Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Chapter 10. Deleting a Red Hat OpenShift Service on AWS cluster

If you want to delete a Red Hat OpenShift Service on AWS cluster, you can use either the Red Hat OpenShift Cluster Manager or the ROSA command-line interface (CLI) (rosa). After deleting your cluster, you can also delete the AWS Identity and Access Management (IAM) resources that are used by the cluster.

You can delete a Red Hat OpenShift Service on AWS cluster by using the ROSA CLI or Red Hat OpenShift Cluster Manager.

After deleting the cluster, you can clean up the cluster-specific Identity and Access Management (IAM) resources in your AWS account by using the ROSA CLI. The cluster-specific resources include the Operator roles and the OpenID Connect (OIDC) provider.

Note

The cluster deletion must complete before you remove the IAM resources, because the resources are used in the cluster deletion and clean up processes.

If add-ons are installed, the cluster deletion takes longer because add-ons are uninstalled before the cluster is deleted. The amount of time depends on the number and size of the add-ons.

Prerequisites

  • You have installed a Red Hat OpenShift Service on AWS cluster.
  • You have installed and configured the latest ROSA CLI on your installation host.

Procedure

  1. Get the cluster ID, the Amazon Resource Names (ARNs) for the cluster-specific Operator roles, and the endpoint URL for the OIDC provider by running the following command: 

    $ rosa describe cluster --cluster=<cluster_name>
    Copy to Clipboard Toggle word wrap

    Example output

    Name:                       test_cluster
Domain Prefix:              test_cluster
Display Name:               test_cluster
ID:                         <cluster_id>
    1 
    
External ID:                <external_id>
Control Plane:              ROSA Service Hosted
OpenShift Version:          4.19.0
Channel Group:              stable
DNS:                        test_cluster.l3cn.p3.openshiftapps.com
AWS Account:                <AWS_id>
AWS Billing Account:        <AWS_id>
API URL:                    https://api.test_cluster.l3cn.p3.openshiftapps.com:443
Console URL:
Region:                     us-east-1
Availability:
 - Control Plane:           MultiAZ
 - Data Plane:              SingleAZ

Nodes:
 - Compute (desired):       2
 - Compute (current):       0
Network:
 - Type:                    OVNKubernetes
 - Service CIDR:            172.30.0.0/16
 - Machine CIDR:            10.0.0.0/16
 - Pod CIDR:                10.128.0.0/14
 - Host Prefix:             /23
 - Subnets:                 <subnet_ids>
EC2 Metadata Http Tokens:   optional
Role (STS) ARN:             arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Installer-Role
Support Role ARN:           arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Support-Role
Instance IAM Roles:
 - Worker:                  arn:aws:iam::<AWS_id>:role/test_cluster-HCP-ROSA-Worker-Role
Operator IAM Roles:
    2 
    
 - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cloud-network-config-controller-cloud-crede
 - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-image-registry-installer-cloud-credentials
 - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-ingress-operator-cloud-credentials
 - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-kube-controller-manager
 - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-capa-controller-manager
 - arn:aws:iam::<AWS_id>:role/test_cluster-kube-system-control-plane-operator
 - arn:aws:iam::<AWS_id>:role/hcpcluster-kube-system-kms-provider
 - arn:aws:iam::<AWS_id>:role/test_cluster-openshift-cluster-csi-drivers-ebs-cloud-credentials
Managed Policies:           Yes
State:                      ready
Private:                    No
Created:                    Apr 16 2024 20:32:06 UTC
User Workload Monitoring:   Enabled
Details Page:               https://console.redhat.com/openshift/details/s/<cluster_id>
OIDC Endpoint URL:          https://oidc.op1.openshiftapps.com/<cluster_id> (Managed)
    3 
    
Audit Log Forwarding:       Disabled
External Authentication:    Disabled
    Copy to Clipboard Toggle word wrap

    1
    Lists the cluster ID.
    2
    Specifies the ARNs for the cluster-specific Operator roles. For example, in the sample output the ARN for the role required by the Machine Config Operator is arn:aws:iam::<aws_account_id>:role/mycluster-x4q9-openshift-machine-api-aws-cloud-credentials.
    3
    Displays the endpoint URL for the cluster-specific OIDC provider.
    Important

    After the cluster is deleted, you need the cluster ID to delete the cluster-specific STS resources using the ROSA CLI.

  2. Delete the cluster by using either the OpenShift Cluster Manager or the ROSA CLI:

    • To delete the cluster by using the OpenShift Cluster Manager:

      1. Navigate to the OpenShift Cluster Manager.
      2. Click the Options menu kebab next to your cluster and select Delete cluster.
      3. Type the name of your cluster into the prompt and click Delete.

    • To delete the cluster using the ROSA CLI:

      1. Run the following command, replacing <cluster_name> with the name or ID of your cluster: 

        $ rosa delete cluster --cluster=<cluster_name> --watch
        Copy to Clipboard Toggle word wrap
        Important

        You must wait for cluster deletion to complete before you remove the Operator roles and the OIDC provider.

  3. Delete the cluster-specific Operator IAM roles by running one of the following commands:

    • For clusters without a shared Virtual Private Cloud (VPC): 

      $ rosa delete operator-roles --prefix <operator_role_prefix>
      Copy to Clipboard Toggle word wrap

    • For clusters with a shared VPC: 

      $ rosa delete operator-roles --prefix <operator_role_prefix> --delete-hosted-shared-vpc-policies
      Copy to Clipboard Toggle word wrap

  4. Delete the OIDC provider by running the following command: 

    $ rosa delete oidc-provider --oidc-config-id <oidc_config_id>
    Copy to Clipboard Toggle word wrap

Troubleshooting

  • Ensure that there are no add-ons for your cluster pending in the Hybrid Cloud Console.
  • Ensure that all AWS resources and dependencies have been deleted in the Amazon Web Console.

10.2. Deleting the account-wide IAM resources
Copy link

After you have deleted all Red Hat OpenShift Service on AWS clusters that depend on the account-wide AWS Identity and Access Management (IAM) resources, you can delete the account-wide resources.

If you no longer need to install a Red Hat OpenShift Service on AWS cluster by using Red Hat OpenShift Cluster Manager, you can also delete the OpenShift Cluster Manager and user IAM roles.

Important

The account-wide IAM roles and policies might be used by other Red Hat OpenShift Service on AWS clusters in the same AWS account. Only remove the resources if they are not required by other clusters.

The OpenShift Cluster Manager and user IAM roles are required if you want to install, manage, and delete other Red Hat OpenShift Service on AWS clusters in the same AWS account by using OpenShift Cluster Manager. Only remove the roles if you no longer need to install Red Hat OpenShift Service on AWS clusters in your account by using OpenShift Cluster Manager. For more information about repairing your cluster if these roles are removed before deletion, see "Repairing a cluster that cannot be deleted" in Troubleshooting cluster deployments.

This section provides steps to delete the account-wide IAM roles and policies that you created for Red Hat OpenShift Service on AWS deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the Red Hat OpenShift Service on AWS clusters that depend on them.

Important

The account-wide IAM roles and policies might be used by other Red Hat OpenShift Service on AWS clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

Prerequisites

  • You have account-wide IAM roles that you want to delete.
  • You have installed and configured the latest ROSA CLI (rosa) on your installation host.

Procedure

  1. Delete the account-wide roles:

    1. List the account-wide roles in your AWS account by using the ROSA CLI (rosa): 

      $ rosa list account-roles
      Copy to Clipboard Toggle word wrap

      Example output

      I: Fetching account roles
ROLE NAME                                 ROLE TYPE      ROLE ARN                                                                 OPENSHIFT VERSION  AWS Managed
ManagedOpenShift-HCP-ROSA-Installer-Role  Installer      arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role  4.19               Yes
ManagedOpenShift-HCP-ROSA-Support-Role    Support        arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role    4.19               Yes
ManagedOpenShift-HCP-ROSA-Worker-Role     Worker         arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role     4.19               Yes
      Copy to Clipboard Toggle word wrap

    2. Delete the account-wide roles by running one of the following commands:

      • For clusters without a shared Virtual Private Cloud (VPC): 

        $ rosa delete account-roles --prefix <prefix> --mode auto
        1
        Copy to Clipboard Toggle word wrap
        1
        You must include the --<prefix> argument. Replace <prefix> with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, ManagedOpenShift.

      • For clusters with a shared VPC: 

        $ rosa delete account-roles --prefix <prefix> --delete-hosted-shared-vpc-policies --mode auto
        1
        Copy to Clipboard Toggle word wrap
        1
        You must include the --<prefix> argument. Replace <prefix> with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, ManagedOpenShift.
        Important

        The account-wide IAM roles might be used by other Red Hat OpenShift Service on AWS clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

        Example output

        W: There are no classic account roles to be deleted
I: Deleting hosted CP account roles
? Delete the account role 'delete-rosa-HCP-ROSA-Installer-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Installer-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Support-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Support-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Worker-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Worker-Role'
I: Successfully deleted the hosted CP account roles
        Copy to Clipboard Toggle word wrap

  2. Delete the account-wide in-line and Operator policies:

    1. Under the Policies page in the AWS IAM Console, filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.

      Note

      If you did not specify a custom prefix when you created the account-wide roles, search for the default prefix, ManagedOpenShift.

    2. Delete the account-wide policies and Operator policies by using the AWS IAM Console. For more information about deleting IAM policies by using the AWS IAM Console, see Deleting IAM policies in the AWS documentation.

      Important

      The account-wide and Operator IAM policies might be used by other Red Hat OpenShift Service on AWS clusters in the same AWS account. Only remove the roles if they are not required by other clusters.

When you install a Red Hat OpenShift Service on AWS cluster by using Red Hat OpenShift Cluster Manager, you also create OpenShift Cluster Manager and user Identity and Access Management (IAM) roles that link to your Red Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (rosa).

Important

The OpenShift Cluster Manager and user IAM roles are required if you want to use OpenShift Cluster Manager to install and manage other Red Hat OpenShift Service on AWS clusters in the same AWS account. Only remove the roles if you no longer need to use the OpenShift Cluster Manager to install Red Hat OpenShift Service on AWS clusters.

Prerequisites

  • You created OpenShift Cluster Manager and user IAM roles and linked them to your Red Hat organization.
  • You have installed and configured the latest ROSA CLI (rosa) on your installation host.
  • You have organization administrator privileges in your Red Hat organization.

Procedure

  1. Unlink the OpenShift Cluster Manager IAM role from your Red Hat organization and delete the role:

    1. List the OpenShift Cluster Manager IAM roles in your AWS account: 

      $ rosa list ocm-roles
      Copy to Clipboard Toggle word wrap

      Example output

      I: Fetching ocm roles
ROLE NAME                                                     ROLE ARN                                                                                         LINKED  ADMIN  AWS Managed
ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>  Yes      Yes     Yes
      Copy to Clipboard Toggle word wrap

    2. If your OpenShift Cluster Manager IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization by running the following command: 

      $ rosa unlink ocm-role --role-arn <arn>
      1
      Copy to Clipboard Toggle word wrap
      1
      Replace <arn> with the Amazon Resource Name (ARN) for your OpenShift Cluster Manager IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>.

      Example output

      I: Unlinking OCM role
? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role from organization '<red_hat_organization_id>'? Yes
I: Successfully unlinked role-arn 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' from organization account '<red_hat_organization_id>'
      Copy to Clipboard Toggle word wrap

    3. Delete the OpenShift Cluster Manager IAM role and policies: 

      $ rosa delete ocm-role --role-arn <arn>
      Copy to Clipboard Toggle word wrap

      Example output

      I: Deleting OCM role
? OCM Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>
? Delete 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' ocm role? Yes
? OCM role deletion mode: auto
      1 
      
I: Successfully deleted the OCM role
      Copy to Clipboard Toggle word wrap

      1
      Specifies the deletion mode. You can use auto mode to automatically delete the OpenShift Cluster Manager IAM role and policies. In manual mode, the ROSA CLI generates the aws commands needed to delete the role and policies. manual mode enables you to review the details before running the aws commands manually.

  2. Unlink the user IAM role from your Red Hat organization and delete the role:

    1. List the user IAM roles in your AWS account: 

      $ rosa list user-roles
      Copy to Clipboard Toggle word wrap

      Example output

      I: Fetching user roles
ROLE NAME                                  ROLE ARN                                                                  LINKED
ManagedOpenShift-User-<ocm_user_name>-Role  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role  Yes
      Copy to Clipboard Toggle word wrap

    2. If your user IAM role is listed as linked in the output of the preceding command, unlink the role from your Red Hat organization: 

      $ rosa unlink user-role --role-arn <arn>
      1
      Copy to Clipboard Toggle word wrap
      1
      Replace <arn> with the Amazon Resource Name (ARN) for your user IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role.

      Example output

      I: Unlinking user role
? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the current account '<ocm_user_account_id>'? Yes
I: Successfully unlinked role ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' from account '<ocm_user_account_id>'
      Copy to Clipboard Toggle word wrap

    3. Delete the user IAM role: 

      $ rosa delete user-role --role-arn <arn>
      Copy to Clipboard Toggle word wrap

      Example output

      I: Deleting user role
? User Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role
? Delete the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the AWS account? Yes
? User role deletion mode: auto
      1 
      
I: Successfully deleted the user role
      Copy to Clipboard Toggle word wrap

      1
      Specifies the deletion mode. You can use auto mode to automatically delete the user IAM role. In manual mode, the ROSA CLI generates the aws command needed to delete the role. manual mode enables you to review the details before running the aws command manually.
Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2025 Red Hat