move to ready.

  3. Create the cluster-specific Operator IAM roles:

    $ rosa create operator-roles --mode auto --cluster <cluster_name|cluster_id>

  4. Create the OIDC provider that the cluster Operators use to authenticate:

    $ rosa create oidc-provider --mode auto --cluster <cluster_name|cluster_id>

  5. Check the status of your cluster:

    $ rosa describe cluster --cluster <cluster_name|cluster_id>

    The following State field changes are listed in the output as the cluster installation progresses:

    • waiting (Waiting for OIDC configuration)

    • pending (Preparing account)

    • installing (DNS setup in progress)

    • installing

    • ready

      If installation fails or the State field does not change to ready after about 40 minutes, check the installation troubleshooting documentation for more details.

  6. Track the progress of the cluster creation by watching the OpenShift installer logs:

    $ rosa logs install --cluster <cluster_name|cluster_id> --watch (1)
    1 Specify the --watch flag to watch for new log messages as the installation progresses. This argument is optional.
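The six steps above as one non-interactive script, followed by the check a practitioner wants after an STS install: that each Operator role can be assumed only by this cluster's OIDC provider through sts:AssumeRoleWithWebIdentity, pinned to a single Kubernetes service account, with no direct IAM principal and no wildcard. This is an added example, not code from the ROSA documentation or the rosa project. It assumes the rosa, aws and jq CLIs are installed and configured, that the Operator role names start with the cluster name (the default prefix rosa uses), that `rosa describe cluster -o json` exposes the OIDC endpoint at `.aws.sts.oidc_endpoint_url`, and that the sample trust policy embedded for the offline self-check, with placeholder account and provider IDs, matches the shape rosa creates.

```shell
#!/usr/bin/env bash
# Added example, not from the ROSA documentation or the rosa project.
# Runs the six-step procedure non-interactively, then checks that every
# Operator role trusts only the cluster's OIDC provider via
# sts:AssumeRoleWithWebIdentity, pinned to one Kubernetes service account.
# Assumed: rosa, aws and jq are configured; Operator role names start with
# the cluster name; cluster JSON exposes .aws.sts.oidc_endpoint_url.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-sts-cluster}"   # assumed name; override via env

# Map the State line of `rosa describe cluster` output to an exit code:
# 0 = ready, 1 = still progressing (waiting/pending/installing), 2 = anything else.
cluster_state_code() {
  state="$(printf '%s\n' "$1" | awk '/^State:/ {print $2; exit}')"
  case "$state" in
    ready)                      return 0 ;;
    waiting|pending|installing) return 1 ;;
    *)                          return 2 ;;
  esac
}

# String-match sanity check (not a full policy parser) of a trust policy document
# as returned by `aws iam get-role --query Role.AssumeRolePolicyDocument`. Passes
# only if the federated principal is the given OIDC provider ARN, the sole action
# is sts:AssumeRoleWithWebIdentity, a ":sub" condition names a service account,
# and there is no IAM or service principal and no wildcard anywhere.
trust_policy_ok() {
  compact="$(printf '%s' "$1" | tr -d ' \n\t\r')"
  printf '%s' "$compact" | grep -qF "\"Federated\":\"$2\"" || return 1
  printf '%s' "$compact" | grep -qE \
    '"Action":("sts:AssumeRoleWithWebIdentity"|\["sts:AssumeRoleWithWebIdentity"])[,}]' || return 1
  printf '%s' "$compact" | grep -qE ':sub":\[?"system:serviceaccount:' || return 1
  printf '%s' "$compact" | grep -qE '"(AWS|Service)":' && return 1
  printf '%s' "$compact" | grep -qF '*' && return 1
  return 0
}

# Steps 1 to 4 in auto mode; -y skips the interactive confirmations.
create_sts_cluster() {
  rosa create account-roles --mode auto -y
  rosa create cluster --cluster-name "$CLUSTER_NAME" --sts -y
  rosa create operator-roles --mode auto --cluster "$CLUSTER_NAME" -y
  rosa create oidc-provider --mode auto --cluster "$CLUSTER_NAME" -y
}

# Step 5: poll every 30 s and give up after the roughly 40 minutes the docs mention.
wait_until_ready() {
  n=0
  while [ "$n" -lt 80 ]; do
    rc=0
    cluster_state_code "$(rosa describe cluster --cluster "$CLUSTER_NAME")" || rc=$?
    case "$rc" in
      0) return 0 ;;
      1) sleep 30; n=$((n + 1)) ;;
      *) echo "cluster $CLUSTER_NAME is in an unexpected state" >&2; return 1 ;;
    esac
  done
  echo "cluster $CLUSTER_NAME not ready after 40 minutes; see the troubleshooting docs" >&2
  return 1
}

# Post-install check: every Operator role must trust only this cluster's OIDC provider.
audit_operator_roles() {
  account_id="$(aws sts get-caller-identity --query Account --output text)"
  oidc_url="$(rosa describe cluster --cluster "$CLUSTER_NAME" -o json | jq -r '.aws.sts.oidc_endpoint_url')"
  provider_arn="arn:aws:iam::${account_id}:oidc-provider/${oidc_url#https://}"
  failed=0
  for role in $(aws iam list-roles \
      --query "Roles[?starts_with(RoleName, '${CLUSTER_NAME}-')].RoleName" --output text); do
    doc="$(aws iam get-role --role-name "$role" --query Role.AssumeRolePolicyDocument --output json)"
    if trust_policy_ok "$doc" "$provider_arn"; then echo "ok    $role"; else echo "FAIL  $role" >&2; failed=1; fi
  done
  return "$failed"
}

# Constructed sample in the shape rosa gives an Operator role trust policy;
# account ID and provider ID are placeholders. Used for the offline self-check.
SAMPLE_PROVIDER_ARN='arn:aws:iam::123456789012:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1abc2def'
SAMPLE_TRUST_POLICY='{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::123456789012:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/1abc2def"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
      "rh-oidc.s3.us-east-1.amazonaws.com/1abc2def:sub":
        "system:serviceaccount:openshift-image-registry:cluster-image-registry-operator"}}
  }]
}'

# Set ROSA_RUN=1 to run the real procedure; otherwise only the offline self-check runs.
if [ "${ROSA_RUN:-0}" = "1" ]; then
  create_sts_cluster && wait_until_ready && audit_operator_roles
else
  trust_policy_ok "$SAMPLE_TRUST_POLICY" "$SAMPLE_PROVIDER_ARN" && echo "self-check: sample trust policy ok"
fi
```

Without ROSA_RUN=1 the script touches no AWS resources and only exercises the two checks against the constructed sample. The trust-policy check is deliberately strict: an Operator role that also lists an `AWS` principal, accepts any action besides AssumeRoleWithWebIdentity, or carries a `*` in its `:sub` condition would let something other than the intended in-cluster service account obtain the role's credentials, which defeats the point of using STS instead of long-lived IAM user keys.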

Additional resources