Cloud Experts Documentation

Accessing the ROSA HCP API Server from a Different AWS Account

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

Introduction

You can create a ROSA HCP cluster in one AWS account and configure it to allow access from a different AWS account using the oc command. This guide walks you through the actual AWS setup.

Note: AWS environments vary, so consider this one possible setup.

Prerequisites

A ROSA HCP cluster has already been deployed in AWS Account-A, and the following AWS resources are available. ROSA HCP 4.19.0 was used for this guide.

Setup on AWS Account‑B

This section covers the steps in AWS Account-B.

Prepare necessary tools on Bastion-B

  1. On the EC2 bastion instance (bastion-B), install the required tools.

  2. Verify the installation.

    (Note: cluster connection is not yet possible.)

  3. Create an IAM Policy

    Create a policy file in JSON (vpce-policy.json).

  4. Create an IAM Policy from the JSON file.

Create an IAM Role

  1. Get your current IAM user ARN.

  2. Create a trust relationship file (trust-policy.json).

  3. Create an IAM Role.

  4. Attach the IAM Policy to the IAM Role.

Configure AWS CLI to Assume the IAM Role

  1. Add a new profile in ~/.aws/config to assume the IAM Role created in the previous step.

Setup on AWS Account‑A

Switch to AWS Account-A, where the ROSA cluster resides.

Register the IAM Role with ROSA

  1. Run the following on Bastion-A (or any rosa-enabled host) to set some environment variables.

  2. Get the VPC Endpoint Service Name for the ROSA hosted control plane.

    (Note: The service name looks like com.amazonaws.vpce.<Your AWS region>.vpce-svc-....)

  3. Fetch the API URL for the ROSA cluster.

    Expect something like: https://api.rosahcp.<id>.openshiftapps.com:443

Back to AWS Account‑B

Continue in Account-B.

Create a VPC Endpoint

  1. Set some environment variables.

  2. Make sure the variables are set.

  3. Create a security group for the VPC Endpoint.

  4. Allow inbound traffic from the subnet.

    (Note: You can customize the rule depending on your needs. This is just an example.)

  5. Create an interface endpoint, using the myprofile role.

    (Note: Run the command with --profile myprofile to assume the IAM Role you created in the previous step.)

    If there are no errors, the VPC endpoint will be created. The request to connect to the hosted control plane VPC endpoint service is accepted automatically if the IAM role is configured correctly.

Create a Private DNS Zone in Route 53

  1. Fetch the VPC endpoint DNS name.

  2. Extract the domain from the API URL.

  3. Set the AWS region of AWS Account-B.

  4. Make sure the variables are set before proceeding.

  5. Create a Route 53 private hosted zone.

  6. Create DNS records.

    The DNS records for api.<DOMAIN> and oauth.<DOMAIN> resolve to the VPC endpoint, so the traffic is routed privately to the hosted control plane managed by Red Hat SRE.
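As an added example (not code from the original guide), the shell functions below derive the private zone domain from the ROSA API URL, create the private hosted zone, and publish the api.<DOMAIN> and oauth.<DOMAIN> records that point at the VPC endpoint. The CNAME record type, the TTL and the sample hostnames in the comments are assumptions; only the aws calls touch your account.

```shell
#!/usr/bin/env bash
# Added example (not from the original guide): derive the private zone domain
# from the ROSA API URL and publish api./oauth. records for the VPC endpoint.
# Assumptions: CNAME records, TTL 300, and the sample hostnames in the comments.
set -eu

# https://api.rosahcp.abcd.openshiftapps.com:443 -> rosahcp.abcd.openshiftapps.com
extract_domain() {
  local url="$1" host
  host="${url#*://}"      # drop the scheme
  host="${host%%/*}"      # drop any path
  host="${host%%:*}"      # drop the :443 port
  printf '%s\n' "${host#api.}"
}

# DNS name of the interface endpoint created in Account-B.
fetch_vpce_dns() {
  aws ec2 describe-vpc-endpoints --vpc-endpoint-ids "$1" \
    --query 'VpcEndpoints[0].DnsEntries[0].DnsName' --output text
}

# Private hosted zone for DOMAIN, associated with the Account-B VPC only.
create_private_zone() {
  local domain="$1" region="$2" vpc_id="$3"
  aws route53 create-hosted-zone --name "$domain" \
    --vpc "VPCRegion=${region},VPCId=${vpc_id}" \
    --caller-reference "rosa-hcp-$(date +%s)" \
    --query 'HostedZone.Id' --output text
}

# Change batch: both names resolve to the endpoint, so API and OAuth traffic
# never leaves the private network path.
build_change_batch() {
  local domain="$1" vpce_dns="$2" ttl="${3:-300}"
  cat <<EOF
{"Comment":"ROSA HCP API via VPC endpoint","Changes":[
 {"Action":"UPSERT","ResourceRecordSet":{"Name":"api.${domain}","Type":"CNAME","TTL":${ttl},"ResourceRecords":[{"Value":"${vpce_dns}"}]}},
 {"Action":"UPSERT","ResourceRecordSet":{"Name":"oauth.${domain}","Type":"CNAME","TTL":${ttl},"ResourceRecords":[{"Value":"${vpce_dns}"}]}}
]}
EOF
}

apply_records() {
  local zone_id="$1" domain="$2" vpce_dns="$3"
  aws route53 change-resource-record-sets --hosted-zone-id "$zone_id" \
    --change-batch "$(build_change_batch "$domain" "$vpce_dns")"
}
```

Typical use: DOMAIN=$(extract_domain "$API_URL"); ZONE=$(create_private_zone "$DOMAIN" "$REGION" "$VPC_ID"); apply_records "$ZONE" "$DOMAIN" "$(fetch_vpce_dns "$VPCE_ID")".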

Verify Connection

  1. Test access from bastion-B to the hosted control plane.
