Chapter 7. ROSA CLI


7.1. Getting started with the ROSA CLI

7.1.1. About the ROSA CLI

Use the ROSA command-line interface (CLI) (rosa) to create, update, manage, and delete Red Hat OpenShift Service on AWS classic architecture clusters and resources.

7.1.2. Setting up the ROSA CLI

Use the following steps to install and configure the ROSA CLI (rosa) on your installation host.

Procedure

  1. Install and configure the latest AWS CLI (aws).

    1. Follow the AWS Command Line Interface documentation to install and configure the AWS CLI for your operating system.

      Specify your aws_access_key_id, aws_secret_access_key, and region in the .aws/credentials file. See AWS Configuration basics in the AWS documentation.

      Note

      You can optionally use the AWS_DEFAULT_REGION environment variable to set the default AWS region.

    2. Query the AWS API to verify if the AWS CLI is installed and configured correctly:

      $ aws sts get-caller-identity  --output text

      Example output

      <aws_account_id>    arn:aws:iam::<aws_account_id>:user/<username>  <aws_user_id>

  2. Download the latest version of the ROSA CLI (rosa) for your operating system from the Downloads page on OpenShift Cluster Manager.
  3. Extract the rosa binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:

    $ tar xvf rosa-linux.tar.gz
  4. Add rosa to your path. In the following example, the /usr/local/bin directory is included in the path of the user:

    $ sudo mv rosa /usr/local/bin/rosa
  5. Verify if the ROSA CLI is installed correctly by querying the rosa version:

    $ rosa version

    Example output

    1.2.15
    Your ROSA CLI is up to date.

  6. Optional: Enable tab completion for the ROSA CLI. With tab completion enabled, you can press the Tab key twice to automatically complete subcommands and receive command suggestions:

    • To enable persistent tab completion for Bash on a Linux host:

      1. Generate a rosa tab completion configuration file for Bash and save it to your /etc/bash_completion.d/ directory:

        # rosa completion bash > /etc/bash_completion.d/rosa
      2. Open a new terminal to activate the configuration.
    • To enable persistent tab completion for Bash on a macOS host:

      1. Generate a rosa tab completion configuration file for Bash and save it to your /usr/local/etc/bash_completion.d/ directory:

        $ rosa completion bash > /usr/local/etc/bash_completion.d/rosa
      2. Open a new terminal to activate the configuration.
    • To enable persistent tab completion for Zsh:

      1. If tab completion is not enabled for your Zsh environment, enable it by running the following command:

        $ echo "autoload -U compinit; compinit" >> ~/.zshrc
      2. Generate a rosa tab completion configuration file for Zsh and save it to the first directory in your functions path:

        $ rosa completion zsh > "${fpath[1]}/_rosa"
      3. Open a new terminal to activate the configuration.
    • To enable persistent tab completion for fish:

      1. Generate a rosa tab completion configuration file for fish and save it to your ~/.config/fish/completions/ directory:

        $ rosa completion fish > ~/.config/fish/completions/rosa.fish
      2. Open a new terminal to activate the configuration.
    • To enable persistent tab completion for PowerShell:

      1. Generate a rosa tab completion configuration file for PowerShell and save it to a file named rosa.ps1:

        PS> rosa completion powershell > rosa.ps1
      2. Source the rosa.ps1 file from your PowerShell profile.
    Note

    For more information about configuring rosa tab completion, see the help menu by running the rosa completion --help command.

7.1.3. Configuring the ROSA CLI

Use the following commands to configure the ROSA command-line interface (CLI) (rosa).

7.1.3.1. login

There are several methods you can use to log in to your Red Hat account using the ROSA command-line interface (CLI) (rosa). These methods are described in detail below.

You can log in to the ROSA CLI (rosa) with Red Hat single sign-on. Red Hat recommends using the rosa command line tool with Red Hat single sign-on, instead of using an offline authentication token.

An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account.

In contrast, authenticating with the Red Hat single sign-on method automatically sends your rosa instance a refresh token that is valid for 10 hours. This unique, temporary authorization code enhances security and reduces the risk of unauthorized access.

Important

The method of authenticating using Red Hat single sign-on does not break any existing automations that rely on offline tokens. Red Hat recommends using service accounts for automation purposes. If you still need to use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the OpenShift Cluster Manager API Token page.

Use one of the following methods of authentication:

  • If your system has a web browser, see the "Authenticating the ROSA CLI with a single sign-on authorization code" section to authenticate with Red Hat single sign-on.
  • If you are working with containers, remote hosts, or other environments without a web browser, see the "Authenticating the ROSA CLI with a single sign-on device code" section to authenticate with Red Hat single sign-on.
  • To authenticate the ROSA CLI using an offline token, see the "Authenticating the ROSA CLI with an offline token" section.
Note

Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.

  • To log in to the ROSA CLI (rosa) with a Red Hat single sign-on authorization code, run the following command:

    Syntax

    $ rosa login --use-auth-code

    Running this command redirects you to the Red Hat single sign-on login. Log in with your Red Hat login or email.

    Table 7.1. Optional arguments inherited from parent commands
    Option    Definition

    --help

    Shows help for this command.

    --debug

    Enables debug mode.

    To switch accounts, log out of https://sso.redhat.com and run the rosa logout command in your terminal before attempting to log in again.

If you are working with containers, remote hosts, and other environments without a web browser, you can use a Red Hat single sign-on device code for secure authentication. To do this, you must use a second device that has a web browser to approve the login.

Note

Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.

  • To log in to the ROSA CLI (rosa) with a Red Hat single sign-on device code, run the following command:

    Syntax

    $ rosa login --use-device-code

    Running this command redirects you to the Red Hat SSO login and provides a login code.

    Table 7.2. Optional arguments inherited from parent commands
    Option    Definition

    --help

    Shows help for this command.

    --debug

    Enables debug mode.

    To switch accounts, log out of https://sso.redhat.com and run the rosa logout command in your terminal before attempting to log in again.

Log in to your Red Hat account, saving the credentials to the rosa configuration file.

Note

To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from the OpenShift Cluster Manager API Token page. To use service accounts for automation purposes, see the Service Accounts page.

Important

Red Hat recommends using service accounts for automation purposes.

  • To log in to ROSA CLI (rosa) with a Red Hat offline token, run the following command:

    Syntax

    $ rosa login [arguments]

    Table 7.3. Arguments
    Option    Definition

    --client-id

    The OpenID client identifier (string). Default: cloud-services

    --client-secret

    The OpenID client secret (string).

    --insecure

    Enables insecure communication with the server. This disables verification of TLS certificates and host names.

    --scope

    The OpenID scope (string). If this option is used, it replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: openid

    --token

    Accesses or refreshes the token (string).

    --token-url

    The OpenID token URL (string). Default: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

    Table 7.4. Optional arguments inherited from parent commands
    Option    Definition

    --help

    Shows help for this command.

    --debug

    Enables debug mode.

    --profile

    Specifies an AWS profile (string) from your credentials file.

7.1.3.2. logout

Log out of rosa. Logging out also removes the rosa configuration file.

Syntax

$ rosa logout [arguments]

Table 7.5. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.1.3.3. verify permissions

Verify that the AWS permissions required to create a Red Hat OpenShift Service on AWS classic architecture cluster are configured correctly:

Syntax

$ rosa verify permissions [arguments]

Note

This command verifies permissions only for clusters that do not use the AWS Security Token Service (STS).

Table 7.6. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--region

The AWS region (string) in which to run the command. This value overrides the AWS_REGION environment variable.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS permissions are configured correctly:

$ rosa verify permissions

Verify that the AWS permissions are configured correctly in a specific region:

$ rosa verify permissions --region=us-west-2

7.1.3.4. verify quota

Verifies that AWS quotas are configured correctly for your default region.

Syntax

$ rosa verify quota [arguments]

Table 7.7. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--region

The AWS region (string) in which to run the command. This value overrides the AWS_REGION environment variable.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS quotas are configured correctly for the default region:

$ rosa verify quota

Verify that the AWS quotas are configured correctly in a specific region:

$ rosa verify quota --region=us-west-2

7.1.3.5. download rosa

Download the latest compatible version of the rosa CLI.

After you download rosa, extract the contents of the archive and add it to your path.

Syntax

$ rosa download rosa [arguments]

Table 7.8. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

7.1.3.6. download oc

Download the latest compatible version of the OpenShift Container Platform CLI (oc).

After you download oc, you must extract the contents of the archive and add it to your path.

Syntax

$ rosa download oc [arguments]

Table 7.9. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

Example

Download oc client tools:

$ rosa download oc

7.1.3.7. verify oc

Verifies that the OpenShift Container Platform CLI (oc) is installed correctly.

Syntax

$ rosa verify oc [arguments]

Table 7.10. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

Example

Verify oc client tools:

$ rosa verify oc

Use the init command to initialize Red Hat OpenShift Service on AWS classic architecture only if you are using non-STS.

7.1.4.1. init

Perform a series of checks to verify that you are ready to deploy a Red Hat OpenShift Service on AWS classic architecture cluster.

The list of checks includes the following:

  • Checks to see that you have logged in (see login)
  • Checks that your AWS credentials are valid
  • Checks that your AWS permissions are valid (see verify permissions)
  • Checks that your AWS quota levels are high enough (see verify quota)
  • Runs a cluster simulation to ensure cluster creation will perform as expected
  • Checks that the osdCcsAdmin user has been created in your AWS account
  • Checks that the OpenShift Container Platform command-line tool is available on your system

Syntax

$ rosa init [arguments]

Table 7.11. Arguments
Option    Definition

--region

The AWS region (string) in which to verify quota and permissions. This value overrides the AWS_REGION environment variable only when running the init command, but it does not change your AWS CLI configuration.

--delete

Deletes the stack template that is applied to your AWS account during the init command.

--client-id

The OpenID client identifier (string). Default: cloud-services

--client-secret

The OpenID client secret (string).

--insecure

Enables insecure communication with the server. This disables verification of TLS certificates and host names.

--scope

The OpenID scope (string). If this option is used, it completely replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: openid

--token

Accesses or refreshes the token (string).

--token-url

The OpenID token URL (string). Default: https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

Table 7.12. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Configure your AWS account to allow ROSA clusters:

$ rosa init

Configure a new AWS account using pre-existing OpenShift Cluster Manager credentials:

$ rosa init --token=$OFFLINE_ACCESS_TOKEN

7.1.5. Using a Bash script

This is an example workflow of how to use a Bash script with the ROSA command-line interface (CLI) (rosa).

Prerequisites

Make sure that AWS credentials are available as one of the following options:

  • AWS profile
  • Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

Procedure

  1. Initialize rosa using a Red Hat OpenShift Cluster Manager offline token from Red Hat:

    $ rosa init --token=<token>
  2. Create the Red Hat OpenShift Service on AWS classic architecture cluster:

    $ rosa create cluster --cluster-name=<cluster_name>
  3. Add an identity provider (IDP):

    $ rosa create idp --cluster=<cluster_name> --type=<identity_provider> [arguments]
  4. Add a dedicated-admin user:

    $ rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
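
Before a script like this workflow is committed or shared, it is worth scanning it for rosa flags that carry credentials as literals (--token, --client-secret, --cluster-admin-password) or that disable TLS verification (--insecure). The following check is an added example, not part of the Red Hat documentation; audit_rosa_script is a hypothetical helper name.

```bash
#!/usr/bin/env bash
# Added example, not from the ROSA documentation. audit_rosa_script is a
# hypothetical helper; it only reads the file it is given. It checks one line
# at a time, so flags on backslash-continued lines are not examined.

# audit_rosa_script FILE
# Prints "LINE: finding" for each risky rosa flag; exit status 1 if any were found.
audit_rosa_script() {
    awk '
    function report(msg) { printf "%d: %s\n", NR, msg; found = 1 }
    /^[ \t]*#/ { next }                           # ignore comment lines
    !/(^|[^A-Za-z0-9_-])rosa[ \t]/ { next }       # only lines that invoke rosa
    {
        n = split($0, word, /[ \t]+/)
        for (i = 1; i <= n; i++) {
            flag = word[i]; value = ""
            eq = index(flag, "=")
            if (eq > 0) {                         # --flag=value form
                value = substr(flag, eq + 1); flag = substr(flag, 1, eq - 1)
            } else if (i < n) {                   # --flag value form
                value = word[i + 1]
            }
            if (flag == "--insecure")
                report("--insecure disables TLS certificate and host name verification")
            if (flag == "--token" || flag == "--client-secret" || flag == "--cluster-admin-password") {
                # A value starting with a dollar sign (optionally quoted) is a
                # variable reference, for example --token=$OFFLINE_ACCESS_TOKEN.
                if (value != "" && value !~ /^"?[$]/)
                    report(flag " is set to a literal value in the script")
            }
        }
    }
    END { exit found }
    ' "$1"
}

# Usage: ./audit-rosa-script.sh path/to/script.sh
if [ "$#" -ge 1 ]; then
    audit_rosa_script "$1"
fi
```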

7.1.6. Updating the ROSA CLI

Update to the latest compatible version of the ROSA CLI (rosa).

Procedure

  1. Confirm that a new version of the ROSA CLI (rosa) is available:

    $ rosa version

    Example output

    1.2.12
    There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

  2. Download the latest compatible version of the ROSA CLI:

    $ rosa download rosa

    This command downloads an archive called rosa-*.tar.gz into the current directory. The exact name of the file depends on your operating system and system architecture.

  3. Extract the contents of the archive:

    $ tar -xzf rosa-linux.tar.gz
  4. Install the new version of the ROSA CLI by moving the extracted file into your path. In the following example, the /usr/local/bin directory is included in the path of the user:

    $ sudo mv rosa /usr/local/bin/rosa

Verification

  • Verify that the new version of the ROSA CLI is installed.

    $ rosa version

    Example output

    1.2.15
    Your ROSA CLI is up to date.
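
The extract-and-move steps in this update procedure and in the setup procedure (7.1.2) place a downloaded binary on the path without checking it. The following added example, which is not part of the Red Hat documentation, verifies the archive's SHA-256 digest, refuses an archive whose rosa member is missing or is not a regular file, and installs with an explicit mode. The function names are hypothetical, and the expected digest is assumed to come from a source you trust, which this page does not describe.

```bash
#!/usr/bin/env bash
# Added example, not from the ROSA documentation. install_rosa and sha256_of
# are hypothetical helper names. The expected SHA-256 is assumed to come from
# a source you trust; the page does not describe one.

# sha256_of FILE -> prints the hex digest (sha256sum on Linux, shasum on macOS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# install_rosa ARCHIVE EXPECTED_SHA256 DEST_DIR
# Exit status: 0 installed, 1 digest mismatch, 2 unsafe archive, 3 other error.
install_rosa() {
    local archive="$1" expected="$2" dest="$3" actual members member tmp rc=0
    if [ ! -f "$archive" ] || [ ! -d "$dest" ]; then
        echo "archive or destination directory not found" >&2
        return 3
    fi

    # 1. Compare the digest before touching the archive contents.
    actual=$(sha256_of "$archive") || return 3
    if [ "$actual" != "$expected" ]; then
        echo "digest mismatch: got $actual" >&2
        return 1
    fi

    # 2. List member names first; refuse absolute or parent-directory paths.
    members=$(tar -tzf "$archive") || return 3
    if printf '%s\n' "$members" | grep -Eq '^/|(^|/)\.\.(/|$)'; then
        echo "archive contains absolute or parent-directory paths" >&2
        return 2
    fi
    member=$(printf '%s\n' "$members" | grep -Ex '(\./)?rosa' | head -n 1)
    if [ -z "$member" ]; then
        echo "archive has no top-level rosa member" >&2
        return 2
    fi

    # 3. Extract only that member into a private directory and check its type.
    tmp=$(mktemp -d) || return 3
    if tar -xzf "$archive" -C "$tmp" "$member" \
        && [ -f "$tmp/rosa" ] && [ ! -L "$tmp/rosa" ]; then
        # 4. install(1) writes a new file owned by the invoking user (root under
        #    sudo) with an explicit mode; `mv` keeps the extracting user's
        #    ownership on the file placed in the shared bin directory.
        install -m 0755 "$tmp/rosa" "$dest/rosa" || rc=3
    else
        echo "rosa member is missing or is not a regular file" >&2
        rc=2
    fi
    rm -rf "$tmp"
    return "$rc"
}

# Usage: sudo ./install-rosa.sh rosa-linux.tar.gz <expected_sha256> /usr/local/bin
if [ "$#" -eq 3 ]; then
    install_rosa "$@"
fi
```

Run rosa version afterwards, as in the verification step, to confirm the installed binary reports the expected release.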

7.2. Managing objects with the ROSA CLI

Use the ROSA command-line interface (CLI) (rosa) to manage objects, such as adding dedicated-admin users, managing clusters, and scheduling cluster upgrades.

Note

To access a cluster that is accessible only over an HTTP proxy server, you can set the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY variables. These environment variables are respected by the rosa CLI so that all communication with the cluster goes through the HTTP proxy.

7.2.1. Common commands and arguments

These common commands and arguments are available for the ROSA command-line interface (CLI) (rosa).

7.2.1.1. debug

Enables debug mode for the parent command to help with troubleshooting.

Example

$ rosa create cluster --cluster-name=<cluster_name> --debug

7.2.1.2. download

Downloads the latest compatible version of the specified software to the current directory in an archive file. Extract the contents of the archive and add the contents to your path to use the software. To download the latest ROSA CLI, specify rosa. To download the latest OpenShift CLI, specify oc.

Example

$ rosa download <software>

7.2.1.3. help

Displays general help information for the ROSA CLI (rosa) and a list of available commands. This option can also be used as an argument to display help information for a parent command, such as version or create.

Examples

Displays general help for the ROSA CLI.

$ rosa --help

Displays general help for version.

$ rosa version --help

7.2.1.4. interactive

Enables interactive mode.

Example

$ rosa create cluster --cluster-name=<cluster_name> --interactive

7.2.1.5. profile

Specifies an AWS profile from your credential file.

Example

$ rosa create cluster --cluster-name=<cluster_name> --profile=myAWSprofile

7.2.1.6. version

Displays the rosa version and checks whether a newer version is available.

Example

$ rosa version [arguments]

Example output

Displayed when a newer version of the ROSA CLI is available.

1.2.12
There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

7.2.2. Parent commands

The ROSA command-line interface (CLI) (rosa) uses parent commands with child commands to manage objects. The parent commands are create, edit, delete, list, and describe. Not all parent commands can be used with all child commands. For more information, see the specific reference topics that describe the child commands.

7.2.2.1. create

Creates an object or resource when paired with a child command.

Example

$ rosa create cluster --cluster-name=mycluster

7.2.2.2. edit

Edits options for an object, such as making a cluster private.

Example

$ rosa edit cluster --cluster=mycluster --private

7.2.2.3. delete

Deletes an object or resource when paired with a child command.

Example

$ rosa delete ingress --cluster=mycluster

7.2.2.4. list

Lists clusters or resources for a specific cluster.

Example

$ rosa list users --cluster=mycluster

7.2.2.5. describe

Shows the details for a cluster.

Example

$ rosa describe cluster --cluster=mycluster

7.2.3. Create objects

This section describes the create commands for clusters and resources.

7.2.3.1. create account-roles

Create the required account-wide role and policy resources for your cluster.

Syntax

$ rosa create account-roles [flags]

Table 7.13. Flags
Option    Definition

--debug

Enable debug mode.

-i, --interactive

Enable interactive mode.

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be automatically applied using the current AWS account.
manual
Commands necessary to modify AWS resources will be output to be run manually.

--path string

The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies.

--permissions-boundary string

The ARN of the policy that is used to set the permissions boundary for the account roles.

--prefix string

User-defined prefix for all generated AWS resources. The default is ManagedOpenShift.

--profile string

Use a specific AWS profile from your credential file.

-y, --yes

Automatically answer yes to confirm operations.

7.2.3.2. create admin

Create a cluster administrator with an automatically generated password that can log in to a cluster.

Syntax

$ rosa create admin --cluster=<cluster_name>|<cluster_id>

Table 7.14. Arguments
Option    Definition

--cluster <cluster_name>|<cluster_id>

Required. The name or ID (string) of the cluster to add to the identity provider (IDP).

Table 7.15. Optional arguments inherited from parent commands
Option    Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile string

Specifies an AWS profile from your credentials file.

Example

Create a cluster administrator that can log in to a cluster named mycluster.

$ rosa create admin --cluster=mycluster

7.2.3.3. create cluster

Create a new cluster.

Syntax

$ rosa create cluster --cluster-name=<cluster_name> [arguments]

Table 7.16. Arguments
Option    Definition

--additional-compute-security-group-ids <sec_group_id>

The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.

--additional-infra-security-group-ids <sec_group_id>

The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.

--additional-control-plane-security-group-ids <sec_group_id>

The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.

--cluster-name <cluster_name>

Required. The name of the cluster. When used with the create cluster command, this argument is used to set the cluster name and can hold up to 54 characters. The value for this argument must be unique within your organization.

--compute-machine-type <instance_type>

The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, see AWS Instance types in ROSA service definition.

--controlplane-iam-role <arn>

The ARN of the IAM role to attach to control plane instances.

--create-cluster-admin

Optional. As part of cluster creation, create a local administrator user (cluster-admin) for your cluster. This automatically configures an htpasswd identity provider for the cluster-admin user. Optionally, use the --cluster-admin-user and --cluster-admin-password options to specify the username and password for the administrator user. Omitting these options automatically generates the credentials and displays their values as terminal output.

--cluster-admin-user

Optional. Specifies the user name of the cluster administrator user created when used in conjunction with the --create-cluster-admin option.

--cluster-admin-password

Optional. Specifies the password of the cluster administrator user created when used in conjunction with the --create-cluster-admin option.

--disable-scp-checks

Indicates whether cloud permission checks are disabled when attempting to install a cluster.

--dry-run

Simulates creating the cluster.

--domain-prefix

Optional: When used with the create cluster command, this argument sets the subdomain for your cluster on *.openshiftapps.com. The value for this argument must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation. If the argument is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is 15 characters or fewer, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated as a 15-character string.

--ec2-metadata-http-tokens string

Configures the use of IMDSv2 for EC2 instances. Valid values are optional (default) or required.

--enable-autoscaling

Enables autoscaling of compute nodes. By default, autoscaling is set to 2 nodes. To set non-default node limits, use this argument with the --min-replicas and --max-replicas arguments.

--etcd-encryption

Enables encryption of ETCD key-values on Red Hat OpenShift Service on AWS classic architecture clusters.

--etcd-encryption-kms-arn

Enables encryption of ETCD storage using the customer-managed key managed in AWS Key Management Service.

--external-id <arn_string>

An optional unique identifier that might be required when you assume a role in another account.

--host-prefix <subnet>

The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to 23, then each node is assigned a /23 subnet out of the given CIDR.

--machine-cidr <address_block>

Block of IP addresses (ipNet) used by Red Hat OpenShift Service on AWS classic architecture while installing the cluster, for example, 10.0.0.0/16.

Important

OVN-Kubernetes, the default network provider in Red Hat OpenShift Service on AWS classic architecture 4.11 and later, uses the 100.64.0.0/16 IP address range internally. If your cluster uses OVN-Kubernetes, do not include the 100.64.0.0/16 IP address range in any other CIDR definitions in your cluster.

--max-replicas <number_of_nodes>

Specifies the maximum number of compute nodes when enabling autoscaling. Default: 2

--min-replicas <number_of_nodes>

Specifies the minimum number of compute nodes when enabling autoscaling. Default: 2

--multi-az

Deploys to multiple data centers.

--no-cni

Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation.

--operator-roles-prefix <string>

Prefix that is used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one.

--pod-cidr <address_block>

Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example, 10.128.0.0/14.

Important

OVN-Kubernetes, the default network provider in Red Hat OpenShift Service on AWS classic architecture 4.11 and later, uses the 100.64.0.0/16 IP address range internally. If your cluster uses OVN-Kubernetes, do not include the 100.64.0.0/16 IP address range in any other CIDR definitions in your cluster.

--private

Restricts primary API endpoint and application routes to direct, private connectivity.

--private-link

Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The --subnet-ids argument is required when using --private-link.

--region <region_name>

The name of the AWS region where your worker pool will be located, for example, us-east-1. This argument overrides the AWS_REGION environment variable.

--replicas n

The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default: 2 for single-zone clusters; 3 for multi-zone clusters.

--role-arn <arn>

The ARN of the installer role that OpenShift Cluster Manager uses to create the cluster. This is required if you have not already created account roles.

--service-cidr <address_block>

Block of IP addresses (ipNet) for services, for example, 172.30.0.0/16.

Important

OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the 100.64.0.0/16 IP address range internally. If your cluster uses OVN-Kubernetes, do not include the 100.64.0.0/16 IP address range in any other CIDR definitions in your cluster.

--sts | --non-sts

Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster.

--subnet-ids <aws_subnet_id>

The AWS subnet IDs that are used when installing the cluster, for example, subnet-01abc234d5678ef9a. Subnet IDs must be in pairs with one private subnet ID and one public subnet ID per availability zone. Subnets are comma-delimited, for example, --subnet-ids=subnet-1,subnet-2. Leave the value empty for installer-provisioned subnet IDs.

When using --private-link, the --subnet-ids argument is required and only one private subnet is allowed per zone.

--support-role-arn string

The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support.

--tags

Tags that are used on resources created by Red Hat OpenShift Service on AWS classic architecture in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar".

Important

Red Hat OpenShift Service on AWS classic architecture only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited. Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed.

Red Hat OpenShift Service on AWS classic architecture does not support adding additional tags outside of Red Hat OpenShift Service on AWS classic architecture cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.

--version string

The version of Red Hat OpenShift Service on AWS classic architecture that will be used to install the cluster or cluster resources. For a cluster, use an X.Y.Z format, for example, 4.20.0. For account-role, use an X.Y format, for example, 4.20.

--worker-iam-role string

The ARN of the IAM role that will be attached to compute instances.

--channel-group <channel_group_name>

Allows users to assign their cluster to a specific channel group. Options include stable and eus. For more information about channel groups, see Understanding update channels and releases.

Table 7.17. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Create a cluster named mycluster.

$ rosa create cluster --cluster-name=mycluster

Create a cluster with a specific AWS region.

$ rosa create cluster --cluster-name=mycluster --region=us-east-2

Create a cluster with autoscaling enabled on the default worker machine pool.

$ rosa create cluster --cluster-name=mycluster --region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5
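
The restriction on the 100.64.0.0/16 range that OVN-Kubernetes uses internally, stated in the create cluster arguments, can be checked before the command is run. The following script is an added example and is not part of the Red Hat documentation or the rosa CLI; the function names, labels, and sample CIDRs are constructed for illustration.

```shell
#!/bin/sh
# Added example: pre-flight check that no CIDR planned for a cluster overlaps
# the range OVN-Kubernetes uses internally.
OVN_RESERVED_CIDR="100.64.0.0/16"   # value taken from the documentation above

# ip_to_int A.B.C.D: print the address as an integer, or return 1 if malformed.
ip_to_int() {
    case $1 in ''|*[!0-9.]*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do
        # Reject empty fields, leading zeros (octal in shell arithmetic)
        # and anything longer than three digits.
        case $octet in ''|0?*|????*) return 1 ;; esac
        [ "$octet" -le 255 ] || return 1
    done
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# prefix_len_ok N: succeed when N is a decimal prefix length from 0 to 32.
prefix_len_ok() {
    case $1 in ''|*[!0-9]*|0?*|???*) return 1 ;; esac
    [ "$1" -le 32 ]
}

# cidr_overlaps CIDR1 CIDR2: return 0 if the ranges share any address,
# 1 if they are disjoint, 2 if either argument is malformed.
cidr_overlaps() {
    case $1 in */*) ;; *) return 2 ;; esac
    case $2 in */*) ;; *) return 2 ;; esac
    a_len=${1#*/}; b_len=${2#*/}
    prefix_len_ok "$a_len" || return 2
    prefix_len_ok "$b_len" || return 2
    a_int=$(ip_to_int "${1%/*}") || return 2
    b_int=$(ip_to_int "${2%/*}") || return 2
    # Two CIDR blocks overlap exactly when they agree on the shorter prefix,
    # which also catches a supernet such as 100.0.0.0/8.
    if [ "$a_len" -lt "$b_len" ]; then shorter=$a_len; else shorter=$b_len; fi
    drop=$(( 32 - shorter ))
    [ $(( a_int >> drop )) -eq $(( b_int >> drop )) ]
}

# find_ovn_conflicts LABEL=CIDR...: print every pair that overlaps the reserved
# range or cannot be parsed; return 1 if any was printed, 0 otherwise.
find_ovn_conflicts() {
    conflicts=0
    for pair in "$@"; do
        rc=0
        cidr_overlaps "${pair#*=}" "$OVN_RESERVED_CIDR" || rc=$?
        case $rc in
            0) echo "$pair"; conflicts=1 ;;
            2) echo "unparseable: $pair"; conflicts=1 ;;
        esac
    done
    return "$conflicts"
}

# Constructed sample values; the labels are illustrative, not rosa flag names.
find_ovn_conflicts machine=10.0.0.0/16 service=172.30.0.0/16 pod=100.64.128.0/17 ||
    echo "resolve the CIDRs listed above before creating the cluster" >&2
```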

7.2.3.4. create idp

Add an identity provider (IDP) to define how users log in to a cluster.

Syntax

$ rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.18. Arguments

Option

Definition

--cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster to which the IDP will be added.

--ca <path_to_file>

The path to the PEM-encoded certificate file to use when making requests to the server, for example, /usr/share/cert.pem.

--client-id

The client ID (string) from the registered application.

--client-secret

The client secret (string) from the registered application.

--mapping-method

Specifies how new identities (string) are mapped to users when they log in. Default: claim

--name

The name (string) for the identity provider.

--type

The type (string) of identity provider. Options: github, gitlab, google, ldap, openid

Table 7.19. GitHub arguments

Option

Definition

--hostname

The optional domain (string) that is used with a hosted instance of GitHub Enterprise.

--organizations

Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in.

--teams

Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is <org>/<team>.

Table 7.20. GitLab arguments

Option

Definition

--host-url

The host URL (string) of a GitLab provider. Default: https://gitlab.com

Table 7.21. Google arguments

Option

Definition

--hosted-domain

Restricts users to a Google Apps domain (string).

Table 7.22. LDAP arguments

Option

Definition

--bind-dn

The domain name (string) to bind with during the search phase.

--bind-password

The password (string) to bind with during the search phase.

--email-attributes

The list (string) of attributes whose values should be used as the email address.

--id-attributes

The list (string) of attributes whose values should be used as the user ID. Default: dn

--insecure

Does not make TLS connections to the server.

--name-attributes

The list (string) of attributes whose values should be used as the display name. Default: cn

--url

An RFC 2255 URL (string) which specifies the LDAP search parameters that are used.

--username-attributes

The list (string) of attributes whose values should be used as the preferred username. Default: uid

Table 7.23. OpenID arguments

Option

Definition

--email-claims

The list (string) of claims that are used as the email address.

--extra-scopes

The list (string) of scopes to request, in addition to the openid scope, during the authorization token request.

--issuer-url

The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment.

--name-claims

The list (string) of claims that are used as the display name.

--username-claims

The list (string) of claims that are used as the preferred username when provisioning a user.

--groups-claims

The list (string) of claims that are used as the group names.

Table 7.24. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Add a GitHub identity provider to a cluster named mycluster.

$ rosa create idp --type=github --cluster=mycluster

Add an identity provider following interactive prompts.

$ rosa create idp --cluster=mycluster --interactive

7.2.3.5. create ingress

Add an ingress endpoint to enable API access to the cluster.

Syntax

$ rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.25. Arguments

Option

Definition

--cluster <cluster_name>|<cluster_id>

Required: The name or ID of the cluster to which the ingress will be added.

--label-match

The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.

--private

Restricts application route to direct, private connectivity.

Table 7.26. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Add an internal ingress to a cluster named mycluster.

$ rosa create ingress --private --cluster=mycluster

Add a public ingress to a cluster named mycluster.

$ rosa create ingress --cluster=mycluster

Add an ingress with a route selector label match.

$ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz

7.2.3.6. create kubeletconfig

Create a custom KubeletConfig object to allow custom configuration of nodes in a cluster.

Syntax

$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

Table 7.27. Flags

Option

Definition

--pod-pids-limit <number>

Required. The maximum number of PIDs for each node in the

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster in which to create the KubeletConfig object.

--name

Specifies a name for the KubeletConfig object.

-i, --interactive

Enable interactive mode.

-h, --help

Shows help for this command.

For more information about setting the PID limit for the cluster, see Configuring PID limits.

7.2.3.7. create machinepool

Add a machine pool to an existing cluster.

Syntax

$ rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]

Table 7.28. Arguments

Option

Definition

--additional-security-group-ids <sec_group_id>

The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements for Security groups under Additional resources.

--cluster <cluster_name>|<cluster_id>

Required: The name or ID of the cluster to which the machine pool will be added.

--disk-size

Set the disk volume size for the machine pool, in GiB or TiB. The default is 300 GiB. For Red Hat OpenShift Service on AWS classic architecture clusters version 4.13 or earlier, the minimum disk size is 128 GiB, and the maximum is 1 TiB. For cluster version 4.14 and later, the minimum is 128 GiB, and the maximum is 16 TiB.

--enable-autoscaling

Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the --min-replicas and --max-replicas arguments. To disable autoscaling, use --enable-autoscaling=false with the --replicas argument.

--instance-type

The instance type (string) that should be used. Default: m5.xlarge

--labels

The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis.

--max-replicas

Specifies the maximum number of compute nodes when enabling autoscaling.

--min-replicas

Specifies the minimum number of compute nodes when enabling autoscaling.

--name

Required: The name (string) for the machine pool.

--replicas

Required when autoscaling is not configured. The number (integer) of machines for this machine pool.

--tags

Apply user defined tags to all resources created by Red Hat OpenShift Service on AWS classic architecture in AWS. Tags are comma separated, for example: 'key value, foo bar'.

--taints

Taints for the machine pool. This string value should be formatted as a comma-separated list of key=value:ScheduleType. This list will overwrite any modifications made to Node taints on an ongoing basis.

--autorepair

AutoRepair setting for the machine pool represented as the boolean true or false.

Table 7.29. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Interactively add a machine pool to a cluster named mycluster.

$ rosa create machinepool --cluster=mycluster --interactive

Add a machine pool that is named mp-1 to a cluster with autoscaling enabled.

$ rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1

Add a machine pool that is named mp-1 with 3 replicas of m5.xlarge to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1

Add a machine pool (mp-1) to a Red Hat OpenShift Service on AWS classic architecture cluster, configuring 6 replicas and the following upgrade behavior:

  • Allow up to 2 excess nodes to be provisioned during an upgrade.
  • Ensure that no more than 3 nodes are unavailable during an upgrade.

$ rosa create machinepool --cluster=mycluster --replicas=6 --name=mp-1 --max-surge=2 --max-unavailable=3

Add a machine pool with labels to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1

Add a machine pool with tags to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1

7.2.3.8. create ocm-role

Create the required ocm-role resources for your cluster.

Syntax

$ rosa create ocm-role [flags]

Table 7.30. Flags

Option

Definition

--admin

Enable admin capabilities for the role.

--debug

Enable debug mode.

-i, --interactive

Enable interactive mode.

-m, --mode string

How to perform the operation. Valid options are:

  • auto: Resource changes will be automatically applied using the current AWS account
  • manual: Commands necessary to modify AWS resources will be output to be run manually

--path string

The ARN path for the OCM role and policies.

--permissions-boundary string

The ARN of the policy that is used to set the permissions boundary for the OCM role.

--prefix string

User-defined prefix for all generated AWS resources. The default is ManagedOpenShift.

--profile string

Use a specific AWS profile from your credential file.

-y, --yes

Automatically answer yes to confirm operation.

For more information about the OCM role created with the rosa create ocm-role command, see Account-wide IAM role and policy reference.

7.2.3.9. create user-role

Create the required user-role resources for your cluster.

Syntax

$ rosa create user-role [flags]

Table 7.31. Flags

Option

Definition

--debug

Enable debug mode.

-i, --interactive

Enable interactive mode.

-m, --mode string

How to perform the operation. Valid options are:

  • auto: Resource changes will be automatically applied using the current AWS account
  • manual: Commands necessary to modify AWS resources will be output to be run manually

--path string

The ARN path for the user role and policies.

--permissions-boundary string

The ARN of the policy that is used to set the permissions boundary for the user role.

--prefix string

User-defined prefix for all generated AWS resources. The default is ManagedOpenShift.

--profile string

Use a specific AWS profile from your credential file.

-y, --yes

Automatically answer yes to confirm operation.

For more information about the user role created with the rosa create user-role command, see Understanding AWS account association.

7.2.3.10. create iamserviceaccount

Create an AWS Identity and Access Management (IAM) role that can be assumed by a Red Hat OpenShift Service on AWS classic architecture service account using OpenID Connect (OIDC) identity federation.

Syntax

$ rosa create iamserviceaccount --cluster=<cluster_name> | <cluster_id> --name=<service_account_name> [arguments]

Table 7.32. Arguments

Option

Definition

--cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster for which to create the IAM service account role.

--name <service_account_name>

Required. The name of the Red Hat OpenShift Service on AWS classic architecture service account. This flag can be used multiple times to create a role for multiple service accounts.

--namespace <namespace_name>

The Red Hat OpenShift Service on AWS classic architecture namespace for the service account. Default: default

--role-name <role_name>

The name of the IAM role to create. If not specified, a name will be auto-generated using the pattern {cluster-name}-{namespace}-{service-account-name}-role.

--attach-policy-arn <policy_arn>

The ARN of an IAM policy to attach to the role. This flag can be used multiple times to attach multiple policies.

--inline-policy <policy_document>

An inline policy document in JSON format or a file path prefixed with file:// (for example, file://policy.json).

--permissions-boundary <boundary_arn>

The ARN of an IAM policy to use as a permissions boundary for the role.

--path <iam_path>

The IAM path for the role. Default: /

-m, --mode string

How to perform the operation. Valid options are:

  • auto: Resource changes will be automatically applied using the current AWS account.
  • manual: Commands necessary to modify AWS resources will be output to be run manually.

Table 7.33. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile string

Specifies an AWS profile from your credentials file.

--yes

Automatically answers yes to confirm the operation.

Examples

Create an IAM role for a service account named my-app in the default namespace with S3 read-only access.

$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess

Create an IAM role with a custom name and multiple policies.

$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --namespace=production --role-name=my-custom-role --attach-policy-arn=arn:aws:iam::aws:policy/AmazonS3ReadOnlyAccess --attach-policy-arn=arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess

Create an IAM role with an inline policy from a file.

$ rosa create iamserviceaccount --cluster=mycluster --name=my-app --inline-policy=file://my-policy.json

7.2.5. Edit objects

This section describes the edit commands for clusters and resources.

7.2.5.1. edit cluster

Allows edits to an existing cluster.

Syntax

$ rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.34. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster to edit.

--private

Restricts a primary API endpoint to direct, private connectivity.

--enable-delete-protection=true

Enables the delete protection feature.

--enable-delete-protection=false

Disables the delete protection feature.

--channel-group <channel_group_name>

Allows users to assign their cluster to a specific channel group. Options include stable and eus. For more information about channel groups, see Understanding update channels and releases.

Table 7.35. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Edit a cluster named mycluster to make it private.

$ rosa edit cluster --cluster=mycluster --private

Edit all cluster options interactively on a cluster named mycluster.

$ rosa edit cluster --cluster=mycluster --interactive

7.2.5.2. edit ingress

Edits the default application router for a cluster.

Note

For information about editing non-default application routers, see Additional resources.

Syntax

$ rosa edit ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.36. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster to which the ingress will be added.

--cluster-routes-hostname

Components route hostname for OAuth, console, and download.

--cluster-routes-tls-secret-ref

Components route TLS secret reference for OAuth, console, and download.

--excluded-namespaces

Excluded namespaces for ingress. Format is a comma-separated list, value1, value2…. If no values are specified, all namespaces will be exposed.

--label-match

The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.

--lb-type

Type of Load Balancer. Options are classic, nlb.

--namespace-ownership-policy

Namespace Ownership Policy for ingress. Options are Strict and InterNamespaceAllowed. Default is Strict.

--private

Restricts the application route to direct, private connectivity.

--route-selector

Route Selector for ingress. Format is a comma-separated list of key=value. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels, otherwise they are treated as exclusion labels.

--wildcard-policy

Wildcard Policy for ingress. Options are WildcardsDisallowed and WildcardsAllowed. Default is WildcardsDisallowed.

Table 7.37. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Make an additional ingress with the ID a1b2 as a private connection on a cluster named mycluster.

$ rosa edit ingress --private --cluster=mycluster a1b2

Update the router selectors for the additional ingress with the ID a1b2 on a cluster named mycluster.

$ rosa edit ingress --label-match=foo=bar --cluster=mycluster a1b2

Update the default ingress using the sub-domain identifier apps on a cluster named mycluster.

$ rosa edit ingress --private=false --cluster=mycluster apps

Update the load balancer type of the apps2 ingress.

$ rosa edit ingress --lb-type=nlb --cluster=mycluster apps2

7.2.5.3. edit kubeletconfig

Edit a custom KubeletConfig object in a

Syntax

$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

Table 7.38. Flags

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster for which the KubeletConfig object will be edited.

-i, --interactive

Enable interactive mode.

--pod-pids-limit <number>

Required. The maximum number of PIDs for each node in the

--name

Specifies a name for the KubeletConfig object.

-h, --help

Shows help for this command.

For more information about setting the PID limit for the cluster, see Configuring PID limits.

7.2.5.4. edit machinepool

Allows edits to the machine pool in a cluster.

Syntax

$ rosa edit machinepool --cluster=<cluster_name_or_id> <machinepool_name> [arguments]

Table 7.39. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster on which the additional machine pool will be edited.

--enable-autoscaling

Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the --min-replicas and --max-replicas arguments. To disable autoscaling, use --enable-autoscaling=false with the --replicas argument.

--labels

The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis.

--max-replicas

Specifies the maximum number of compute nodes when enabling autoscaling.

--min-replicas

Specifies the minimum number of compute nodes when enabling autoscaling.

--replicas

Required when autoscaling is not configured. The number (integer) of machines for this machine pool.

--taints

Taints for the machine pool. This string value should be formatted as a comma-separated list of key=value:ScheduleType. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to Node taints on an ongoing basis.

Table 7.40. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Set 4 replicas on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster --replicas=4 mp1

Enable autoscaling on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 mp1

Disable autoscaling on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster --enable-autoscaling=false --replicas=3 mp1

Modify the autoscaling range on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --max-replicas=9 --cluster=mycluster mp1

7.2.7. Delete objects

This section describes the delete commands for clusters and resources.

7.2.7.1. delete account-roles

Cleans up account roles from the current AWS account.

Syntax

$ rosa delete account-roles

Table 7.41. Arguments

Option

Definition

--classic

Deletes classic account roles.

--delete-hcp-shared-vpc-policies

Deletes the Hosted Control Plane shared VPC policies.

--hosted-cp

Deletes Hosted Control Plane roles.

-m, --mode string

How to perform the operation. Valid options are:

  • auto: Resource changes will be applied automatically using the current AWS account.
  • manual: Commands necessary to modify AWS resources will be output to be run manually.

--prefix

Prefix of the account roles to be deleted.

Table 7.42. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes all AWS account roles with the prefix of mycluster.

$ rosa delete account-roles -p mycluster

7.2.7.2. delete admin

Deletes a cluster administrator from a specified cluster.

Syntax

$ rosa delete admin --cluster=<cluster_name> | <cluster_id>

Table 7.43. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that contains the identity provider (IDP) you want to delete.

Table 7.44. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes a cluster administrator from a cluster named mycluster.

$ rosa delete admin --cluster=mycluster

7.2.7.3. delete autoscaler

Deletes autoscaler configuration for a given cluster.

Note

This action is only supported on Red Hat OpenShift Service on AWS classic architecture clusters with a self-hosted control plane. Clusters with hosted control planes do not support autoscaler.

Syntax

$ rosa delete autoscaler --cluster=<cluster_name>

Table 7.45. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that has an autoscaler you want to delete.

Table 7.46. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes the autoscaler on a cluster named mycluster.

$ rosa delete autoscaler --cluster=mycluster

7.2.7.4. delete cluster

Deletes a cluster.

Syntax

$ rosa delete cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.47. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster to delete.

--watch

Watches the cluster uninstallation logs.

--best-effort

Skips steps in the cluster destruction chain that are known to cause the cluster deletion process to fail. You should use this option with care and it is recommended that you manually check your AWS account for any resources that might be left over after using --best-effort.

Table 7.48. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Deletes a cluster named mycluster.

$ rosa delete cluster --cluster=mycluster
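
Several flags documented in this reference weaken a cluster's posture when set: --insecure for LDAP identity providers, secrets passed as --client-secret or --bind-password values, non-default --wildcard-policy and --namespace-ownership-policy values for ingress, --enable-delete-protection=false, and --best-effort on cluster deletion. The following script is an added example and is not part of the rosa CLI or the Red Hat documentation; the function names, rule identifiers, and sample command lines are constructed, and it reviews the words of a rosa command line (for example, in a CI job or a change review) before the command is run.

```shell
#!/bin/sh
# Added example: flag rosa arguments that this reference documents as
# disabling a protection or departing from a documented default.

# report RULE MESSAGE: print one finding and count it.
report() {
    echo "$1: $2"
    findings=$(( findings + 1 ))
}

# lint_rosa_args ARG...: pass the command line without the leading "rosa".
# Prints one "<RULE>: <message>" line per finding; returns 1 if any were found.
lint_rosa_args() {
    findings=0
    pending=""
    for arg in "$@"; do
        if [ -n "$pending" ]; then
            # The previous word was a value-taking flag written as "--flag value".
            flag=$pending; value=$arg; pending=""
        else
            case $arg in
                --*=*) flag=${arg%%=*}; value=${arg#*=} ;;
                --client-secret|--bind-password|--wildcard-policy|--namespace-ownership-policy)
                    pending=$arg; continue ;;
                *) flag=$arg; value="" ;;
            esac
        fi
        case "$flag=$value" in
            --insecure=|--insecure=true)
                report LDAP-NO-TLS "--insecure turns off TLS to the LDAP server; use TLS with --ca <path_to_file>" ;;
            --client-secret=?*|--bind-password=?*)
                # Name the flag only; never echo the secret itself.
                report SECRET-IN-ARGV "$flag value is exposed in shell history and process listings; prefer the --interactive prompts" ;;
            --wildcard-policy=WildcardsAllowed)
                report WILDCARD-ROUTES "wildcard routes enabled; the documented default is WildcardsDisallowed" ;;
            --namespace-ownership-policy=InterNamespaceAllowed)
                report CROSS-NS-ROUTES "cross-namespace route ownership enabled; the documented default is Strict" ;;
            --enable-delete-protection=false)
                report DELETE-PROTECTION-OFF "delete protection is being disabled for this cluster" ;;
            --best-effort=|--best-effort=true)
                report BEST-EFFORT-DELETE "--best-effort skips deletion steps; check the AWS account for leftover resources" ;;
        esac
    done
    [ "$findings" -eq 0 ]
}

# Constructed sample command lines (placeholder hostnames and secrets).
lint_rosa_args create idp --cluster=mycluster --type=ldap \
    --url='ldap://ldap.example.com/ou=users,dc=example,dc=com?uid' \
    --insecure --bind-password 'placeholder-secret' || true
lint_rosa_args edit ingress --cluster=mycluster --wildcard-policy=WildcardsAllowed apps || true
```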

7.2.7.5. delete external-auth-provider

Deletes an external authentication provider from a cluster.

Syntax

$ rosa delete external-auth-provider <name_of_external_auth_provider> --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.49. Arguments

Option

Definition

--cluster

Required. The name or ID string of the cluster the external auth provider will be deleted from.

Table 7.50. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes an identity provider named exauth-1 from a cluster named mycluster.

$ rosa delete external-auth-provider exauth-1 --cluster=mycluster

7.2.7.6. delete idp

Deletes a specific identity provider (IDP) from a cluster.

Syntax

$ rosa delete idp --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.51. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster from which the IDP will be deleted.

Table 7.52. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes an identity provider named github from a cluster named mycluster.

$ rosa delete idp github --cluster=mycluster

7.2.7.7. delete ingress

Deletes a non-default application router (ingress) from a cluster.

Syntax

$ rosa delete ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.53. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster from which the ingress will be deleted.

Table 7.54. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Deletes an ingress with the ID a1b2 from a cluster named mycluster.

$ rosa delete ingress --cluster=mycluster a1b2

Deletes a secondary ingress with the subdomain name apps2 from a cluster named mycluster.

$ rosa delete ingress --cluster=mycluster apps2

7.2.7.8. delete kubeletconfig

Deletes a custom KubeletConfig object from a cluster.

Syntax

$ rosa delete kubeletconfig --cluster=<cluster_name|cluster_id> [flags]

Table 7.55. Flags

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster for which you want to delete the KubeletConfig object.

--name

Specifies a name for the KubeletConfig object.

Table 7.56. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.7.9. delete machinepool

Deletes a machine pool from a cluster.

Syntax

$ rosa delete machinepool --cluster=<cluster_name> | <cluster_id> <machine_pool_id>

Table 7.57. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the machine pool will be deleted from.

--machinepool string

Machine pool of the cluster to target.

Table 7.58. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes the machine pool with the ID mp-1 from a cluster named mycluster.

$ rosa delete machinepool --cluster=mycluster mp-1

7.2.7.10. delete ocm-role

Deletes an OCM role from the current AWS organization.

Syntax

$ rosa delete ocm-role --role-arn <role_arn>

Table 7.59. Arguments

Option

Definition

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be applied automatically using the current AWS account.
manual
The necessary commands to modify AWS resources will be output to be run manually.

--role-arn string

Required: The ARN of the role to delete from the AWS account.

Table 7.60. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Deletes the OCM role with the ARN arn:aws:iam::123456789012:role/xxx-OCM-Role-1223456778.

$ rosa delete ocm-role --role-arn arn:aws:iam::123456789012:role/xxx-OCM-Role-1223456778

7.2.7.11. delete oidc-config

Deletes the OIDC config based on the registered OIDC Config ID.

Syntax

$ rosa delete oidc-config --oidc-config-id <oidc_config_id>

Table 7.61. Arguments

Option

Definition

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be applied automatically using the current AWS account.
manual
The necessary commands to modify AWS resources will be output to be run manually.

--oidc-config-id string

Required: Registered ID for identification of OIDC config.

Table 7.62. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes an OIDC config with an ID of A1B2C3D4.

$ rosa delete oidc-config --oidc-config-id A1B2C3D4

7.2.7.12. delete oidc-provider

Deletes the OIDC provider of a deleted STS cluster.

Syntax

$ rosa delete oidc-provider --cluster=<cluster_name> | --oidc-config-id <oidc_config_id>

Table 7.63. Arguments

Option

Definition

-c, --cluster string

Name or ID of the cluster.

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be applied automatically using the current AWS account.
manual
The necessary commands to modify AWS resources will be output to be run manually.

--oidc-config-id string

Required: Registered OIDC configuration ID to retrieve its issuer URL. Do not use with the --cluster flag.

Table 7.64. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

  • Deletes the OIDC provider using the OIDC config ID of A1B2C3D4.

    $ rosa delete oidc-provider --oidc-config-id A1B2C3D4
  • Deletes the OIDC provider using the cluster name of mycluster.

    $ rosa delete oidc-provider --cluster=mycluster

7.2.7.13. delete operator-roles

Deletes the Operator roles of a deleted STS cluster.

Syntax

$ rosa delete operator-roles --cluster=<cluster_name> [arguments]

Table 7.65. Arguments

Option

Definition

-c, --cluster string

Name or ID of the cluster.

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be applied automatically using the current AWS account.
manual
The necessary commands to modify AWS resources will be output to be run manually.

--prefix string

Operator role prefix. You must use this flag if you use a reusable OIDC config.

Table 7.66. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes the operator-roles on the cluster named mycluster.

$ rosa delete operator-roles --cluster=mycluster

7.2.7.14. delete tuning-configs

Deletes a specified tuning configuration that is on a specified cluster.

Syntax

$ rosa delete tuning-config --cluster=<cluster_name> <tuning_config_name>

Table 7.67. Arguments

Option

Definition

-c, --cluster string

Name or ID of the cluster.

Table 7.68. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes the tuning config named tuned1 from a cluster named mycluster.

$ rosa delete tuning-config --cluster=mycluster tuned1

7.2.7.15. delete upgrade

Cancels a scheduled cluster upgrade.

Syntax

$ rosa delete upgrade

Table 7.69. Arguments

Option

Definition

-c, --cluster string

Name or ID of the cluster.

--machinepool string

Machine pool of the cluster to target.

Table 7.70. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.7.16. delete user-role

Deletes a user role from the current AWS account.

Syntax

$ rosa delete user-role

Table 7.71. Arguments

Option

Definition

-m, --mode string

How to perform the operation. Valid options are:

auto
Resource changes will be applied automatically using the current AWS account.
manual
The necessary commands to modify AWS resources will be output to be run manually.

--role-arn string

Required: The ARN of the user-role that you want to delete from the AWS account.

Table 7.72. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Deletes the user role that has a prefix of rh-user and a user-role name of Auditor.

$ rosa delete user-role --role-arn rh-user-User-Auditor-Role

7.2.8. Install and uninstall add-ons

This section describes how to install Red Hat managed service add-ons on a cluster and how to uninstall them.

7.2.8.1. install addon

Installs a managed service add-on on a cluster.

Syntax

$ rosa install addon --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.73. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster where the add-on will be installed.

Table 7.74. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Uses a specific AWS profile (string) from your credentials file.

--yes

Automatically answers yes to confirm the operation.

Example

Add the dbaas-operator add-on installation to a cluster named mycluster.

$ rosa install addon --cluster=mycluster dbaas-operator

7.2.8.2. uninstall addon

Uninstalls a managed service add-on from a cluster.

Syntax

$ rosa uninstall addon --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.75. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the add-on will be uninstalled from.

Table 7.76. Optional arguments inherited from parent commands

Option

Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Uses a specific AWS profile (string) from your credentials file.

--yes

Automatically answers yes to confirm the operation.

Example

Remove the dbaas-operator add-on installation from a cluster named mycluster.

$ rosa uninstall addon --cluster=mycluster dbaas-operator

7.2.9. List and describe objects

This section describes the list and describe commands for clusters and resources.

7.2.9.1. describe access-request

Shows detailed information about access requests.

Syntax

$ rosa describe access-request --id <access_request_id>

Table 7.77. Arguments

Option

Definition

--id string

Required. The ID of your access request.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.78. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Shows the details of the access request with an ID of A1B2C3D4 and outputs the results in YAML format.

$ rosa describe access-request --id A1B2C3D4 --output yaml

7.2.9.2. list access-request

Lists all access requests in either Pending or Approved status. If you use the '--cluster' flag, the CLI lists all access requests in any status for the specified cluster.

Syntax

$ rosa list access-request [arguments]

Table 7.79. Arguments

Option

Definition

-c, --cluster string

Required: The name or ID (string) of the cluster that the access requests will be listed for.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.80. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all Access Requests for cluster foo.

$ rosa list access-request --cluster foo

7.2.9.3. list account-roles

Lists all account roles and policies for the current AWS account.

Syntax

$ rosa list account-roles [arguments]

Table 7.81. Arguments

Option

Definition

-c, --cluster string

Required: The name or ID (string) of the cluster that the machine pools will be listed for.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.82. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all AWS account roles associated with your account.

$ rosa list account-roles

7.2.9.4. describe addon-installation

Shows detailed information about an add-on installation.

Table 7.83. Arguments

Option

Definition

-c, --cluster string

Required: The name or ID (string) of the cluster that the add-on installation belongs to.

--addon string

Required: Name or ID of the add-on installation.

Table 7.84. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Describes the bar add-on installation on cluster foo.

$ rosa describe addon-installation --cluster foo --addon bar

7.2.9.5. describe admin

Shows the details of a specified cluster-admin user and a command to log in to the cluster.

Syntax

$ rosa describe admin --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.85. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster to which the cluster-admin belongs.

Table 7.86. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Describes the cluster-admin user for a cluster named mycluster.

$ rosa describe admin --cluster=mycluster

7.2.9.6. describe addon

Shows the details of a managed service add-on.

Syntax

$ rosa describe addon <addon_id> | <addon_name> [arguments]

Table 7.87. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Describes an add-on named dbaas-operator.

$ rosa describe addon dbaas-operator

7.2.9.7. list addon

Lists the managed service add-on installations.

Syntax

$ rosa list addons [arguments]

Table 7.88. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster to list the add-ons for.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.89. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all add-on installations on a cluster named mycluster.

$ rosa list addons --cluster=mycluster

7.2.9.8. describe autoscaler

Shows detailed information about the configuration for a specified cluster’s autoscaler.

Note

Cluster autoscalers are only supported on Red Hat OpenShift Service on AWS classic architecture clusters that use self-hosted control planes.

Syntax

$ rosa describe autoscaler [flag]

Table 7.90. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.91. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Describes the autoscaler for cluster foo.

$ rosa describe autoscaler --cluster foo

7.2.9.9. describe break-glass-credential

Shows the details for a break glass credential for a specific cluster.

Syntax

$ rosa describe break-glass-credential --id=<break_glass_credential_id> --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.92. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--id

Required: The ID (string) of the break glass credential.

--kubeconfig

Optional: Retrieves the kubeconfig from the break glass credential.

Table 7.93. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.10. list break-glass-credential

Lists all of the break glass credentials for a cluster.

Syntax

$ rosa list break-glass-credential [arguments]

Table 7.94. Arguments

Option

Definition

--cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster to which the break glass credentials have been added.

Table 7.95. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the break glass credentials for a cluster named mycluster.

$ rosa list break-glass-credential --cluster=mycluster

7.2.9.11. describe cluster

Shows the details for a cluster.

Syntax

$ rosa describe cluster [arguments]

Table 7.96. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--external-id <arn_string>

An optional, unique identifier that might be required when you assume a role in another account.

--get-role-policy-bindings

Lists the policies that are attached to the STS roles assigned to the cluster.

Table 7.97. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Describes a cluster named mycluster.

$ rosa describe cluster --cluster=mycluster

7.2.9.12. list clusters

Lists all of your clusters.

Syntax

$ rosa list clusters [flag]

Table 7.98. Arguments

Option

Definition

-a, --all

Lists all clusters across different AWS accounts under the same Red Hat organization.

-o, --output string

Specify your output format. You may use either json or yaml.

--get-role-policy-bindings

Lists the policies that are attached to the STS roles assigned to the cluster.

Table 7.99. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.13. list dns-domain

Lists all DNS domains.

Syntax

$ rosa list dns-domain [arguments]

Table 7.100. Arguments

Option

Definition

-a, --all

Lists all DNS domains. By default, only user-defined domains are listed.

--hosted-cp

Filters the list to only DNS domains used for hosted control plane clusters.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.101. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all DNS domains tied to your organization ID.

$ rosa list dns-domain

7.2.9.14. describe external-auth-provider

Shows detailed information about an external authentication provider on a cluster.

Syntax

$ rosa describe external-auth-provider [arguments]

Table 7.102. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--name string

The name for the external authentication provider of the cluster to target.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.103. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Shows details of an external authentication provider named exauth on a cluster named mycluster.

$ rosa describe external-auth-provider exauth --cluster=mycluster

7.2.9.15. list external-auth-provider

Lists any external authentication providers for a cluster.

Syntax

$ rosa list external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.104. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the external authentication providers will be listed for.

Table 7.105. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists any external authentication providers for a cluster named mycluster.

$ rosa list external-auth-provider --cluster=mycluster

7.2.9.16. list gates

Lists all available OCP Gates for a specific OCP release or by cluster upgrade version.

Syntax

$ rosa list gates [arguments]

Table 7.106. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--gate string

Gate type. Options are sts and ocp.

-o, --output string

Specify your output format. You may use either json or yaml.

--version string

Specified OpenShift version.

Table 7.107. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

  • Lists all OCP gates for an OCP version.

    $ rosa list gates --version 4.19
  • Lists all STS gates for an OCP version.

    $ rosa list gates --gate sts --version 4.19
  • Lists all OCP gates for an OCP version.

    $ rosa list gates --gate ocp --version 4.19
  • Lists available gates for a cluster upgrade version.

    $ rosa list gates -c mycluster --version 4.19.7

7.2.9.17. list idps

Lists all of the identity providers (IDPs) for a cluster.

Syntax

$ rosa list idps [arguments]

Table 7.108. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the IDPs will be listed for.

Table 7.109. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all identity providers (IDPs) for a cluster named mycluster.

$ rosa list idps --cluster=mycluster

7.2.9.18. describe ingress

Shows detailed information about the specified ingress within a cluster.

Syntax

$ rosa describe ingress [ingress]

Table 7.110. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--ingress string

Specify the ingress of the cluster to target.

-o, --output string

Specify your output format. You may use either json or yaml.

Table 7.111. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Shows the details of an ingress named a1b2c3d4 on a cluster named mycluster.

$ rosa describe ingress a1b2c3d4 -c mycluster

7.2.9.19. list ingresses

Lists all of the API and ingress endpoints for a cluster.

Syntax

$ rosa list ingresses [arguments]

Table 7.112. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the ingresses will be listed for.

Table 7.113. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all API and ingress endpoints for a cluster named mycluster.

$ rosa list ingresses --cluster=mycluster

7.2.9.20. list instance-types

Lists all of the available instance types for use with Red Hat OpenShift Service on AWS classic architecture. Availability is based on the account’s AWS quota.

Syntax

$ rosa list instance-types [arguments]

Table 7.114. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all instance types.

$ rosa list instance-types

7.2.9.21. describe kubeletconfig

Shows the details of a custom KubeletConfig object.

Syntax

$ rosa describe kubeletconfig --cluster=<cluster_name|cluster_id> [arguments]

Table 7.115. Flags

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster for which you want to view the KubeletConfig object.

-h, --help

Shows help for this command.

--name

Optional. Specifies the name of the KubeletConfig object to describe.

-o, --output string

The output format. You can specify either json or yaml.

7.2.9.22. list kubeletconfigs

Lists the KubeletConfig objects configured on a cluster.

Syntax

$ rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.116. Arguments

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster that the KubeletConfig objects will be listed for.

Table 7.117. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the KubeletConfig objects on a cluster named mycluster.

$ rosa list kubeletconfigs --cluster=mycluster

7.2.9.23. describe machinepool

Describes a specific machine pool configured on a cluster.

Syntax

$ rosa describe machinepool --cluster=[<cluster_name>|<cluster_id>] --machinepool=<machinepool_name> [arguments]

Table 7.118. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster.

--machinepool

Required: The name or ID (string) of the machine pool.

Table 7.119. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Describes a machine pool named mymachinepool on a cluster named mycluster.

$ rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool

7.2.9.24. list machinepools

Lists the machine pools configured on a cluster.

Syntax

$ rosa list machinepools --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.120. Arguments

Option

Definition

--cluster

Required: The name or ID (string) of the cluster that the machine pools will be listed for.

Table 7.121. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the machine pools on a cluster named mycluster.

$ rosa list machinepools --cluster=mycluster

7.2.9.25. list ocm-roles

Lists all OCM roles for the current AWS account.

Syntax

$ rosa list ocm-roles [arguments]

Table 7.122. Arguments

Option

Definition

-o, --output string

The output format. You can specify either json or yaml.

Table 7.123. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.26. list oidc-config

Lists the OIDC Configuration resources associated with your AWS account.

Syntax

$ rosa list oidc-config

Table 7.124. Arguments

Option

Definition

-o, --output string

The output format. You can specify either json or yaml.

Table 7.125. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.27. list oidc-providers

Lists all of the OIDC providers for the current AWS account.

Syntax

$ rosa list oidc-providers [arguments]

Table 7.126. Arguments

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster that the OIDC providers will be listed for.

--oidc-config-id string

This argument filters OIDC providers by OIDC config ID. It returns one provider linked to the config ID.

-o, --output string

The output format. You can specify either json or yaml.

Table 7.127. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.28. list operator-roles

Lists all Operator roles and policies for the current AWS account.

Syntax

$ rosa list operator-roles [arguments]

Table 7.128. Arguments

Option

Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster.

-o, --output string

The output format. You can specify either json or yaml.

--prefix string

List only Operator roles that are associated with the given prefix. The prefix must match up to `openshift|kube-system`.

--version string

Table 7.129. Optional arguments inherited from parent commands

Option

Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.29. list regions

Lists all of the available regions for the current AWS account.

Syntax

$ rosa list regions [arguments]

Table 7.130. Arguments

Option

Definition

--multi-az

Lists regions that provide support for multiple availability zones.

Table 7.131. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the available regions.

$ rosa list regions

7.2.9.30. describe tuning-configs

Shows detailed information about a tuning config for a cluster.

Syntax

$ rosa describe tuning-config --cluster <cluster-name-or-id> <tuning-name>

Table 7.132. Arguments
Option | Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster.

-o, --output string

The output format. You can specify either json or yaml.

Table 7.133. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Describes the tuned1 tuned config on cluster foo.

$ rosa describe tuning-config --cluster foo tuned1

7.2.9.31. list tuning-configs

Lists tuning configuration resources for a cluster.

Syntax

$ rosa list tuning-configs --cluster <cluster-name-or-id>

Table 7.134. Arguments
Option | Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster.

-o, --output string

The output format. You can specify either json or yaml.

Table 7.135. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all tuning configurations for a cluster named mycluster.

$ rosa list tuning-configs -c mycluster

7.2.9.32. describe upgrade

Shows detailed information about an upgrade.

Syntax

$ rosa describe upgrade [arguments]

Table 7.136. Arguments
Option | Definition

-c, --cluster <cluster_name>|<cluster_id>

Required. The name or ID of the cluster.

--machinepool string

The name of the machine pool of the cluster to target.

Table 7.137. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.33. list upgrades

Lists all available and scheduled cluster version upgrades.

Syntax

$ rosa list upgrades --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.138. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster that the available upgrades will be listed for.

--machinepool string

The name of the machine pool of the cluster to target.

-o, --output string

The output format. You can specify either json or yaml.

Table 7.139. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the available upgrades for a cluster named mycluster.

$ rosa list upgrades --cluster=mycluster

7.2.9.34. list user-roles

Lists all user roles for the current AWS account.

Syntax

$ rosa list user-roles

Table 7.140. Arguments
Option | Definition

-o, --output string

The output format. You can specify either json or yaml.

Table 7.141. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

7.2.9.35. list users

Lists the cluster administrator and dedicated administrator users for a specified cluster.

Syntax

$ rosa list users --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.142. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster that the cluster administrators will be listed for.

Table 7.143. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the cluster administrators and dedicated administrators for a cluster named mycluster.

$ rosa list users --cluster=mycluster

7.2.9.36. list versions

Lists all of the OpenShift versions that are available for creating a cluster.

Syntax

$ rosa list versions [arguments]

Table 7.144. Optional arguments inherited from parent commands
Option | Definition

--help, -h

Shows help for this command.

--debug

Enables debug mode.

--interactive

Enables interactive mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Lists all of the Red Hat OpenShift Service on AWS classic architecture versions.

$ rosa list versions

7.2.10. Upgrade and delete upgrade for objects

This section describes the upgrade command usage for objects.

7.2.10.1. upgrade cluster

Schedule a cluster upgrade.

Syntax

$ rosa upgrade cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.145. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster that the upgrade will be scheduled for.

--interactive

Enables interactive mode.

--version

The version (string) of OpenShift Container Platform that the cluster will be upgraded to.

--schedule-date

The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format: yyyy-mm-dd

--schedule-time

The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format: HH:mm

--node-drain-grace-period

Sets a grace period (string) for how long the pod disruption budget-protected workloads are respected during upgrades. After this grace period, any workloads protected by pod disruption budgets that have not been successfully drained from a node will be forcibly evicted. Default: 1 hour

Table 7.146. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

Examples

Interactively schedule an upgrade on a cluster named mycluster.

$ rosa upgrade cluster --cluster=mycluster --interactive

Schedule a cluster upgrade within the hour on a cluster named mycluster.

$ rosa upgrade cluster --cluster=mycluster --version 4.5.20

7.2.10.2. delete cluster upgrade

Cancel a scheduled cluster upgrade.

Syntax

$ rosa delete upgrade --cluster=<cluster_name> | <cluster_id>

Table 7.147. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster that the upgrade will be cancelled for.

Table 7.148. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--yes

Automatically answers yes to confirm the operation.

7.2.10.3. upgrade roles

Upgrades roles configured on a cluster.

Syntax

$ rosa upgrade roles --cluster=<cluster_id>

Table 7.149. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster.

Table 7.150. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Upgrade roles on a cluster named mycluster.

$ rosa upgrade roles --cluster=mycluster

Use the following commands to check your account and version information.

7.3.1. whoami

Display information about your AWS and Red Hat accounts by using the following command syntax:

Syntax

$ rosa whoami [arguments]

Table 7.151. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

$ rosa whoami

7.3.2. version

Display the version of your rosa CLI by using the following command syntax:

Syntax

$ rosa version [arguments]

Table 7.152. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

$ rosa version

7.4. Checking logs with the ROSA CLI

Use the following commands to check your install and uninstall logs.

7.4.1. logs install

Show the cluster install logs by using the following command syntax:

Syntax

$ rosa logs install --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.153. Arguments
Option | Definition

--cluster

Required: The name or ID (string) of the cluster to get logs for.

--tail

The number (integer) of lines to get from the end of the log. Default: 2000

--watch

Watches for changes after getting the logs.

Table 7.154. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Examples

Show the last 100 install log lines for a cluster named mycluster:

$ rosa logs install --cluster=mycluster --tail=100

Show the install logs for a cluster named mycluster:

$ rosa logs install --cluster=mycluster

7.4.2. logs uninstall

Show the cluster uninstall logs by using the following command syntax:

Syntax

$ rosa logs uninstall --cluster=<cluster_name> | <cluster_id> [arguments]

Table 7.155. Arguments
Option | Definition

--cluster

The name or ID (string) of the cluster to get logs for.

--tail

The number (integer) of lines to get from the end of the log. Default: 2000

--watch

Watches for changes after getting the logs.

Table 7.156. Optional arguments inherited from parent commands
Option | Definition

--help

Shows help for this command.

--debug

Enables debug mode.

--profile

Specifies an AWS profile (string) from your credentials file.

Example

Show the last 100 uninstall log lines for a cluster named mycluster:

$ rosa logs uninstall --cluster=mycluster --tail=100

You can create roles with permissions that adhere to the principle of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the ROSA command-line interface (CLI) (rosa).

Important

Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.

For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building Red Hat OpenShift Service on AWS classic architecture clusters.

Run the following command with the specified permissions to create your managed OIDC provider by using auto mode.

Input

$ rosa create oidc-config --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:TagOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto mode.

Input

$ rosa create oidc-config --mode auto --managed=false

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:TagOpenIDConnectProvider",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:CreateOpenIDConnectProvider",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutBucketPolicy",
                "s3:PutObjectTagging",
                "s3:PutBucketPublicAccessBlock",
                "secretsmanager:CreateSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.3. List your account roles

Run the following command with the specified permissions to list your account roles.

Input

$ rosa list account-roles

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.4. List your Operator roles

Run the following command with the specified permissions to list your Operator roles.

Input

$ rosa list operator-roles

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.5. List your OIDC providers

Run the following command with the specified permissions to list your OIDC providers.

Input

$ rosa list oidc-providers

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOidcProviders",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.6. Verify your quota

Run the following command with the specified permissions to verify your quota.

Input

$ rosa verify quota

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VerifyQuota",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeAccountLimits",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.7. Delete your managed OIDC configuration

Run the following command with the specified permissions to delete your managed OIDC configuration by using auto mode.

Input

$ rosa delete oidc-config --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.8. Delete your unmanaged OIDC configuration

Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto mode.

Input

$ rosa delete oidc-config --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider",
                "secretsmanager:DeleteSecret",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteBucket"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.9. Create a cluster

Run the following command with the specified permissions to create a Red Hat OpenShift Service on AWS classic architecture cluster with least privilege permissions.

Input

$ rosa create cluster

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.10. Create account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles in auto mode.

Input

$ rosa create account-roles --mode auto --classic

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.11. Delete your account roles

Run the following command with the specified permissions to delete the account roles in auto mode.

Input

$ rosa delete account-roles --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}

7.5.1.12. Delete your Operator roles

Run the following command with the specified permissions to delete the Operator roles in auto mode.

Input

$ rosa delete operator-roles --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}
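The following Python script is an added example, not part of the Red Hat documentation or the rosa CLI. It compares a candidate IAM policy with the baseline action lists from four of the policies above and reports wildcard patterns, actions beyond the baseline, and baseline actions that are not granted. The BASELINES mapping, the audit function, and the sample policy are constructed for illustration.

```python
import fnmatch
import json

# Baseline actions copied from the policies on this page, keyed by rosa command.
BASELINES = {
    "create oidc-config --mode auto": {
        "iam:TagOpenIDConnectProvider", "iam:CreateOpenIDConnectProvider"},
    "list oidc-providers": {
        "iam:ListOpenIDConnectProviders", "iam:ListOpenIDConnectProviderTags"},
    "delete oidc-config --mode auto": {
        "iam:ListOpenIDConnectProviders", "iam:DeleteOpenIDConnectProvider"},
    "create cluster": {"iam:GetRole", "iam:ListRoleTags", "iam:ListRoles"},
}

# Constructed sample: a policy someone attached for "delete oidc-config".
SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Sid": "OidcAdmin", "Effect": "Allow",
     "Action": ["iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnect*", "iam:CreateRole"],
     "Resource": "*"},
    {"Sid": "DenyUsers", "Effect": "Deny",
     "Action": "iam:DeleteUser", "Resource": "*"}
  ]
}
""")


def _as_list(value):
    """IAM accepts a single value or a list for Statement and Action."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _is_glob(pattern):
    """True when an Action entry uses IAM wildcard characters."""
    return "*" in pattern or "?" in pattern


def allowed_patterns(policy):
    """Return (Action patterns from Allow statements, NotAction findings)."""
    patterns, findings = [], []
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue  # Deny statements never widen access
        if "NotAction" in stmt:
            findings.append(f"{stmt.get('Sid', '<no Sid>')}: Allow with NotAction")
        patterns.extend(_as_list(stmt.get("Action")))
    return patterns, findings


def audit(policy, command):
    """Compare a policy with this page's baseline for one rosa command."""
    baseline = BASELINES[command]
    known = {a.lower() for a in baseline}  # action names are case-insensitive
    patterns, findings = allowed_patterns(policy)
    lowered = [p.lower() for p in patterns]
    return {
        "wildcards": sorted(p for p in patterns if _is_glob(p)),
        "extra": sorted(p for p in patterns
                        if not _is_glob(p) and p.lower() not in known),
        "missing": sorted(a for a in baseline
                          if not any(fnmatch.fnmatchcase(a.lower(), p)
                                     for p in lowered)),
        "findings": findings,
    }


if __name__ == "__main__":
    report = audit(SAMPLE_POLICY, "delete oidc-config --mode auto")
    for key, values in report.items():
        print(f"{key}: {values or 'none'}")
```

A wildcard entry can cover a baseline action, so it is reported separately rather than counted as missing; review each one by hand against the actions it expands to.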

The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.

Table 7.157. Commands
Command | Input

list cluster

$ rosa list cluster

list versions

$ rosa list versions

describe cluster

$ rosa describe cluster -c <cluster name>

create admin

$ rosa create admin -c <cluster name>

list users

$ rosa list users -c <cluster-name>

list upgrades

$ rosa list upgrades

list OIDC configuration

$ rosa list oidc-config

list identity providers

$ rosa list idps -c <cluster-name>

list ingresses

$ rosa list ingresses -c <cluster-name>


© 2025 Red Hat