Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Getting started with ROSA GovCloud

Red Hat OpenShift Service on AWS classic architecture 4

Setting up clusters and accounts with GovCloud

Red Hat OpenShift Documentation Team

Abstract

This document provides information on how to get started with Red Hat OpenShift Service on AWS (ROSA) GovCloud.

This service is for use by federal and government agencies, or by commercial organizations and Federal Information Security Modernization Act (FISMA) R&D Universities supporting a government contract or in the process of bidding on a government contract such as a request for proposal (RFP) or request for information (RFI) pre-bid stage.

Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud, carries the following requirements:

  • Red Hat OpenShift Service on AWS classic architecture FedRAMP can only be deployed into an existing VPC. See Create Amazon VPC architecture for the AWS PrivateLink use case for instructions on setting up a VPC.
  • Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud only supports the use of the AWS STS credentials method.
  • Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud only uses Federal Information Processing Standards (FIPS) validated modules in process cryptographic libraries.

  • Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud requires a separate Red Hat account for use with FedRAMP, even if you already have an existing Red Hat account for Red Hat OpenShift Service on AWS classic architecture clusters in commercial regions.

    • Each person who needs to be able to create, modify, or delete clusters must have their own Red Hat FedRAMP account.
    • Access to an existing cluster, to use that cluster, does not require a Red Hat FedRAMP account.
  • You can use your Red Hat FedRAMP account to deploy to multiple AWS GovCloud accounts.

1.1. Signing up for a Red Hat FedRAMP account
Copy link

To access Red Hat OpenShift Service on AWS classic architecture in AWS GovCloud, you must sign up for a Red Hat FedRAMP account.

Procedure

  1. Navigate to https://console.redhat.com/openshift/create/rosa/govcloud.
  2. Complete the access request form.

  3. Click Submit to sign up.

    You will receive a Submission confirmation.

Red Hat’s confirmed stateside support team will contact you through email for the following information:

  • Admin details to include your organization name, administrator first and last name and administrator email.

  • User authentication option to the FedRAMP Hybrid Cloud Console from one of the following two options:

    • Local group in a Red Hat managed Keycloak instance, where users will be required to setup multi-factor authentication (MFA) with an approved device.

      Note

      Only device YubiKEY 5C NFC FIPS currently accepted.

    • Customer managed Identity Provider (IdP), integrated via OpenID Connect (OIDC), where you will need to provide the following:

      • Discovery Endpoint: The IdP’s OIDC discovery URL (typically ending in /.well-known/openid-configuration). This allows Keycloak to automatically fetch most of the IdP’s settings.
      • Client ID and secret: Credentials that allow Keycloak to authenticate with the customer’s IdP.
      • Email domain(s): A list of approved email domains. Only users with an email address from one of these domains will be allowed to log in.

      • Essential claim: A specific key-value pair (e.g., "rh-approved": "true") that must be present in a user’s token from the IdP to grant them access.

        In this configuration, the customer takes on the responsibility for implementing FIPS 140-2 validated MFA.

Once you have access to the FedRAMP accounts, you can manage the credentials as needed.

To change your FedRAMP account password, you must have access to your Red Hat FedRAMP account.

Procedure

  1. Navigate to https://sso.openshiftusgov.com/realms/redhat-external/account.
  2. Sign in with your current username and password.
  3. Under the middle box called Account Security, click Signing In.
  4. Under Basic Authentication select Password.

  5. Click Update and choose a password that meets the following requirements:

    • minimum of fifteen (15) characters
    • at least one (1) upper-case letter
    • at least one (1) lower-case letter
    • at least one (1) number
    • at least one (1) special character (e.g. ~ ! @ # $ % ^ & * ( ) _ + = - ‘ [ ] / ? > <)
  6. Confirm your password.
  7. Click Submit.

2.2. Opening a support ticket
Copy link

To get access to open a support ticket please complete the following.

Procedure

  1. If you need to create an account, please contact fedramp-css@openshiftusgov.com.
  2. Once access is granted, navigate to https://redhatgov.servicenowservices.com/css.
  3. Click Create Case and complete the required information.
  4. Click Submit.

To install a Red Hat OpenShift Service on AWS classic architecture cluster in AWS GovCloud you must:

To deploy a Red Hat OpenShift Service on AWS classic architecture cluster in AWS GovCloud, you must be logged in to your Red Hat FedRAMP account.

Prerequisites

  • You have configured your AWS CLI to use GovCloud.
  • You are logged into your government region.

Procedure

  1. Navigate to https://console.openshiftusgov.com/openshift/token.
  2. Sign in with your Red Hat FedRAMP account credentials where you will see a screen with your token.
  3. Copy your token for the next step.

  4. In your terminal:

    1. Run rosa login and paste your copied token in order to log into the service. 

      $ rosa login --govcloud --token=<TOKEN>
      Copy to Clipboard Toggle word wrap
      Note

      Depending on your AWS CLI configuration, you may need to add a government region to the end of the command string like --region us-gov-west-1.

    2. Run rosa whoami to confirm all information is correct ensuring that you are using the AWS Gov region and the OCM API is “https://api.openshiftusgov.com”.. 

      $ rosa whoami
      Copy to Clipboard Toggle word wrap

      Example output

      AWS ARN:                                 arn:aws-us-gov:iam::00000000000:user/rosa-gov-user
AWS Account ID:                       00000000000
AWS Default Region:                 us-gov-east-1
OCM API:                                   https://api.openshiftusgov.com
OCM Account Email:                  rosa-gov-user@redhat.com
OCM Account ID:                       3ZXXXXXXXXXXXXXXXXXXXXXXXXX
OCM Account Name:                 Rosa Gov
OCM Account Username:          rosa-gov-user
OCM Organization External ID:  rosa-gov-user
OCM Organization ID:                3ZXXXXXXXXXXXXXXXXXXXXXXXXX
OCM Organization Name:          rosa-gov-user
      Copy to Clipboard Toggle word wrap

  5. You must create a VPC where Red Hat OpenShift Service on AWS classic architecture will be deployed. For instructions on setting up a VPC, see Amazon VPC architecture for the AWS PrivateLink use case.

Legal Notice
Copy link

Copyright © 2025 Red Hat

OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Modified versions must remove all Red Hat trademarks.

Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red HatBack to top