How to create a cluster in Red Hat OpenShift Service on AWS with STS

Learn how to set up accounts and clusters with Red Hat® OpenShift® Service on AWS (ROSA) using AWS Security Token Service (STS) to help build container-based applications faster.

Please note, this is the deployment method that Red Hat recommends. For non-STS ROSA deployment, visit this page.

Creating a cluster using Red Hat OpenShift Service on AWS (ROSA) with STS

60 mins

In this section, you’ll use the Red Hat OpenShift Service on AWS CLI (rosa) with the default options to create an OpenShift cluster that uses the AWS Security Token Service (STS).

What will you learn?

  • Creating a cluster with STS using the default options
  • Creating a cluster with STS using customizations
     

What do you need before starting?

Create a cluster with STS using the default options

You can create an OpenShift cluster that uses the AWS Security Token Service (STS) through the Red Hat OpenShift Service on AWS CLI (rosa).

You can also let rosa create the required AWS Identity and Access Management (IAM) resources for you. In auto mode, rosa creates them directly in the current AWS account, using the credentials the aws CLI is configured with; in manual mode it prints the aws commands so that someone with IAM permissions can review and run them.

auto mode creates the account-wide IAM roles and policies (the installer, support, control plane and worker roles, plus the Operator policies) and, when you create the cluster, the cluster-specific Operator roles and the OpenID Connect (OIDC) identity provider that the cluster Operators authenticate with. With STS, the cluster obtains short-lived credentials by assuming these roles instead of holding long-lived IAM user keys.

  1. First, create the required account-wide roles and policies, including the Operator policies.
  2. Next, create the cluster with STS using the defaults. When you do not specify a version, the latest stable OpenShift version is installed.
  3. Check the status of your cluster.
    • Installation typically takes about 40 minutes; the cluster is usable once the State field changes to ready.
    • You can track the progress of the cluster creation by watching the OpenShift installer logs.
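The three steps above, carried out from the rosa CLI, as an added example that is not part of the Red Hat page. It assumes rosa login and the aws CLI have already been configured; the cluster name, the ROSA_RUN guard and the sample rosa describe cluster output in the State parser's test are assumptions made for illustration. The functions that call rosa run only when ROSA_RUN=1, so the State parser can be tried without AWS access.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): the default ROSA-with-STS flow.
# Assumptions: CLUSTER_NAME is a placeholder; `rosa login` and `aws configure`
# have already been done; nothing below talks to AWS unless ROSA_RUN=1.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-sts-cluster}"   # assumed cluster name

# Step 1: account-wide roles and policies (installer, support, control plane
# and worker roles, plus the Operator policies). auto mode creates them in the
# AWS account the aws CLI is currently configured for.
create_account_roles() {
    rosa create account-roles --mode auto --yes
}

# Step 2: the cluster itself. --sts makes the cluster obtain short-lived STS
# credentials by assuming the IAM roles above instead of using a long-lived
# IAM user. With no --version given, rosa installs the latest stable release.
create_default_cluster() {
    rosa create cluster --cluster-name "$CLUSTER_NAME" --sts --mode auto --yes
}

# Pull the State field out of `rosa describe cluster` output. Reads stdin so
# it works on the live command output or on a constructed sample. Only the
# first word is kept, because some states carry a parenthetical explanation.
cluster_state() {
    awk -F': *' '$1 == "State" { split($2, a, " "); print a[1]; exit }'
}

# Step 3: poll until the cluster is ready (installation normally takes about
# 40 minutes). rosa is run outside the pipeline so a CLI failure stops the
# script under set -e instead of being masked by awk's exit status.
wait_for_ready() {
    while :; do
        out=$(rosa describe cluster --cluster "$CLUSTER_NAME")
        state=$(printf '%s\n' "$out" | cluster_state)
        echo "$(date -u +%FT%TZ) $CLUSTER_NAME state=$state"
        case "$state" in
            ready) return 0 ;;
            error) return 1 ;;
        esac
        sleep 60
    done
}

# Alternative to polling: stream the OpenShift installer logs until done.
watch_install_logs() {
    rosa logs install --cluster "$CLUSTER_NAME" --watch
}

if [ "${ROSA_RUN:-0}" = "1" ]; then
    create_account_roles
    create_default_cluster
    wait_for_ready
fi
```

Set ROSA_RUN=1 to run the real procedure; replace wait_for_ready with watch_install_logs if you prefer to follow the installer output. The State parser deliberately takes only the first word of the field so that a value such as "installing (Cluster installation is in progress)" still matches the case arms.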

Create a cluster with STS using customizations

You can also customize your installation when using AWS STS to create a cluster. 

When you run rosa create cluster --interactive, rosa prompts you for each option so that you can customize the deployment.

There are two rosa CLI modes for creating the IAM resources of an STS cluster: manual mode prints the aws commands for you to review and run, and auto mode runs them for you with the current AWS credentials.

Only public and AWS PrivateLink clusters are supported with STS. Regular private clusters (non-PrivateLink) are not available for use with STS.

  1. Create the required account-wide roles and policies, including the Operator policies. Use manual mode to review and run the aws commands yourself; otherwise, use auto mode.
  2. (Optional) If you are using your own AWS KMS key to encrypt the control plane data volumes and the persistent volumes (PVs) for your applications, add the ARN of the account-wide installer role as an allowed principal in your KMS key policy. Add it to the existing policy rather than replacing the policy; a key policy without its original statements can leave the key unmanageable.
  3. Create a cluster with STS using custom installation options.
  4. Create the cluster-specific Operator IAM roles. Use manual mode to review and run the aws commands yourself; otherwise, use auto mode.
  5. Create the OpenID Connect (OIDC) provider that the cluster Operators use to authenticate.
  6. Check the status of your cluster.
    • Installation typically takes about 40 minutes; the cluster is usable once the State field changes to ready.
    • You can track the progress of the cluster creation by watching the OpenShift installer logs.
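The customized flow above, as an added example that is not from the Red Hat page: manual mode for the IAM resources, a customer-managed KMS key and a PrivateLink cluster. The cluster name, role prefix, AWS account ID, key ARN and subnet ID are placeholders; the ManagedOpenShift role names are the rosa defaults. The KMS actions granted are an assumption: they are the set AWS documents for EBS encryption with a customer-managed key, not a list taken from this page, so check the ROSA documentation for the exact set it requires before relying on them. The rosa commands run only when ROSA_RUN=1; the ARN check and the policy generator can be exercised without AWS access.

```shell
#!/bin/sh
# Added example (not from the Red Hat page): customized ROSA-with-STS flow.
# Assumptions: all values below are placeholders; the KMS action list is the
# EBS-with-customer-managed-key set documented by AWS, not a Red Hat list.
set -eu

CLUSTER_NAME="${CLUSTER_NAME:-my-private-cluster}"
ROLE_PREFIX="${ROLE_PREFIX:-ManagedOpenShift}"          # rosa default prefix
AWS_ACCOUNT_ID="${AWS_ACCOUNT_ID:-123456789012}"        # placeholder
KMS_KEY_ARN="${KMS_KEY_ARN:-arn:aws:kms:us-east-1:123456789012:key/11111111-2222-3333-4444-555555555555}"
SUBNET_IDS="${SUBNET_IDS:-subnet-0123456789abcdef0}"    # placeholder
INSTALLER_ROLE_ARN="arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_PREFIX}-Installer-Role"

# Check an IAM role ARN before it goes into a key policy: a typo here yields
# a policy that silently grants nothing to the installer.
validate_role_arn() {
    printf '%s' "$1" | grep -Eq '^arn:aws:iam::[0-9]{12}:role/[A-Za-z0-9+=,.@_/-]+$'
}

# Step 2: statements to merge into the key policy. The principal is the
# installer role only (never the account root or "*"), and CreateGrant is
# limited to grants made on behalf of AWS services such as EBS.
kms_key_policy_statements() {
    role_arn="$1"
    validate_role_arn "$role_arn" || return 1
    cat <<EOF
[
  {
    "Sid": "AllowROSAInstallerRoleKeyUse",
    "Effect": "Allow",
    "Principal": { "AWS": "$role_arn" },
    "Action": [
      "kms:Encrypt",
      "kms:Decrypt",
      "kms:ReEncrypt*",
      "kms:GenerateDataKey*",
      "kms:DescribeKey"
    ],
    "Resource": "*"
  },
  {
    "Sid": "AllowROSAInstallerRoleGrantsForAWSServices",
    "Effect": "Allow",
    "Principal": { "AWS": "$role_arn" },
    "Action": "kms:CreateGrant",
    "Resource": "*",
    "Condition": { "Bool": { "kms:GrantIsForAWSResource": "true" } }
  }
]
EOF
}

# Step 1: manual mode prints the aws commands (role creation, policy
# attachment) instead of running them, for review by whoever holds IAM rights.
print_account_role_commands() {
    rosa create account-roles --mode manual --prefix "$ROLE_PREFIX"
}

# Step 3: PrivateLink cluster (the only private option supported with STS)
# in existing subnets, with volumes encrypted by the customer-managed key.
create_custom_cluster() {
    rosa create cluster --cluster-name "$CLUSTER_NAME" --sts --mode manual \
        --role-arn "$INSTALLER_ROLE_ARN" \
        --support-role-arn "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_PREFIX}-Support-Role" \
        --controlplane-iam-role "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_PREFIX}-ControlPlane-Role" \
        --worker-iam-role "arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_PREFIX}-Worker-Role" \
        --private-link --subnet-ids "$SUBNET_IDS" \
        --kms-key-arn "$KMS_KEY_ARN" --yes
}

# Steps 4 and 5: cluster-specific Operator roles, then the OIDC provider the
# Operators authenticate against. In manual mode both print commands to run.
print_operator_role_and_oidc_commands() {
    rosa create operator-roles --cluster "$CLUSTER_NAME" --mode manual
    rosa create oidc-provider --cluster "$CLUSTER_NAME" --mode manual
}

if [ "${ROSA_RUN:-0}" = "1" ]; then
    print_account_role_commands
    kms_key_policy_statements "$INSTALLER_ROLE_ARN"
    create_custom_cluster
    print_operator_role_and_oidc_commands
fi
```

The generated statements must be appended to the key's existing policy (fetch it with aws kms get-key-policy --policy-name default, add the statements to its Statement array, and write it back with aws kms put-key-policy); overwriting the policy without its original root statement leaves the key unmanageable. In manual mode, run the printed aws commands with a principal that has IAM permissions before moving on to the next rosa step, since the cluster installer will otherwise fail to assume roles that do not yet exist.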

Good work! Once you’ve created your cluster, you’re ready to access it in the next resource.
 

This learning path is for operations teams or system administrators

Developers may want to check out Foundations of OpenShift on developers.redhat.com.
