Requirements for using Red Hat OpenShift Service on AWS (ROSA)

1. Review the prerequisites before getting started.
2. You will need the following pieces of information from your AWS account:
   1. AWS IAM User
   2. AWS Access Key ID
   3. AWS Secret Access Key
3. If you do not have a Red Hat account, create one here. Accept the required terms and conditions. Then check your email for a verification link.

1. Install the AWS CLI as per your operating system.

1. Enable your AWS account to use ROSA to use ROSA by clicking on the orange “Get started” button on the right. It will direct users to a new page.
   1. 
2. Once in the new page, click the checkbox to agree to terms and then click the “Enable ROSA” button. 

1. Install the ROSA CLI as per your operating system.
2. Download and extract the relevant file for your operating system
   1. ex: tar -xvf rosa-linux.tar.gz
3. Save it to a location within your "PATH".
   1. ex: sudo mv rosa /usr/local/bin/rosa
4. Run rosa version to make sure it works and that it returns the version number.

There are a few ways to install the OpenShift (oc) CLI:

1. If you have the rosa CLI installed, the simplest way is to run rosa download oc. Once downloaded, untar (or unzip) the file and move the executables into a directory in your PATH.
2. Or, you can download and install the latest oc.
3. Or, if you already have an OpenShift cluster you can access the command line tools page by clicking on the Question mark > Command Line Tools. Then download the relevant tool for your operating system.

View of Red Hat console page with question mark icon clicked and menu highlighted to show ‘command line tools’ download option.

If you've just installed the AWS CLI, or simply want to make sure it is using the correct AWS account, follow these steps in a terminal:

1. Enter aws configure in the terminal.
2. Enter the AWS Access Key ID and press enter.
3. Enter the AWS Secret Access Key and press enter.
4. Enter the default region you want to deploy into.
5. Enter the output format you want (“table” or “json”). For this guide you can choose “table” as it is easier to read but either is fine.

It should look like the following as an example:

$ aws configure
AWS Access Key ID: AKIA0000000000000000
AWS Secret Access Key: NGvmP0000000000000000000000000
Default region name: us-east-1
Default output format: table

Verify that the configuration is correct.

1. Run the following command to query the AWS API:
   aws sts get-caller-identity
2. You should see a table (or JSON if that’s what you set it to above) like the one below. Verify that the account information is correct.

$ aws sts get-caller-identity
------------------------------------------------------------------------------
|                                GetCallerIdentity                           |
+--------------+----------------------------------------+--------------------+
|    Account   |                   Arn                  |        UserId      |
+--------------+----------------------------------------+--------------------+
|  000000000000|  arn:aws:iam::00000000000:user/myuser  |  AIDA00000000000000|
+--------------+----------------------------------------+--------------------

Make sure that the service role for ELB already exists, otherwise the cluster deployment could fail. As such, run the following to check for the role and create it if it is missing.

aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing" || aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

If you received the following error during cluster creation, then the above command should correct it.

Error: Error creating network Load Balancer: AccessDenied: User: arn:aws:sts::970xxxxxxxxx:assumed-role/ManagedOpenShift-Installer-Role/163xxxxxxxxxxxxxxxx is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::970xxxxxxxxx:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing"

1. Enter rosa login in a terminal.
2. It will prompt you to open a web browser and go to https://console.redhat.com/openshift/token/rosa
3. Log in with your Red Hat account credentials.
4. Click the "Load token" button.
5. Copy the token and paste it back into the CLI prompt and press enter. Alternatively, you can just copy the full rosa login --token=abc... command and paste that in the terminal.

Where to find your API token

Verify that all the credentials set up are correct.

1. Run:
   rosa whoami
   
   You should see an output like below:

   AWS Account ID:               000000000000
   AWS Default Region:           us-east-2
   AWS ARN:                      arn:aws:iam::000000000000:user/myuser
   OCM API:                      https://api.openshift.com
   OCM Account ID:               1DzGIdIhqEWy000000000000000
   OCM Account Name:             Your Name
   OCM Account Username:         you@domain.com
   OCM Account Email:            you@domain.com
   OCM Organization ID:          1HopHfA20000000000000000000
   OCM Organization Name:        Red Hat
   OCM Organization External ID: 0000000

2. Please check all information for accuracy before proceeding.

Verify that your AWS account has ample quota in the region you will be deploying your cluster to.

1. Run:
   rosa verify quota
   
   It should return a response like:

   I: Validating AWS quota...
   I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html

See this documentation for more details regarding quotas.

Verify that the oc CLI is installed correctly with:

rosa verify openshift-client

We have now successfully set up our account and environment and are ready to deploy our cluster using AWS’s Security Token Service (STS), a method for granting short-lived, dynamic credentials to your users.

• Troubleshoot with Red Hat support
• Troubleshoot with AWS support