Red Hat SummitChapter 7. ROSA CLI
7.1. Getting started with the ROSA CLI
7.1.1. About the ROSA CLI
Use the ROSA command-line interface (CLI) (rosa) to create, update, manage, and delete Red Hat OpenShift Service on AWS clusters and resources.
7.1.2. Setting up the ROSA CLI
Use the following steps to install and configure the ROSA CLI (rosa) on your installation host.
Procedure
Install and configure the latest AWS CLI (
aws).Follow the AWS Command Line Interface documentation to install and configure the AWS CLI for your operating system.
Specify your
aws_access_key_id,aws_secret_access_key, andregionin the.aws/credentialsfile. See AWS Configuration basics in the AWS documentation.NoteYou can optionally use the
AWS_DEFAULT_REGIONenvironment variable to set the default AWS region.Query the AWS API to verify if the AWS CLI is installed and configured correctly:
aws sts get-caller-identity --output text
$ aws sts get-caller-identity --output textCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
<aws_account_id> arn:aws:iam::<aws_account_id>:user/<username> <aws_user_id>
<aws_account_id> arn:aws:iam::<aws_account_id>:user/<username> <aws_user_id>Copy to Clipboard Copied! Toggle word wrap Toggle overflow
-
Download the latest version of the ROSA CLI (
rosa) for your operating system from the Downloads page on OpenShift Cluster Manager. Extract the
rosabinary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:tar xvf rosa-linux.tar.gz
$ tar xvf rosa-linux.tar.gzCopy to Clipboard Copied! Toggle word wrap Toggle overflow Add
rosato your path. In the following example, the/usr/local/bindirectory is included in the path of the user:sudo mv rosa /usr/local/bin/rosa
$ sudo mv rosa /usr/local/bin/rosaCopy to Clipboard Copied! Toggle word wrap Toggle overflow Verify if the ROSA CLI is installed correctly by querying the
rosaversion:rosa version
$ rosa versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
1.2.15 Your ROSA CLI is up to date.
1.2.15 Your ROSA CLI is up to date.Copy to Clipboard Copied! Toggle word wrap Toggle overflow Optional: Enable tab completion for the ROSA CLI. With tab completion enabled, you can press the
Tabkey twice to automatically complete subcommands and receive command suggestions:To enable persistent tab completion for Bash on a Linux host:
Generate a
rosatab completion configuration file for Bash and save it to your/etc/bash_completion.d/directory:rosa completion bash > /etc/bash_completion.d/rosa
# rosa completion bash > /etc/bash_completion.d/rosaCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Open a new terminal to activate the configuration.
To enable persistent tab completion for Bash on a macOS host:
Generate a
rosatab completion configuration file for Bash and save it to your/usr/local/etc/bash_completion.d/directory:rosa completion bash > /usr/local/etc/bash_completion.d/rosa
$ rosa completion bash > /usr/local/etc/bash_completion.d/rosaCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Open a new terminal to activate the configuration.
To enable persistent tab completion for Zsh:
If tab completion is not enabled for your Zsh environment, enable it by running the following command:
echo "autoload -U compinit; compinit" >> ~/.zshrc
$ echo "autoload -U compinit; compinit" >> ~/.zshrcCopy to Clipboard Copied! Toggle word wrap Toggle overflow Generate a
rosatab completion configuration file for Zsh and save it to the first directory in your functions path:rosa completion zsh > "${fpath[1]}/_rosa"$ rosa completion zsh > "${fpath[1]}/_rosa"Copy to Clipboard Copied! Toggle word wrap Toggle overflow - Open a new terminal to activate the configuration.
To enable persistent tab completion for fish:
Generate a
rosatab completion configuration file for fish and save it to your~/.config/fish/completions/directory:rosa completion fish > ~/.config/fish/completions/rosa.fish
$ rosa completion fish > ~/.config/fish/completions/rosa.fishCopy to Clipboard Copied! Toggle word wrap Toggle overflow - Open a new terminal to activate the configuration.
To enable persistent tab completion for PowerShell:
Generate a
rosatab completion configuration file for PowerShell and save it to a file namedrosa.ps1:PS> rosa completion powershell | Out-String | Invoke-Expression
PS> rosa completion powershell | Out-String | Invoke-ExpressionCopy to Clipboard Copied! Toggle word wrap Toggle overflow -
Source the
rosa.ps1file from your PowerShell profile.
NoteFor more information about configuring
rosatab completion, see the help menu by running therosa completion --helpcommand.
7.1.3. Configuring the ROSA CLI
Use the following commands to configure the ROSA command-line interface (CLI) (rosa).
7.1.3.1. login
There are several methods you can use to log in to your Red Hat account using the ROSA command-line interface (CLI) (rosa). These methods are described in detail below.
7.1.3.1.1. Authenticating the ROSA CLI with Red Hat single sign-on
You can log in to the ROSA CLI (rosa) with Red Hat single sign-on. Red Hat recommends using the rosa command line tool with Red Hat single sign-on, instead of using an offline authentication token.
An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account.
Alternatively, authenticating with the Red Hat single sign-on method automatically sends your rosa instance a refresh token that is valid for 10 hours. This unique, temporary authorization code enhances security and reduces the risk of unauthorized access.
The method of authenticating using Red Hat single sign-on does not break any existing automations that rely on offline tokens. Red Hat recommends using services accounts for automation purposes. If you still need to use offline tokens for automation or other purposes, you can download the OpenShift Cluster Manager API token from the OpenShift Cluster Manager API Token page.
Use one of the following methods of authentication:
- If your system has a web browser, see the "Authenticating the ROSA CLI with a single sign-on authorization code" section to authenticate with Red Hat single sign-on.
- If you are working with containers, remote hosts, or other environments without a web browser, see the "Authenticating the ROSA CLI with a single sign-on device code" section to authenticate with Red Hat single sign-on.
- To authenticate the ROSA CLI using an offline token, see the "Authenticating the ROSA CLI with an offline token" section.
Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.
7.1.3.1.2. Authenticating the ROSA CLI with a single sign-on authorization code
To log in to the ROSA CLI (
rosa) with a Red Hat single sign-on authorization code, run the following command:Syntax
rosa login --use-auth-code
$ rosa login --use-auth-codeCopy to Clipboard Copied! Toggle word wrap Toggle overflow Running this command redirects you to the Red Hat single sign-on login. Log in with your Red Hat login or email.
Expand Table 7.1. Optional arguments inherited from parent commands Option Definition --help
Shows help for this command.
--debug
Enables debug mode.
To switch accounts, logout from https://sso.redhat.com and run the
rosa logoutcommand in your terminal before attempting to login again.
7.1.3.1.3. Authenticating the ROSA CLI with a single sign-on device code
If you are working with containers, remote hosts, and other environments without a web browser, you can use a Red Hat single sign-on device code for secure authentication. To do this, you must use a second device that has a web browser to approve the login.
Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.
To log in to the ROSA CLI (
rosa) with a Red Hat single sign-on device code, run the following command:Syntax
rosa login --use-device-code
$ rosa login --use-device-codeCopy to Clipboard Copied! Toggle word wrap Toggle overflow Running this command will redirect you to the Red Hat SSO login and provide a log in code.
Expand Table 7.2. Optional arguments inherited from parent commands Option Definition --help
Shows help for this command.
--debug
Enables debug mode.
To switch accounts, logout from https://sso.redhat.com and run the
rosa logoutcommand in your terminal before attempting to login again.
7.1.3.1.4. Authenticating the ROSA CLI with an offline token
Log in to your Red Hat account, saving the credentials to the rosa configuration file.
To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from the OpenShift Cluster Manager API Token page. To use service accounts for automation purposes, see the Service Accounts page.
Red Hat recommends using service accounts for automation purposes.
To log in to ROSA CLI (
rosa) with a Red Hat offline token, run the following command:Syntax
rosa login [arguments]
$ rosa login [arguments]Copy to Clipboard Copied! Toggle word wrap Toggle overflow Expand Table 7.3. Arguments Option Definition --client-id
The OpenID client identifier (string). Default:
cloud-services--client-secret
The OpenID client secret (string).
--insecure
Enables insecure communication with the server. This disables verification of TLS certificates and host names.
--scope
The OpenID scope (string). If this option is used, it replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default:
openid--token
Accesses or refreshes the token (string).
--token-url
The OpenID token URL (string). Default:
https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/tokenExpand Table 7.4. Optional arguments inherited from parent commands Option Definition --help
Shows help for this command.
--debug
Enables debug mode.
--profile
Specifies an AWS profile (string) from your credentials file.
7.1.3.2. logout
Log out of rosa. Logging out also removes the rosa configuration file.
Syntax
rosa logout [arguments]
$ rosa logout [arguments]| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
| --profile | Specifies an AWS profile (string) from your credentials file. |
7.1.3.3. verify permissions
Verify that the AWS permissions required to create a Red Hat OpenShift Service on AWS cluster are configured correctly:
Syntax
rosa verify permissions [arguments]
$ rosa verify permissions [arguments]This command verifies permissions only for clusters that do not use the AWS Security Token Service (STS).
| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
| --region |
The AWS region (string) in which to run the command. This value overrides the |
| --profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Verify that the AWS permissions are configured correctly:
rosa verify permissions
$ rosa verify permissionsVerify that the AWS permissions are configured correctly in a specific region:
rosa verify permissions --region=us-west-2
$ rosa verify permissions --region=us-west-27.1.3.4. verify quota
Verifies that AWS quotas are configured correctly for your default region.
Syntax
rosa verify quota [arguments]
$ rosa verify quota [arguments]| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
| --region |
The AWS region (string) in which to run the command. This value overrides the |
| --profile | Specifies an AWS profile (string) from your credentials file. |
Examples
Verify that the AWS quotas are configured correctly for the default region:
rosa verify quota
$ rosa verify quotaVerify that the AWS quotas are configured correctly in a specific region:
rosa verify quota --region=us-west-2
$ rosa verify quota --region=us-west-27.1.3.5. download rosa
Download the latest compatible version of the rosa CLI.
After you download rosa, extract the contents of the archive and add it to your path.
Syntax
rosa download rosa [arguments]
$ rosa download rosa [arguments]| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
7.1.3.6. download oc
Download the latest compatible version of the OpenShift Container Platform CLI (oc).
After you download oc, you must extract the contents of the archive and add it to your path.
Syntax
rosa download oc [arguments]
$ rosa download oc [arguments]| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
Example
Download oc client tools:
rosa download oc
$ rosa download oc7.1.3.7. verify oc
Verifies that the OpenShift Container Platform CLI (oc) is installed correctly.
Syntax
rosa verify oc [arguments]
$ rosa verify oc [arguments]| Option | Definition |
|---|---|
| --help | Shows help for this command. |
| --debug | Enables debug mode. |
Example
Verify oc client tools:
rosa verify oc
$ rosa verify oc7.1.4. Updating the ROSA CLI
Update to the latest compatible version of the ROSA CLI (rosa).
Procedure
Confirm that a new version of the ROSA CLI (
rosa) is available:rosa version
$ rosa versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
1.2.12 There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/
1.2.12 There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/Copy to Clipboard Copied! Toggle word wrap Toggle overflow Download the latest compatible version of the ROSA CLI:
rosa download rosa
$ rosa download rosaCopy to Clipboard Copied! Toggle word wrap Toggle overflow This command downloads an archive called
rosa-*.tar.gzinto the current directory. The exact name of the file depends on your operating system and system architecture.Extract the contents of the archive:
tar -xzf rosa-linux.tar.gz
$ tar -xzf rosa-linux.tar.gzCopy to Clipboard Copied! Toggle word wrap Toggle overflow Install the new version of the ROSA CLI by moving the extracted file into your path. In the following example, the
/usr/local/bindirectory is included in the path of the user:sudo mv rosa /usr/local/bin/rosa
$ sudo mv rosa /usr/local/bin/rosaCopy to Clipboard Copied! Toggle word wrap Toggle overflow
Verification
Verify that the new version of the ROSA CLI is installed.
rosa version
$ rosa versionCopy to Clipboard Copied! Toggle word wrap Toggle overflow Example output
1.2.15 Your ROSA CLI is up to date.
1.2.15 Your ROSA CLI is up to date.Copy to Clipboard Copied! Toggle word wrap Toggle overflow
7.2. ROSA CLI command reference
This reference provides descriptions and example commands for ROSA CLI (rosa) commands.
Run rosa -h to list all commands or run rosa <command> --help to get additional details for a specific command.
7.2.1. ROSA CLI commands
7.2.1.1. rosa create account-roles
Create account-wide IAM roles before creating your cluster.
Example usage
Create default account roles for ROSA clusters using STS
# Create default account roles for ROSA clusters using STS
rosa create account-roles
# Create account roles with a specific permissions boundary
rosa create account-roles --permissions-boundary arn:aws:iam::123456789012:policy/perm-boundary7.2.1.2. rosa create admin
Creates an admin user to login to the cluster
Example usage
Create an admin user to login to the cluster
# Create an admin user to login to the cluster
rosa create admin -c mycluster -p MasterKey1237.2.1.3. rosa create autoscaler
Create an autoscaler for a cluster
Example usage
7.2.1.4. rosa create break-glass-credential
Create a break glass credential for a cluster.
Example usage
Interactively create a break glass credential to a cluster named "mycluster"
# Interactively create a break glass credential to a cluster named "mycluster"
rosa create break-glass-credential --cluster=mycluster --interactive7.2.1.5. rosa create cluster
Create cluster
Example usage
Create a cluster named "mycluster"
# Create a cluster named "mycluster"
rosa create cluster --cluster-name=mycluster
# Create a cluster in the us-east-2 region
rosa create cluster --cluster-name=mycluster --region=us-east-27.2.1.6. rosa create decision
Create a decision for an Access Request
Example usage
Create a decision for an Access Request to approve it
# Create a decision for an Access Request to approve it
rosa create decision --access-request <access_request_id> --decision Approved7.2.1.7. rosa create dns-domain
Create DNS Domain.
Example usage
Create DNS Domain
# Create DNS Domain
rosa create dns-domain7.2.1.8. rosa create external-auth-provider
Create an external authentication provider for a cluster.
Example usage
Interactively create an external authentication provider to a cluster named "mycluster"
# Interactively create an external authentication provider to a cluster named "mycluster"
rosa create external-auth-provider --cluster=mycluster --interactive7.2.1.9. rosa create iamserviceaccount
Create IAM role for Kubernetes service account
Example usage
Create an IAM role for a service account
# Create an IAM role for a service account
rosa create iamserviceaccount --cluster my-cluster --name my-app --namespace default7.2.1.10. rosa create idp
Add IDP for cluster
Example usage
Add a GitHub identity provider to a cluster named "mycluster"
# Add a GitHub identity provider to a cluster named "mycluster"
rosa create idp --type=github --cluster=mycluster
# Add an identity provider following interactive prompts
rosa create idp --cluster=mycluster --interactive7.2.1.11. rosa create image-mirror
Create image mirror for a cluster
Example usage
7.2.1.12. rosa create kubeletconfig
Create a custom kubeletconfig for a cluster
Example usage
Create a custom kubeletconfig with a pod-pids-limit of 5000
# Create a custom kubeletconfig with a pod-pids-limit of 5000
rosa create kubeletconfig --cluster=mycluster --pod-pids-limit=50007.2.1.13. rosa create machinepool
Add machine pool to cluster
Example usage
7.2.1.14. rosa create network
Network AWS cloudformation stack
Example usage
7.2.1.15. rosa create ocm-role
Create role used by OCM
Example usage
Create default ocm role for ROSA clusters using STS
# Create default ocm role for ROSA clusters using STS
rosa create ocm-role
# Create ocm role with a specific permissions boundary
rosa create ocm-role --permissions-boundary arn:aws:iam::123456789012:policy/perm-boundary7.2.1.16. rosa create oidc-config
Create OIDC config compliant with OIDC protocol.
Example usage
Create OIDC config
# Create OIDC config
rosa create oidc-config7.2.1.17. rosa create oidc-provider
Create OIDC provider for an STS cluster.
Example usage
Create OIDC provider for cluster named "mycluster"
# Create OIDC provider for cluster named "mycluster"
rosa create oidc-provider --cluster=mycluster7.2.1.18. rosa create operator-roles
Create operator IAM roles for a cluster.
Example usage
Create default operator roles for cluster named "mycluster"
# Create default operator roles for cluster named "mycluster"
rosa create operator-roles --cluster=mycluster
# Create operator roles with a specific permissions boundary
rosa create operator-roles -c mycluster --permissions-boundary arn:aws:iam::123456789012:policy/perm-boundary7.2.1.19. rosa create tuning-configs
Add tuning config
Example usage
Add a tuning config with name "tuned1" and spec from a file "file1" to a cluster named "mycluster"
# Add a tuning config with name "tuned1" and spec from a file "file1" to a cluster named "mycluster"
rosa create tuning-config --name=tuned1 --spec-path=file1 --cluster=mycluster"7.2.1.20. rosa create user-role
Create user role to verify account association
Example usage
Create user roles
# Create user roles
rosa create user-role
# Create user role with a specific permissions boundary
rosa create user-role --permissions-boundary arn:aws:iam::123456789012:policy/perm-boundary7.2.1.21. rosa delete account-roles
Delete Account Roles
Example usage
Delete Account roles"
# Delete Account roles"
rosa delete account-roles -p prefix7.2.1.22. rosa delete admin
Deletes the admin user
Example usage
Delete the admin user
# Delete the admin user
rosa delete admin --cluster=mycluster7.2.1.23. rosa delete autoscaler
Delete autoscaler for cluster
Example usage
Delete the autoscaler config for cluster named "mycluster"
# Delete the autoscaler config for cluster named "mycluster"
rosa delete autoscaler --cluster=mycluster7.2.1.24. rosa delete cluster
Delete cluster
Example usage
Delete a cluster named "mycluster"
# Delete a cluster named "mycluster"
rosa delete cluster --cluster=mycluster7.2.1.25. rosa delete dns-domain
Delete DNS domain
Example usage
Delete a DNS domain with ID github-1
# Delete a DNS domain with ID github-1
rosa delete dns-domain github-17.2.1.26. rosa delete external-auth-provider
Delete external authentication provider
Example usage
Delete an external authentication provider named exauth-1
# Delete an external authentication provider named exauth-1
rosa delete external-auth-provider exauth-1 --cluster=mycluster7.2.1.27. rosa delete iamserviceaccount
Delete IAM role for Kubernetes service account
Example usage
Delete IAM role for service account
# Delete IAM role for service account
rosa delete iamserviceaccount --cluster my-cluster \
--name my-app \
--namespace default7.2.1.28. rosa delete idp
Delete cluster IDPs
Example usage
Delete an identity provider named github-1
# Delete an identity provider named github-1
rosa delete idp github-1 --cluster=mycluster7.2.1.29. rosa delete image-mirror
Delete image mirror from a cluster
Example usage
7.2.1.30. rosa delete ingress
Delete cluster ingress
Example usage
Delete ingress with ID a1b2 from a cluster named 'mycluster'
# Delete ingress with ID a1b2 from a cluster named 'mycluster'
rosa delete ingress --cluster=mycluster a1b2
# Delete secondary ingress using the sub-domain name
rosa delete ingress --cluster=mycluster apps27.2.1.31. rosa delete kubeletconfig
Delete a kubeletconfig from a cluster
Example usage
Delete the KubeletConfig for ROSA Classic cluster 'foo'
# Delete the KubeletConfig for ROSA Classic cluster 'foo'
rosa delete kubeletconfig --cluster foo
# Delete the KubeletConfig named 'bar' from cluster 'foo'
rosa delete kubeletconfig --cluster foo --name bar7.2.1.32. rosa delete machinepool
Delete machine pool
Example usage
Delete machine pool with ID mp-1 from a cluster named 'mycluster'
# Delete machine pool with ID mp-1 from a cluster named 'mycluster'
rosa delete machinepool --cluster=mycluster mp-17.2.1.33. rosa delete ocm-role
Delete OCM role
Example usage
Delete OCM role
# Delete OCM role
rosa delete ocm-role --role-arn arn:aws:iam::123456789012:role/xxx-OCM-Role-12234567787.2.1.34. rosa delete oidc-config
Delete OIDC Config
Example usage
Delete OIDC config based on registered OIDC Config ID that has been supplied
# Delete OIDC config based on registered OIDC Config ID that has been supplied
rosa delete oidc-config --oidc-config-id <oidc_config_id>7.2.1.35. rosa delete oidc-provider
Delete OIDC Provider
Example usage
Delete OIDC provider for cluster named "mycluster"
# Delete OIDC provider for cluster named "mycluster"
rosa delete oidc-provider --cluster=mycluster7.2.1.36. rosa delete operator-roles
Delete Operator Roles
Example usage
Delete Operator roles for cluster named "mycluster"
# Delete Operator roles for cluster named "mycluster"
rosa delete operator-roles --cluster=mycluster7.2.1.37. rosa delete tuning-configs
Delete tuning config
Example usage
Delete tuning config with name tuned1 from a cluster named 'mycluster'
# Delete tuning config with name tuned1 from a cluster named 'mycluster'
rosa delete tuning-config --cluster=mycluster tuned17.2.1.38. rosa delete user-role
Delete user role
Example usage
Delete user role
# Delete user role
rosa delete user-role --role-arn {prefix}-User-{username}-Role7.2.1.39. rosa describe access-request
Show details of an Access Request
Example usage
Describe an Access Request wit id <access_request_id>
# Describe an Access Request wit id <access_request_id>
rosa describe access-request --id <access_request_id>7.2.1.40. rosa describe addon
Show details of an add-on
Example usage
Describe an add-on named "codeready-workspaces"
# Describe an add-on named "codeready-workspaces"
rosa describe addon codeready-workspaces7.2.1.41. rosa describe addon-installation
Show details of an add-on installation
Example usage
Describe the 'bar' add-on installation on cluster 'foo'
# Describe the 'bar' add-on installation on cluster 'foo'
rosa describe addon-installation --cluster foo --addon bar7.2.1.42. rosa describe admin
Show details of the cluster-admin user
Example usage
Describe cluster-admin user of a cluster named mycluster
# Describe cluster-admin user of a cluster named mycluster
rosa describe admin -c mycluster7.2.1.43. rosa describe autoscaler
Show details of the autoscaler for a cluster
Example usage
Describe the autoscaler for cluster 'foo'
# Describe the autoscaler for cluster 'foo'
rosa describe autoscaler --cluster foo7.2.1.44. rosa describe break-glass-credential
Show details of a break glass credential on a cluster
Example usage
Show details of a break glass credential with ID "12345" on a cluster named "mycluster"
# Show details of a break glass credential with ID "12345" on a cluster named "mycluster"
rosa describe break-glass-credential 12345 --cluster=mycluster7.2.1.45. rosa describe cluster
Show details of a cluster
Example usage
Describe a cluster named "mycluster"
# Describe a cluster named "mycluster"
rosa describe cluster --cluster=mycluster7.2.1.46. rosa describe external-auth-provider
Show details of an external authentication provider on a cluster
Example usage
Show details of an external authentication provider named "exauth" on a cluster named "mycluster"
# Show details of an external authentication provider named "exauth" on a cluster named "mycluster"
rosa describe external-auth-provider exauth --cluster=mycluster7.2.1.47. rosa describe iamserviceaccount
Describe IAM role for Kubernetes service account
Example usage
Describe IAM role for service account
# Describe IAM role for service account
rosa describe iamserviceaccount --cluster my-cluster \
--name my-app \
--namespace default7.2.1.48. rosa describe ingress
Show details of the specified ingress within cluster
Example usage
rosa describe ingress <ingress_id> -c mycluster
rosa describe ingress <ingress_id> -c mycluster7.2.1.49. rosa describe kubeletconfig
Show details of a kubeletconfig for a cluster
Example usage
Describe the custom kubeletconfig for ROSA Classic cluster 'foo'
# Describe the custom kubeletconfig for ROSA Classic cluster 'foo'
rosa describe kubeletconfig --cluster foo
# Describe the custom kubeletconfig named 'bar' for cluster 'foo'
rosa describe kubeletconfig --cluster foo --name bar7.2.1.50. rosa describe machinepool
Show details of a machine pool on a cluster
Example usage
Show details of a machine pool named "mymachinepool" on a cluster named "mycluster"
# Show details of a machine pool named "mymachinepool" on a cluster named "mycluster"
rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool7.2.1.51. rosa describe tuning-configs
Show details of tuning config
Example usage
Describe the 'tuned1' tuned config on cluster 'foo'
# Describe the 'tuned1' tuned config on cluster 'foo'
rosa describe tuning-config --cluster foo tuned17.2.1.52. rosa describe upgrade
Show details of an upgrade
Example usage
Describe an upgrade-policy"
# Describe an upgrade-policy"
rosa describe upgrade7.2.1.53. rosa download openshift-client
Download OpenShift client tools
Example usage
Download oc client tools
# Download oc client tools
rosa download oc7.2.1.54. rosa download rosa-client
Download ROSA client tools
Example usage
Download rosa client tools
# Download rosa client tools
rosa download rosa7.2.1.55. rosa edit addon
Edit add-on installation parameters on cluster
Example usage
Edit the parameters of the Red Hat OpenShift logging operator add-on installation
# Edit the parameters of the Red Hat OpenShift logging operator add-on installation
rosa edit addon --cluster=mycluster cluster-logging-operator7.2.1.56. rosa edit autoscaler
Edit the autoscaler of a cluster
Example usage
7.2.1.57. rosa edit cluster
Edit cluster
Example usage
7.2.1.58. rosa edit image-mirror
Edit image mirror for a cluster
Example usage
7.2.1.59. rosa edit ingress
Edit a cluster ingress (load balancer)
Example usage
7.2.1.60. rosa edit kubeletconfig
Edit a kubeletconfig for a cluster
Example usage
Edit a KubeletConfig to have a pod-pids-limit of 10000
# Edit a KubeletConfig to have a pod-pids-limit of 10000
rosa edit kubeletconfig --cluster=mycluster --pod-pids-limit=10000
# Edit a KubeletConfig named 'bar' to have a pod-pids-limit of 10000
rosa edit kubeletconfig --cluster=mycluster --name=bar --pod-pids-limit=100007.2.1.61. rosa edit machinepool
Edit machine pool
Example usage
7.2.1.62. rosa edit tuning-configs
Edit tuning config
Example usage
Update the tuning config with name 'tuning-1' with the spec defined in file1
# Update the tuning config with name 'tuning-1' with the spec defined in file1
rosa edit tuning-config --cluster=mycluster tuning-1 --spec-path file17.2.1.63. rosa grant user
Grant user access to cluster
Example usage
Add cluster-admin role to a user
# Add cluster-admin role to a user
rosa grant user cluster-admin --user=myusername --cluster=mycluster
# Grant dedicated-admins role to a user
rosa grant user dedicated-admin --user=myusername --cluster=mycluster7.2.1.64. rosa init
Applies templates to support Red Hat OpenShift Service on AWS
Example usage
Configure your AWS account to allow IAM (non-STS) ROSA clusters
# Configure your AWS account to allow IAM (non-STS) ROSA clusters
rosa init
# Configure a new AWS account using pre-existing OCM credentials
rosa init --token=$OFFLINE_ACCESS_TOKEN7.2.1.65. rosa install addon
Install add-ons on cluster
Example usage
Add the CodeReady Workspaces add-on installation to the cluster
# Add the CodeReady Workspaces add-on installation to the cluster
rosa install addon --cluster=mycluster codeready-workspaces7.2.1.66. rosa link ocm-role
Link OCM role to specific OCM organization.
Example usage
Link OCM role
# Link OCM role
rosa link ocm-role --role-arn arn:aws:iam::123456789012:role/ManagedOpenshift-OCM-Role7.2.1.67. rosa link user-role
Link user role to specific OCM account.
Example usage
Link user roles
# Link user roles
rosa link user-role --role-arn arn:aws:iam::{accountid}:role/{prefix}-User-{username}-Role7.2.1.68. rosa list access-request
List Access Requests
Example usage
List all Access Requests for cluster 'foo'
# List all Access Requests for cluster 'foo'
rosa list access-request --cluster foo7.2.1.69. rosa list account-roles
List account roles and policies
Example usage
List all account roles
# List all account roles
rosa list account-roles7.2.1.70. rosa list addons
List add-on installations
Example usage
List all add-on installations on a cluster named "mycluster"
# List all add-on installations on a cluster named "mycluster"
rosa list addons --cluster=mycluster7.2.1.71. rosa list break-glass-credentials
List break glass credential
Example usage
List all break glass credentials for a cluster named 'mycluster'"
# List all break glass credentials for a cluster named 'mycluster'"
rosa list break-glass-credentials -c mycluster7.2.1.72. rosa list clusters
List clusters
Example usage
List all clusters
# List all clusters
rosa list clusters7.2.1.73. rosa list dns-domain
List DNS Domains
Example usage
List all DNS Domains tied to your organization ID"
# List all DNS Domains tied to your organization ID"
rosa list dns-domain7.2.1.74. rosa list external-auth-providers
List external authentication provider
Example usage
List all external authentication providers for a cluster named 'mycluster'"
# List all external authentication providers for a cluster named 'mycluster'"
rosa list external-auth-provider -c mycluster7.2.1.75. rosa list gates
List available OCP Gates
Example usage
7.2.1.76. rosa list iamserviceaccounts
List IAM roles for Kubernetes service accounts
Example usage
List IAM roles for service accounts
# List IAM roles for service accounts
rosa list iamserviceaccounts --cluster my-cluster7.2.1.77. rosa list idps
List cluster IDPs
Example usage
List all identity providers on a cluster named "mycluster"
# List all identity providers on a cluster named "mycluster"
rosa list idps --cluster=mycluster7.2.1.78. rosa list image-mirrors
List cluster image mirrors
Example usage
List all image mirrors on a cluster named "mycluster"
# List all image mirrors on a cluster named "mycluster"
rosa list image-mirrors --cluster=mycluster7.2.1.79. rosa list ingresses
List cluster Ingresses
Example usage
List all routes on a cluster named "mycluster"
# List all routes on a cluster named "mycluster"
rosa list ingresses --cluster=mycluster7.2.1.80. rosa list instance-types
List Instance types
Example usage
List all instance types
# List all instance types
rosa list instance-types7.2.1.81. rosa list kubeletconfigs
List kubeletconfigs
Example usage
List the kubeletconfigs for cluster 'foo'
# List the kubeletconfigs for cluster 'foo'
rosa list kubeletconfig --cluster foo7.2.1.82. rosa list machinepools
List cluster machine pools
Example usage
List all machine pools on a cluster named "mycluster"
# List all machine pools on a cluster named "mycluster"
rosa list machinepools --cluster=mycluster
# List machine pools showing all information
rosa list machinepools --cluster=mycluster --all7.2.1.83. rosa list ocm-roles
List ocm roles
Example usage
List all ocm roles
# List all ocm roles
rosa list ocm-roles7.2.1.84. rosa list oidc-config
List OIDC Configuration resources
Example usage
List all OIDC Configurations tied to your organization ID"
# List all OIDC Configurations tied to your organization ID"
rosa list oidc-config7.2.1.85. rosa list oidc-providers
List OIDC providers
Example usage
List all oidc providers
# List all oidc providers
rosa list oidc-providers7.2.1.86. rosa list operator-roles
List operator roles and policies
Example usage
List all operator roles
# List all operator roles
rosa list operator-roles7.2.1.87. rosa list regions
List available regions
Example usage
List all available regions
# List all available regions
rosa list regions7.2.1.88. rosa list tuning-configs
List tuning configs
Example usage
List all tuning configuration for a cluster named 'mycluster'"
# List all tuning configuration for a cluster named 'mycluster'"
rosa list tuning-configs -c mycluster7.2.1.89. rosa list user-roles
List user roles
Example usage
List all user roles
# List all user roles
rosa list user-roles7.2.1.90. rosa list users
List cluster users
Example usage
List all users on a cluster named "mycluster"
# List all users on a cluster named "mycluster"
rosa list users --cluster=mycluster7.2.1.91. rosa list versions
List available versions
Example usage
List all OpenShift versions
# List all OpenShift versions
rosa list versions7.2.1.92. rosa login
Log in to your Red Hat account
Example usage
Login to the OpenShift API with an existing token generated from https://console.redhat.com/openshift/token/rosa
# Login to the OpenShift API with an existing token generated from https://console.redhat.com/openshift/token/rosa
rosa login --token=$OFFLINE_ACCESS_TOKEN7.2.1.93. rosa logs
Show installation or uninstallation logs for a cluster
Example usage
Show install logs for a cluster named 'mycluster'
# Show install logs for a cluster named 'mycluster'
rosa logs install --cluster=mycluster
# Show uninstall logs for a cluster named 'mycluster'
rosa logs uninstall --cluster=mycluster7.2.1.94. rosa logs install
Show cluster installation logs
Example usage
Show last 100 install log lines for a cluster named "mycluster"
# Show last 100 install log lines for a cluster named "mycluster"
rosa logs install mycluster --tail=100
# Show install logs for a cluster using the --cluster flag
rosa logs install --cluster=mycluster7.2.1.95. rosa logs uninstall
Show cluster uninstallation logs
Example usage
Show last 100 uninstall log lines for a cluster named "mycluster"
# Show last 100 uninstall log lines for a cluster named "mycluster"
rosa logs uninstall mycluster --tail=100
# Show uninstall logs for a cluster using the --cluster flag
rosa logs uninstall --cluster=mycluster7.2.1.96. rosa register oidc-config
Registers unmanaged OIDC config with Openshift Clusters Manager.
Example usage
Register OIDC config
# Register OIDC config
rosa register oidc-config7.2.1.97. rosa revoke break-glass-credentials
Revoke break glass credentials
Example usage
Revoke all break glass credentials
# Revoke all break glass credentials
rosa revoke break-glass-credentials --cluster=mycluster7.2.1.98. rosa revoke user
Revoke role from users
Example usage
Revoke cluster-admin role from a user
# Revoke cluster-admin role from a user
rosa revoke user cluster-admins --user=myusername --cluster=mycluster
# Revoke dedicated-admin role from a user
rosa revoke user dedicated-admins --user=myusername --cluster=mycluster7.2.1.99. rosa uninstall addon
Uninstall add-on from cluster
Example usage
Remove the CodeReady Workspaces add-on installation from the cluster
# Remove the CodeReady Workspaces add-on installation from the cluster
rosa uninstall addon --cluster=mycluster codeready-workspaces7.2.1.100. rosa unlink ocm-role
Unlink ocm role from a specific OCM organization
Example usage
#Unlink ocm role rosa unlink ocm-role --role-arn arn:aws:iam::123456789012:role/ManagedOpenshift-OCM-Role
#Unlink ocm role
rosa unlink ocm-role --role-arn arn:aws:iam::123456789012:role/ManagedOpenshift-OCM-Role7.2.1.101. rosa unlink user-role
Unlink user role from a specific OCM account
Example usage
Unlink user role
# Unlink user role
rosa unlink user-role --role-arn arn:aws:iam::{accountid}:role/{prefix}-User-{username}-Role7.2.1.102. rosa upgrade account-roles
Upgrade account-wide IAM roles to the latest version.
Example usage
Upgrade account roles for ROSA STS clusters
# Upgrade account roles for ROSA STS clusters
rosa upgrade account-roles7.2.1.103. rosa upgrade cluster
Upgrade cluster
Example usage
7.2.1.104. rosa upgrade machinepool
Upgrade machinepool
Example usage
Interactively schedule an upgrade on the cluster named "mycluster"" for a machinepool named "np1"
# Interactively schedule an upgrade on the cluster named "mycluster"" for a machinepool named "np1"
rosa upgrade machinepool np1 --cluster=mycluster --interactive
# Schedule a machinepool upgrade within the hour
rosa upgrade machinepool np1 -c mycluster --version 4.12.207.2.1.105. rosa upgrade operator-roles
Upgrade operator IAM roles for a cluster.
Example usage
Upgrade cluster-specific operator IAM roles
# Upgrade cluster-specific operator IAM roles
rosa upgrade operators-roles7.2.1.106. rosa upgrade roles
Upgrade cluster-specific IAM roles to the latest version.
Example usage
Upgrade cluster roles for ROSA STS clusters
# Upgrade cluster roles for ROSA STS clusters
rosa upgrade roles -c <cluster_key>7.2.1.107. rosa verify network
Verify VPC subnets are configured correctly
Example usage
Verify two subnets
# Verify two subnets
rosa verify network --subnet-ids subnet-03046a9b92b5014fb,subnet-03046a9c92b5014fb7.2.1.108. rosa verify openshift-client
Verify OpenShift client tools
Example usage
Verify oc client tools
# Verify oc client tools
rosa verify oc7.2.1.109. rosa verify permissions
Verify AWS permissions are ok for non-STS cluster install
Example usage
Verify AWS permissions are configured correctly
# Verify AWS permissions are configured correctly
rosa verify permissions
# Verify AWS permissions in a different region
rosa verify permissions --region=us-west-27.2.1.110. rosa verify quota
Verify AWS quota is ok for cluster install
Example usage
Verify AWS quotas are configured correctly
# Verify AWS quotas are configured correctly
rosa verify quota
# Verify AWS quotas in a different region
rosa verify quota --region=us-west-27.2.1.111. rosa verify rosa-client
Verify ROSA client tools
Example usage
Verify rosa client tools
# Verify rosa client tools
rosa verify rosa7.2.1.112. rosa whoami
Displays user account information
Example usage
Displays user information
# Displays user information
rosa whoami7.3. Least privilege permissions for ROSA CLI commands
You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the ROSA command-line interface (CLI) (rosa).
Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.
For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.
7.3.1. Least privilege permissions for common Red Hat OpenShift Service on AWS CLI commands
The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building Red Hat OpenShift Service on AWS clusters.
7.3.1.1. Create a managed OpenID Connect (OIDC) provider
Run the following command with the specified permissions to create your managed OIDC provider by using auto mode.
Input
rosa create oidc-config --mode auto
$ rosa create oidc-config --mode autoPolicy
7.3.1.2. Create an unmanaged OpenID Connect provider
Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto mode.
Input
rosa create oidc-config --mode auto --managed=false
$ rosa create oidc-config --mode auto --managed=falsePolicy
7.3.1.3. List your account roles
Run the following command with the specified permissions to list your account roles.
Input
rosa list account-roles
$ rosa list account-rolesPolicy
7.3.1.4. List your Operator roles
Run the following command with the specified permissions to list your Operator roles.
Input
rosa list operator-roles
$ rosa list operator-rolesPolicy
7.3.1.5. List your OIDC providers
Run the following command with the specified permissions to list your OIDC providers.
Input
rosa list oidc-providers
$ rosa list oidc-providersPolicy
7.3.1.6. Verify your quota
Run the following command with the specified permissions to verify your quota.
Input
rosa verify quota
$ rosa verify quotaPolicy
7.3.1.7. Delete your managed OIDC configuration
Run the following command with the specified permissions to delete your managed OIDC configuration by using auto mode.
Input
rosa delete oidc-config -–mode auto
$ rosa delete oidc-config -–mode autoPolicy
7.3.1.8. Delete your unmanaged OIDC configuration
Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto mode.
Input
rosa delete oidc-config -–mode auto
$ rosa delete oidc-config -–mode autoPolicy
7.3.1.9. Create a cluster
Run the following command with the specified permissions to create Red Hat OpenShift Service on AWS clusters.
Input
rosa create cluster --hosted-cp
$ rosa create cluster --hosted-cpPolicy
7.3.1.10. Create your account roles and Operator roles
Run the following command with the specified permissions to create account and Operator roles by using auto mode.
Input
rosa create account-roles --mode auto --hosted-cp
$ rosa create account-roles --mode auto --hosted-cpPolicy
7.3.1.11. Delete your account roles
Run the following command with the specified permissions to delete the account roles in auto mode.
Input
rosa delete account-roles -–mode auto
$ rosa delete account-roles -–mode autoPolicy
7.3.1.12. Delete your Operator roles
Run the following command with the specified permissions to delete your Operator roles in auto mode.
Input
rosa delete operator-roles -–mode auto
$ rosa delete operator-roles -–mode autoPolicy
7.3.2. ROSA CLI commands with no required permissions
The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.
| Command | Input |
|---|---|
| list cluster |
|
| list versions |
|
| describe cluster |
|
| create admin |
|
| list users |
|
| list upgrades |
|
| list OIDC configuration |
|
| list identity providers |
|
| list ingresses |
|
7.4. Managing billing accounts for Red Hat OpenShift Service on AWS clusters
You can use the ROSA CLI (rosa) to link your cluster to the desired AWS billing account after the cluster has been deployed.
This can be useful if you have accidentally linked to the wrong AWS billing account during cluster deployment, or if you simply want to update the billing account.
You also have the option to update your billing account through the OpenShift Cluster Manager. For more information, see Updating billing accounts for Red Hat OpenShift Service on AWS clusters.
7.4.1. Update billing accounts for Red Hat OpenShift Service on AWS clusters
Prerequisites
- You must have more than one AWS billing account.
- The AWS billing account you want your cluster to link to must already be linked to the Red Hat organization where the cluster is deployed.
Procedure
Run the following command in your terminal window:
Syntax
rosa edit cluster -c <cluster_ID>
$ rosa edit cluster -c <cluster_ID>1 Copy to Clipboard Copied! Toggle word wrap Toggle overflow - 1
- Replace
<cluster_ID>with the ID of the cluster that you want to update the AWS billing account.
NoteTo locate the IDs of your active clusters, run the
$ rosa list clusterscommand in your terminal window.-
Skip to the
Billing Accountparameter within the interactive mode. Select the desired AWS billing account from the list of available options and press "Enter".
The AWS billing account for your cluster is now updated.
'%20d='M201.5%20305.5c-13.8%200-24.9-11.1-24.9-24.6%200-13.8%2011.1-24.9%2024.9-24.9%2013.6%200%2024.6%2011.1%2024.6%2024.9%200%2013.6-11.1%2024.6-24.6%2024.6zM504%20256c0%20137-111%20248-248%20248S8%20393%208%20256%20119%208%20256%208s248%20111%20248%20248zm-132.3-41.2c-9.4%200-17.7%203.9-23.8%2010-22.4-15.5-52.6-25.5-86.1-26.6l17.4-78.3%2055.4%2012.5c0%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.3%2024.9-24.9s-11.1-24.9-24.9-24.9c-9.7%200-18%205.8-22.1%2013.8l-61.2-13.6c-3-.8-6.1%201.4-6.9%204.4l-19.1%2086.4c-33.2%201.4-63.1%2011.3-85.5%2026.8-6.1-6.4-14.7-10.2-24.1-10.2-34.9%200-46.3%2046.9-14.4%2062.8-1.1%205-1.7%2010.2-1.7%2015.5%200%2052.6%2059.2%2095.2%20132%2095.2%2073.1%200%20132.3-42.6%20132.3-95.2%200-5.3-.6-10.8-1.9-15.8%2031.3-16%2019.8-62.5-14.9-62.5zM302.8%20331c-18.2%2018.2-76.1%2017.9-93.6%200-2.2-2.2-6.1-2.2-8.3%200-2.5%202.5-2.5%206.4%200%208.6%2022.8%2022.8%2087.3%2022.8%20110.2%200%202.5-2.2%202.5-6.1%200-8.6-2.2-2.2-6.1-2.2-8.3%200zm7.7-75c-13.6%200-24.6%2011.1-24.6%2024.9%200%2013.6%2011.1%2024.6%2024.6%2024.6%2013.8%200%2024.9-11.1%2024.9-24.6%200-13.8-11-24.9-24.9-24.9z'/%3e%3c/svg%3e){kind=small}