Cloud Experts Documentation

Red Hat OpenShift Service on AWS (ROSA) Quickstart

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration. This guide has been validated on OpenShift 4.20. Operator CRD names, API versions, and console paths may differ on other versions.

Follow this guide to quickly create a Red Hat OpenShift Service on AWS (ROSA) cluster using the ROSA command-line interface (CLI), grant user access, deploy your first application, and learn how to revoke user access and delete your cluster.

Prerequisites

  • A Red Hat account.
  • An AWS account.
  • Install the latest AWS CLI and log in to your AWS account.
  • Install the latest ROSA CLI.
  • You must have the required service quotas set for Amazon EC2, Amazon VPC, Amazon EBS, and Elastic Load Balancing.

Refer to the prerequisite checklist for deploying for more information on permissions and quota requirements.

Enable the ROSA Service

To create a ROSA cluster, you must enable the ROSA service in the AWS ROSA console. The AWS ROSA console verifies if your AWS account has the necessary AWS Marketplace permissions, service quotas, and the Elastic Load Balancing (ELB) service-linked role named AWSServiceRoleForElasticLoadBalancing. If any of these prerequisites are missing, the console provides guidance on how to configure your account to meet them.

  1. Navigate to the AWS Management Console’s ROSA landing page.
  2. Select Get started.
  3. On the “Verify ROSA prerequisites” page, select I agree to share my contact information with Red Hat.
  4. Select Enable ROSA.

CLI Validation

  1. Verify that the AWS CLI is successfully authenticated to your account:

    Example output:

  2. Log in to the ROSA CLI with your Red Hat account:

    This command opens a new browser window to authenticate with the OpenShift Cluster Manager. Once your login is successful, you will receive a success message in your web browser and a confirmation in your terminal.

    Example terminal output:

Create the required IAM roles and OpenID Connect configuration

Before creating a ROSA with Hosted Control Planes (HCP) cluster, you must create the necessary IAM roles, policies, and the OpenID Connect (OIDC) configuration. For more information about IAM roles and policies for ROSA with HCP, see the AWS managed policies for ROSA.

This procedure uses the auto mode of the ROSA CLI to automatically create the IAM roles and OIDC configuration necessary for cluster creation.

Create account IAM roles

ROSA utilizes account-wide IAM roles to establish a centralized, reusable set of permissions required for Red Hat Site Reliability Engineering (SRE) technical support, cluster installation, and control plane and compute functionality.

  1. Create the ROSA account roles:

    By default, account roles use the ManagedOpenShift prefix. If you prefer to change this, run the following command, replacing <account-roles-prefix> with your desired prefix:

        export ACCOUNT_ROLES_PREFIX=<account-roles-prefix>

Create the OIDC configuration

The AWS Security Token Service (STS) is an AWS service that grants temporary, limited-privilege credentials for accessing AWS resources. Unlike permanent IAM credentials that can last indefinitely, STS issues credentials that automatically expire after a set time, reducing the risk of unauthorized access. ROSA uses a Red Hat-managed OIDC configuration to establish a secure, identity-based trust relationship between your AWS account and the ROSA cluster.

  1. Create the OIDC configuration:

    By default, ROSA creates a Red Hat-managed OIDC provider for federation. If you prefer to use a customer-hosted OIDC provider, please see the Red Hat documentation.

Create operator roles

Operator roles are used to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud ingress controllers, and external access to a cluster.

When you create operator roles, AWS Managed Policies are automatically attached to them. ROSA always uses the latest version of these managed policies, meaning you do not need to manage or schedule upgrades for them.

  1. Create the operator roles:

    Replace <operator-roles-prefix> with your preferred prefix for the created AWS IAM roles.
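
The OIDC and operator-role sections above rest on one control: each operator role should be assumable only through the cluster's OIDC provider, and only by a named service account. The following is an added example, not part of the original guide or of Red Hat's tooling, that audits a role trust policy for that property. The sample policy, account ID, issuer host and service account name are constructed placeholders.

```python
import json

# Constructed sample in the standard IAM web-identity trust policy shape.
# Account ID, issuer host and service account are placeholders (assumptions).
ISSUER = "oidc.example.com/abc123"
SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{ISSUER}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:sub": ["system:serviceaccount:example-ns:example-operator"]}},
    }],
})


def as_list(value):
    """IAM accepts a scalar or a list in most fields; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def audit_trust_policy(policy_json, expected_issuer):
    """Return findings for one role's AssumeRolePolicyDocument (empty list = OK)."""
    findings = []
    statements = as_list(json.loads(policy_json).get("Statement"))
    for i, stmt in enumerate(statements):
        if stmt.get("Effect") != "Allow":
            continue
        actions = as_list(stmt.get("Action"))
        if actions != ["sts:AssumeRoleWithWebIdentity"]:
            findings.append(f"statement {i}: allows {actions}, not web identity only")
            continue
        principal = stmt.get("Principal")
        federated = as_list(principal.get("Federated")) if isinstance(principal, dict) else []
        suffix = f":oidc-provider/{expected_issuer}"
        if not federated or not all(p.endswith(suffix) for p in federated):
            findings.append(f"statement {i}: principal is not the expected OIDC provider")
        # Only exact matching counts: StringLike could admit a wildcard subject.
        exact = stmt.get("Condition", {}).get("StringEquals", {})
        if not as_list(exact.get(f"{expected_issuer}:sub")):
            findings.append(f"statement {i}: no exact-match 'sub' condition")
    return findings


if __name__ == "__main__":
    print(audit_trust_policy(SAMPLE_POLICY, ISSUER) or "trust policy OK")
```

To audit a real role, pass the JSON returned by `aws iam get-role --role-name <role-name> --query Role.AssumeRolePolicyDocument --output json` together with your cluster's OIDC issuer host and path.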

Create the AWS VPC network

This example uses the ROSA CLI to create a cluster network and associated resources. You may opt to create your VPC using your preferred method.

  1. Run the following ROSA CLI command, which deploys a ROSA-compliant VPC and subnets from a managed CloudFormation template, eliminating the need for manual resource configuration:

    Define --param AvailabilityZoneCount=3 for a multi-AZ deployment.
  2. When the command finishes, copy the public and private subnet IDs from the printed resource summary into a comma-separated variable:

Cluster Creation

  1. Create a ROSA cluster using the configuration provided above:

    Replace <cluster-name> with your preferred cluster name.
  2. Check the status of your cluster:

  3. Once the cluster is ready, retrieve the console URL:

  4. Use the console URL and the generated cluster-admin credentials to log into OpenShift via a web browser.

Delete the cluster

When you no longer need the environment, remove the cluster to stop incurring charges:
