Getting started with Red Hat OpenShift Service on AWS (ROSA)

Learn how to get started on Red Hat® OpenShift® Service on AWS, including how to use AWS Security Token Service (STS) to deploy a cluster.

Granting admin rights to users in ROSA

5 mins

Cluster-admin rights are not automatically granted to users that you add to the cluster. If there are users that you want to grant this level of privilege to, you will need to manually add cluster-admin rights to each user.

What will you learn?

  • How to grant cluster admin rights to other users

What do you need before starting?

Grant cluster-admin rights

Let's start by granting cluster-admin rights to ourselves, using the GitHub username we created for the cluster in the Set up an IdP resource. There are two ways to do this: from the Red Hat® OpenShift® on AWS command line interface (CLI), or from the OpenShift Cluster Manager (OCM) web user interface (UI).

  1. Via rosa CLI
    1. Assuming you are the user who created the cluster, you can grant cluster-admin to a user (or our GitHub user) by running:

      rosa grant user cluster-admin --user <idp_user_name> --cluster=<cluster-name>

    2. Verify that we were added as a cluster-admin by running:

      rosa list users --cluster=<cluster-name>

      You should see your GitHub user ID listed.

        $ rosa list users --cluster=my-rosa-cluster
        ID           GROUPS
        rosa-user    cluster-admin

    3. Log out and log back in to the cluster to see a new perspective with the “Administrator Panel”. (You might need to try an Incognito/Private window.)
      Screenshot of the OpenShift Cluster Manager user interface with a red outline around the Administrator menu in the left sidebar
    4. You can also test this by running the following command. Only a cluster-admin user can run this without errors:

      oc get all -n openshift-apiserver

  2. Via OCM UI
    1. Log into OCM from https://console.redhat.com/openshift
    2. Select your cluster.
    3. Click on the “Access Control” tab.
    4. Towards the bottom, in the “Cluster Administrative Users” section, click on “Add User.”
      Screenshot of the Cluster Administrative Users section in the OpenShift Cluster Manager user interface with a red outline around the “Add user” button
    5. On the pop-up screen, enter the person's user ID (in our example, the GitHub ID).
    6. Select whether you want to grant them cluster-admin or dedicated-admin.
      Screenshot of the form fields for adding a cluster user on OpenShift Cluster Manager with red outlines around the “cluster-admins” Group option and the “Add user” button

Granting dedicated-admin

ROSA has the option to set a “dedicated-admin” role, which creates an admin user that can complete most administrative tasks but is slightly limited to prevent anything damaging. It is best practice to use dedicated-admin when elevated privileges are needed. You can read more about it here.

  1. Enter the following command to promote your user to a dedicated-admin:

    rosa grant user dedicated-admin --user <idp_user_name> --cluster=<cluster-name>

  2. Enter the following command to verify that your user now has dedicated-admin access:

    oc get groups dedicated-admins

  3. You can also grant dedicated-admin rights via the OCM UI as described in the cluster-admin section, but just select the “dedicated-admins” radio button instead.
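
The following is an added example, not part of the original tutorial: a shell function that checks the output of `rosa list users` against a list of approved cluster-admins, so that grants which should have been dedicated-admin stand out. The function names, the allowlist file (one user ID per line) and the sample output are assumptions constructed for illustration; the `cluster-admins` spelling is accepted as an assumed variant of the group name shown above.

```shell
#!/bin/sh
# Added example: flag cluster-admin grants that are not on an approved list.
# Function names, allowlist format (one user ID per line) and sample data
# are assumptions made for this illustration.

# Usage: rosa list users --cluster=<cluster-name> | audit_cluster_admins approved.txt
# Prints each unapproved cluster-admin; exit status 1 if any were found.
# A missing allowlist approves nobody, so the check fails closed.
audit_cluster_admins() (
  awk -v allow="$1" '
    BEGIN {
      while ((getline line < allow) > 0) {
        sub(/[ \t\r]+$/, "", line)
        if (line != "") approved[line] = 1
      }
    }
    NR == 1 && $1 == "ID" { next }   # header row
    NF < 2 { next }                  # blank or malformed rows
    $2 ~ /(^|,)cluster-admins?(,|$)/ && !($1 in approved) { print $1; bad = 1 }
    END { exit bad + 0 }
  '
)

# Constructed sample in the two-column format shown above (not real data).
sample_users() {
  cat <<'EOF'
ID           GROUPS
rosa-user    cluster-admin
ci-bot       cluster-admins
ops-alice    dedicated-admins
EOF
}

# Demo: only rosa-user is approved, so ci-bot is reported.
demo() (
  allow=$(mktemp)
  printf 'rosa-user\n' > "$allow"
  sample_users | audit_cluster_admins "$allow" && rc=0 || rc=$?
  rm -f "$allow"
  exit "$rc"
)
```

Run on a schedule, the non-zero exit status can fail a pipeline or raise an alert whenever a cluster-admin grant appears that nobody approved.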

You are now ready to access your cluster.

This learning path is for operations teams or system administrators
