Cloud Experts Documentation

Deploying ROSA in STS mode

This content is authored by Red Hat experts, but has not yet been tested on every supported configuration.

Tip: The official documentation for installing a ROSA cluster in STS mode can be found here.

Quick Introduction by Ryan Niksch (AWS) and Shaozen Ding (Red Hat) on YouTube

STS allows us to deploy ROSA without needing a ROSA admin account. Instead, it uses roles and policies with Amazon STS (Security Token Service) to gain access to the AWS resources needed to install and operate the cluster.

This is a summary of the official docs that can be used as a line-by-line install guide and later used as a basis for automation in your favorite automation tool.


If this is your first time deploying ROSA, you need to do some preparation as described here.

Once you have completed those steps, you can continue below.

Deploy ROSA cluster

  1. Set some environment variables

    export ROSA_CLUSTER_NAME=mycluster
    export AWS_ACCOUNT_ID=`aws sts get-caller-identity \
      --query Account --output text`
    export REGION=us-east-2
    export AWS_PAGER=""
  2. Make sure your ROSA CLI version is correct (v1.2.25 or higher)

    rosa version
  3. Run the ROSA CLI to create your cluster

    Note: there are many configurable installation options that you can view using rosa create cluster -h. The following will create a cluster with all of the default options.

    rosa create cluster --sts --cluster-name ${ROSA_CLUSTER_NAME} \
      --region ${REGION} --mode auto --yes
  4. Watch the install logs

    rosa logs install -c $ROSA_CLUSTER_NAME --watch --tail 10
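
When this procedure is turned into automation, step 2 becomes a gate rather than a visual check. The following is an added example, not part of the original guide or the ROSA project: it compares the version printed by `rosa version` against the v1.2.25 minimum stated above. The function names are hypothetical, and it assumes the CLI prints its version as a dotted triple somewhere in its output.

```shell
#!/bin/sh
# Added example: pre-flight gate for step 2 of the install procedure.
# The minimum version comes from the guide; function names are hypothetical.
MIN_ROSA_VERSION="1.2.25"

# Pull the first x.y.z token out of the raw `rosa version` output.
# Assumption: the version appears as a dotted triple in that output.
extract_version() {
  printf '%s\n' "$1" | grep -Eo '[0-9]+\.[0-9]+\.[0-9]+' | head -n 1
}

# Exit status 0 when version $1 >= version $2, comparing each field as a number
# (a plain string comparison would rank 1.2.9 above 1.2.25).
# The body runs in a subshell so the IFS and globbing changes do not leak.
version_ge() (
  IFS=.; set -f
  set -- $1 $2
  [ "$#" -eq 6 ] || exit 2
  if [ "$1" -gt "$4" ]; then exit 0; elif [ "$1" -lt "$4" ]; then exit 1; fi
  if [ "$2" -gt "$5" ]; then exit 0; elif [ "$2" -lt "$5" ]; then exit 1; fi
  [ "$3" -ge "$6" ]
)

# Gate for automation: $1 is the raw output of `rosa version`.
# Returns 0 if new enough, 1 if too old, 2 if no version could be parsed.
rosa_version_ok() {
  found=$(extract_version "$1")
  if [ -z "$found" ]; then
    echo "could not parse a version from the rosa output" >&2
    return 2
  fi
  if version_ge "$found" "$MIN_ROSA_VERSION"; then
    echo "ROSA CLI $found satisfies minimum $MIN_ROSA_VERSION"
    return 0
  fi
  echo "ROSA CLI $found is older than $MIN_ROSA_VERSION; upgrade before creating the cluster" >&2
  return 1
}

# Only runs the gate when the rosa binary is actually installed.
if command -v rosa >/dev/null 2>&1; then
  rosa_version_ok "$(rosa version 2>&1)" || exit 1
fi
```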

Validate the cluster

Once the cluster has finished installing, we can validate that we can access it.

  1. Create an Admin user

    rosa create admin -c $ROSA_CLUSTER_NAME
  2. Wait a few moments and run the oc login command it provides. If it fails, or if you get a warning about TLS certificates, wait a few minutes and try again.

  3. Run oc whoami --show-console, browse to the provided URL and log in using the credentials provided above.


Cleanup

  1. Delete the ROSA cluster

    rosa delete cluster -c $ROSA_CLUSTER_NAME
  2. Clean up the STS roles

    Once the cluster has been deleted we can delete the STS roles.

    Tip: You can get the correct commands with the ID filled in from the output of the previous step.

    rosa delete operator-roles -c <id> --yes --mode auto
    rosa delete oidc-provider -c <id> --yes --mode auto

© 2023 Red Hat, Inc.