Cloud Experts Documentation

Creating a ROSA cluster in AWS GovCloud

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

This guide outlines the procedure for creating a ROSA cluster in AWS GovCloud. There are some key differences between the ROSA offerings in AWS GovCloud and AWS Commercial. They are outlined in detail in the AWS documentation, but a few GovCloud requirements are worth highlighting:

  • Only ROSA Classic is supported (not Hosted Control Plane)
  • STS mode is required
  • PrivateLink is required
  • FIPS mode is required


Create VPC and Subnets

In this guide, we’ll use Terraform to create a VPC to house our cluster, and we’ll opt for a Single-AZ configuration for simplicity. We’ll also create an EC2 jumphost to aid in accessing our cluster once it comes up. Before running it, make sure your AWS CLI is authenticated to an AWS GovCloud region (us-gov-west-1 or us-gov-east-1).

Clone the Terraform git repository and cd into it:

git clone
cd rosa-govcloud-quickstart

Create an SSH key pair to use for a jumphost:

ssh-keygen -f jumphost-key -q -N ""

Initialize and apply the resources with Terraform:

terraform init
terraform apply

Terraform will output a pre-wired command to create your ROSA cluster. We’re not ready to run it just yet, but it should look something like this:

rosa create cluster --cluster-name rosa-gc-demo --mode auto --sts \
  --machine-cidr --service-cidr \
  --pod-cidr --host-prefix 23 --yes \
  --private-link --subnet-ids subnet-03b5943cfb7921b85
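The requirements listed at the top of this guide (STS, PrivateLink, FIPS, ROSA Classic only) are easy to lose when the pre-wired command is edited by hand. The following POSIX shell script is an added example, not part of the original guide or of the rosa-govcloud-quickstart repository: it checks that the active AWS region is a GovCloud region and that a `rosa create cluster` command line carries the required flags and none of the unsupported ones. It treats each requirement as an explicit flag (`--sts`, `--private-link`, `--fips`, and the absence of `--hosted-cp`); the sample command above does not include `--fips`, so this check would report it, and you should relax that line if your CLI version enables FIPS automatically in GovCloud. The sample command lines in the script are constructed for illustration, and the subnet id is a placeholder.

```shell
#!/bin/sh
# Added example (not from the original guide): pre-flight checks for the
# GovCloud constraints. Only string and local-config checks are performed;
# nothing is sent to AWS or ROSA.

# Return 0 when the given region name is an AWS GovCloud region.
is_govcloud_region() {
  case "$1" in
    us-gov-west-1|us-gov-east-1) return 0 ;;
    *) return 1 ;;
  esac
}

# has_flag CMDLINE FLAG: return 0 when FLAG appears as a whole word in CMDLINE.
has_flag() {
  case " $1 " in
    *" $2 "*) return 0 ;;
    *) return 1 ;;
  esac
}

# check_rosa_create_cmd CMDLINE: return 0 when every GovCloud-required flag is
# present and no unsupported flag is. On failure, print the problems found
# (space separated) and return 1. Backslash line continuations are tolerated.
check_rosa_create_cmd() {
  cmd=$(printf '%s' "$1" | tr '\\\n' '  ')
  problems=""
  has_flag "$cmd" --sts          || problems="$problems missing:--sts"
  has_flag "$cmd" --private-link || problems="$problems missing:--private-link"
  has_flag "$cmd" --fips         || problems="$problems missing:--fips"
  # Hosted Control Plane is not offered in GovCloud; --hosted-cp is the rosa
  # CLI flag that selects it, so its presence is a hard failure.
  has_flag "$cmd" --hosted-cp    && problems="$problems unsupported:--hosted-cp"
  if [ -n "$problems" ]; then
    echo "$problems"
    return 1
  fi
  return 0
}

# Usage: ./preflight.sh check 'rosa create cluster ...'
# Reads the region from AWS_REGION or the AWS CLI profile, then validates the
# command line passed as the second argument.
if [ "${1:-}" = "check" ]; then
  region="${AWS_REGION:-$(aws configure get region 2>/dev/null)}"
  if is_govcloud_region "$region"; then
    echo "region ok: $region"
  else
    echo "region '$region' is not an AWS GovCloud region" >&2
    exit 1
  fi
  if check_rosa_create_cmd "$2"; then
    echo "command ok"
  else
    exit 1
  fi
fi
```

Run it before the real `rosa create cluster` step, passing the exact command line that `terraform output next_steps` printed, so the string that gets checked is the string that gets executed.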

Login to the FedRAMP Hybrid Cloud Console

ROSA GovCloud is a FedRAMP High service, so we cannot use the standard OpenShift Cluster Manager, since it does not reside within the FedRAMP boundary. Instead, we’ll use the FedRAMP Hybrid Cloud Console hosted at https://console.openshiftusgov.com, which requires a separate account from your usual Red Hat login. If you already have an account, log in to the console and proceed with the guide. If you don’t, either contact your organization’s administrator to ask for an invite, or create a new account using the sign-up form.

Deploy ROSA

Authenticate your ROSA CLI using the login command provided by the FedRAMP Hybrid Cloud Console. Then create your cluster using the pre-wired command that Terraform printed in the previous step. If you lost it, you can output it again by running:

terraform output next_steps

Test Connectivity

Set an environment variable for the cluster name you chose, e.g.:

export ROSA_CLUSTER_NAME=rosa-gc-demo

Create a ROSA admin user and make note of the generated credentials:

rosa create admin -c $ROSA_CLUSTER_NAME

Then create a VPN tunnel to the jumphost that Terraform created earlier, using the pre-wired sshuttle command. It should look something like this:

sshuttle --ssh-cmd 'ssh -i jumphost-key' --dns -NHr ec2-user@

You should now be able to log in to the cluster’s web console in your browser, using the credentials of the admin user you created and the URL returned by:

rosa describe cluster -c $ROSA_CLUSTER_NAME -o json | jq -r .console.url

Cleanup

Delete the ROSA cluster and destroy the Terraform assets:

rosa delete cluster -c $ROSA_CLUSTER_NAME
terraform destroy

© 2023 Red Hat, Inc.