Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 8. ROSA CLI

8.1. Getting started with the ROSA CLI

8.1.1. About the ROSA CLI

Use the Red Hat OpenShift Service on AWS (ROSA) command-line interface (CLI), the rosa command, to create, update, manage, and delete ROSA clusters and resources.

8.1.2. Setting up the ROSA CLI

Use the following steps to install and configure the ROSA CLI (rosa) on your installation host.

Procedure

Install and configure the latest AWS CLI (aws).
1. Follow the AWS Command Line Interface documentation to install and configure the AWS CLI for your operating system.
  Specify your aws_access_key_id, aws_secret_access_key, and region in the .aws/credentials file. See AWS Configuration basics in the AWS documentation.
  Note
  You can optionally use the AWS_DEFAULT_REGION environment variable to set the default AWS region.
2. Query the AWS API to verify if the AWS CLI is installed and configured correctly:
```
$ aws sts get-caller-identity  --output text
```
  Example output
```
<aws_account_id>    arn:aws:iam::<aws_account_id>:user/<username>  <aws_user_id>
```
Download the latest version of the ROSA CLI (rosa) for your operating system from the Downloads page on OpenShift Cluster Manager.
Extract the rosa binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:
```
$ tar xvf rosa-linux.tar.gz
```
Add rosa to your path. In the following example, the /usr/local/bin directory is included in the path of the user:
```
$ sudo mv rosa /usr/local/bin/rosa
```
Verify if the ROSA CLI is installed correctly by querying the rosa version:
```
$ rosa version
```
Example output
```
1.2.15
Your ROSA CLI is up to date.
```
Optional: Enable tab completion for the ROSA CLI. With tab completion enabled, you can press the Tab key twice to automatically complete subcommands and receive command suggestions:
- To enable persistent tab completion for Bash on a Linux host:
  1. Generate a rosa tab completion configuration file for Bash and save it to your /etc/bash_completion.d/ directory:
    # rosa completion bash > /etc/bash_completion.d/rosa
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for Bash on a macOS host:
  1. Generate a rosa tab completion configuration file for Bash and save it to your /usr/local/etc/bash_completion.d/ directory:
    $ rosa completion bash > /usr/local/etc/bash_completion.d/rosa
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for Zsh:
  1. If tab completion is not enabled for your Zsh environment, enable it by running the following command:
    $ echo "autoload -U compinit; compinit" >> ~/.zshrc
  2. Generate a rosa tab completion configuration file for Zsh and save it to the first directory in your functions path:
    $ rosa completion zsh > "${fpath[1]}/_rosa"
  3. Open a new terminal to activate the configuration.
- To enable persistent tab completion for fish:
  1. Generate a rosa tab completion configuration file for fish and save it to your ~/.config/fish/completions/ directory:
    $ rosa completion fish > ~/.config/fish/completions/rosa.fish
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for PowerShell:
  1. Generate a rosa tab completion configuration file for PowerShell and save it to a file named rosa.ps1:
    PS> rosa completion powershell | Out-String | Invoke-Expression
  2. Source the rosa.ps1 file from your PowerShell profile.
Note
For more information about configuring rosa tab completion, see the help menu by running the rosa completion --help command.

8.1.3. Configuring the ROSA CLI

Use the following commands to configure the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa.

8.1.3.1. login

Log in to your Red Hat account, saving the credentials to the rosa configuration file. You must provide a token when logging in. You can copy your token from the ROSA token page.

The ROSA CLI (rosa) looks for a token in the following priority order:

Command-line arguments
The ROSA_TOKEN environment variable
The rosa configuration file
Interactively from a command-line prompt

Syntax

$ rosa login [arguments]

Table 8.1. Arguments
Option	Definition
--client-id	The OpenID client identifier (string). Default: `cloud-services`
--client-secret	The OpenID client secret (string).
--insecure	Enables insecure communication with the server. This disables verification of TLS certificates and host names.
--scope	The OpenID scope (string). If this option is used, it replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: `openid`
--token	Accesses or refreshes the token (string).
--token-url	The OpenID token URL (string). Default: `https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`

Table 8.2. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.1.3.2. logout

Log out of rosa. Logging out also removes the rosa configuration file.

Syntax

$ rosa logout [arguments]

Table 8.3. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.1.3.3. verify permissions

Verify that the AWS permissions required to create a ROSA cluster are configured correctly:

Syntax

$ rosa verify permissions [arguments]

Note

This command verifies permissions only for clusters that do not use the AWS Security Token Service (STS).

Table 8.4. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--region	The AWS region (string) in which to run the command. This value overrides the `AWS_REGION` environment variable.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS permissions are configured correctly:

$ rosa verify permissions

Verify that the AWS permissions are configured correctly in a specific region:

$ rosa verify permissions --region=us-west-2

8.1.3.4. verify quota

Verifies that AWS quotas are configured correctly for your default region.

Syntax

$ rosa verify quota [arguments]

Table 8.5. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--region	The AWS region (string) in which to run the command. This value overrides the `AWS_REGION` environment variable.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS quotas are configured correctly for the default region:

$ rosa verify quota

Verify that the AWS quotas are configured correctly in a specific region:

$ rosa verify quota --region=us-west-2

8.1.3.5. download rosa

Download the latest compatible version of the rosa CLI.

After you download rosa, extract the contents of the archive and add it to your path.

Syntax

$ rosa download rosa [arguments]

Table 8.6. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

8.1.3.6. download oc

Download the latest compatible version of the OpenShift Container Platform CLI (oc).

After you download oc, you must extract the contents of the archive and add it to your path.

Syntax

$ rosa download oc [arguments]

Table 8.7. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

Download oc client tools:

$ rosa download oc

8.1.3.7. verify oc

Verifies that the OpenShift Container Platform CLI (oc) is installed correctly.

Syntax

$ rosa verify oc [arguments]

Table 8.8. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

Verify oc client tools:

$ rosa verify oc

Additional resources

8.1.4. Initializing ROSA

Use the init command to initialize Red Hat OpenShift Service on AWS (ROSA) only if you are using non-STS.

8.1.4.1. init

Perform a series of checks to verify that you are ready to deploy a ROSA cluster.

The list of checks includes the following:

Checks to see that you have logged in (see login)
Checks that your AWS credentials are valid
Checks that your AWS permissions are valid (see verify permissions)
Checks that your AWS quota levels are high enough (see verify quota)
Runs a cluster simulation to ensure cluster creation will perform as expected
Checks that the osdCcsAdmin user has been created in your AWS account
Checks that the OpenShift Container Platform command-line tool is available on your system

Syntax

$ rosa init [arguments]

Table 8.9. Arguments
Option	Definition
--region	The AWS region (string) in which to verify quota and permissions. This value overrides the `AWS_REGION` environment variable only when running the `init` command, but it does not change your AWS CLI configuration.
--delete	Deletes the stack template that is applied to your AWS account during the `init` command.
--client-id	The OpenID client identifier (string). Default: `cloud-services`
--client-secret	The OpenID client secret (string).
--insecure	Enables insecure communication with the server. This disables verification of TLS certificates and host names.
--scope	The OpenID scope (string). If this option is used, it completely replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default: `openid`
--token	Accesses or refreshes the token (string).
--token-url	The OpenID token URL (string). Default: `https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`

Table 8.10. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Configure your AWS account to allow ROSA clusters:

$ rosa init

Configure a new AWS account using pre-existing OpenShift Cluster Manager credentials:

$ rosa init --token=$OFFLINE_ACCESS_TOKEN

8.1.5. Using a Bash script

This is an example workflow of how to use a Bash script with the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa.

Prerequisites

Make sure that AWS credentials are available as one of the following options:

AWS profile
Environment variables (AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY)

Procedure

Initialize rosa using an Red Hat OpenShift Cluster Manager offline token from Red Hat:
```
$ rosa init --token=<token>
```

Create the ROSA cluster:

$ rosa create cluster --cluster-name=<cluster_name>

Add an identity provider (IDP):

$ rosa create idp --cluster=<cluster_name> --type=<identity_provider> [arguments]

Add a dedicated-admin user:

$ rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>

8.1.6. Updating the ROSA CLI

Update to the latest compatible version of the ROSA CLI (rosa).

Procedure

Confirm that a new version of the ROSA CLI (rosa) is available:

$ rosa version

Example output

1.2.12
There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

Download the latest compatible version of the ROSA CLI:
```
$ rosa download rosa
```
This command downloads an archive called rosa-*.tar.gz into the current directory. The exact name of the file depends on your operating system and system architecture.
Extract the contents of the archive:
```
$ tar -xzf rosa-linux.tar.gz
```
Install the new version of the ROSA CLI by moving the extracted file into your path. In the following example, the /usr/local/bin directory is included in the path of the user:
```
$ sudo mv rosa /usr/local/bin/rosa
```

Verification

Verify that the new version of ROSA is installed.
```
$ rosa version
```
Example output
```
1.2.15
Your ROSA CLI is up to date.
```

8.2. Managing objects with the ROSA CLI

Managing objects with the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, such as adding dedicated-admin users, managing clusters, and scheduling cluster upgrades.

Note

To access a cluster that is accessible only over an HTTP proxy server, you can set the HTTP_PROXY, HTTPS_PROXY, and NO_PROXY variables. These environment variables are respected by the rosa CLI so that all communication with the cluster goes through the HTTP proxy.

8.2.1. Common commands and arguments

These common commands and arguments are available for the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa.

8.2.1.1. debug

Enables debug mode for the parent command to help with troubleshooting.

Example

$ rosa create cluster --cluster-name=<cluster_name> --debug

8.2.1.2. download

Downloads the latest compatible version of the specified software to the current directory in an archive file. Extract the contents of the archive and add the contents to your path to use the software. To download the latest ROSA CLI, specify rosa. To download the latest OpenShift CLI, specify oc.

Example

$ rosa download <software>

8.2.1.3. help

Displays general help information for the ROSA CLI (rosa) and a list of available commands. This option can also be used as an argument to display help information for a parent command, such as version or create.

Examples

Displays general help for the ROSA CLI.

$ rosa --help

Displays general help for version.

$ rosa version --help

8.2.1.4. interactive

Enables interactive mode.

Example

$ rosa create cluster --cluster-name=<cluster_name> --interactive

8.2.1.5. profile

Specifies an AWS profile from your credential file.

Example

$ rosa create cluster --cluster-name=<cluster_name> --profile=myAWSprofile

8.2.1.6. version

Displays the rosa version and checks whether a newer version is available.

Example

$ rosa version [arguments]

Example output

Displayed when a newer version of the ROSA CLI is available.

1.2.12
There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

8.2.2. Parent commands

The Red Hat OpenShift Service on AWS (ROSA) CLI, rosa, uses parent commands with child commands to manage objects. The parent commands are create, edit, delete, list, and describe. Not all parent commands can be used with all child commands. For more information, see the specific reference topics that describes the child commands.

8.2.2.1. create

Creates an object or resource when paired with a child command.

Example

$ rosa create cluster --cluster-name=mycluster

8.2.2.2. edit

Edits options for an object, such as making a cluster private.

Example

$ rosa edit cluster --cluster=mycluster --private

8.2.2.3. delete

Deletes an object or resource when paired with a child command.

Example

$ rosa delete ingress --cluster=mycluster

8.2.2.4. list

Lists clusters or resources for a specific cluster.

Example

$ rosa list users --cluster=mycluster

8.2.2.5. describe

Shows the details for a cluster.

Example

$ rosa describe cluster --cluster=mycluster

8.2.3. Create objects

This section describes the create commands for clusters and resources.

8.2.3.1. create account-roles

Create the required account-wide role and policy resources for your cluster.

Syntax

$ rosa create account-roles [flags]

Table 8.11. Flags
Option	Definition
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto` Resource changes will be automatically applied using the current AWS account. `manual` Commands necessary to modify AWS resources will be output to be run manually.
--path string	The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the account roles.
--prefix string	User-defined prefix for all generated AWS resources. The default is `ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operations.

8.2.3.2. create admin

Create a cluster administrator with an automatically generated password that can log in to a cluster.

Syntax

$ rosa create admin --cluster=<cluster_name>|<cluster_id>

Table 8.12. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID (string) of the cluster to add to the identity provider (IDP).

Table 8.13. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile string	Specifies an AWS profile from your credentials file.

Example

Create a cluster administrator that can log in to a cluster named mycluster.

$ rosa create admin --cluster=mycluster

8.2.3.3. create break glass credential

Create a break glass credential for a hosted control plane cluster with external authentication enabled.

Syntax

$ rosa create break-glass-credential --cluster=<cluster_name> [arguments]

Table 8.14. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the break glass credential will be added.
--expiration	Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours.
--username	Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you.

Table 8.15. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--region	Specifies an AWS region, overriding the `AWS_REGION` environment variable.
--yes	Automatically answers `yes` to confirm the operation.

Examples

Add a break glass credential to a cluster named mycluster.

Syntax

$ rosa create break-glass-credential --cluster=mycluster

Add a break glass credential to a cluster named mycluster using the interactive mode.

Syntax

$ rosa create break-glass-credential --cluster=mycluster -i

8.2.3.4. create cluster

Create a new cluster.

Syntax

$ rosa create cluster --cluster-name=<cluster_name> [arguments]

Table 8.16. Arguments
Option	Definition
--additional-compute-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.
--additional-infra-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.
--additional-control-plane-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements for Security groups under Additional resources.
--cluster-name <cluster_name>	Required. The name of the cluster. When used with the `create cluster` command, this argument is used to set the cluster name and can hold up to 54 characters. The value for this argument must be unique within your organization.
--compute-machine-type <instance_type>	The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, see AWS Instance types in ROSA service definition.
--controlplane-iam-role <arn>	The ARN of the IAM role to attach to control plane instances.
--disable-scp-checks	Indicates whether cloud permission checks are disabled when attempting to install a cluster.
--dry-run	Simulates creating the cluster.
--domain-prefix	Optional: When used with the `create cluster` command, this argument sets the subdomain for your cluster on `*.openshiftapps.com`. The value for this argument must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation. If the argument is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is fewer than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
--ec2-metadata-http-tokens string	Configures the use of IMDSv2 for EC2 instances. Valid values are `optional` (default) or `required`.
--enable-autoscaling	Enables autoscaling of compute nodes. By default, autoscaling is set to `2` nodes. To set non-default node limits, use this argument with the `--min-replicas` and `--max-replicas` arguments.
--host-prefix <subnet>	The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to `23`, then each node is assigned a `/23` subnet out of the given CIDR.
--machine-cidr <address_block>	Block of IP addresses (ipNet) used by ROSA while installing the cluster, for example, `10.0.0.0/16`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--max-replicas <number_of_nodes>	Specifies the maximum number of compute nodes when enabling autoscaling. Default: `2`
--min-replicas <number_of_nodes>	Specifies the minimum number of compute nodes when enabling autoscaling. Default: `2`
--multi-az	Deploys to multiple data centers.
--operator-roles-prefix <string>	Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one.
--pod-cidr <address_block>	Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example, `10.128.0.0/14`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--private	Restricts primary API endpoint and application routes to direct, private connectivity.
--private-link	Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The `--subnet-ids` argument is required when using `--private-link`.
--region <region_name>	The name of the AWS region where your worker pool will be located, for example, `us-east-1`. This argument overrides the `AWS_REGION` environment variable.
--replicas n	The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default: `2` for single-zone clusters; `3` for multi-zone clusters.
--role-arn <arn>	The ARN of the installer role that OpenShift Cluster Manager uses to create the cluster. This is required if you have not already created account roles.
--service-cidr <address_block>	Block of IP addresses (ipNet) for services, for example, `172.30.0.0/16`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the `100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the `100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--sts \| --non-sts	Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster.
--subnet-ids <aws_subnet_id>	The AWS subnet IDs that are used when installing the cluster, for example, `subnet-01abc234d5678ef9a`. Subnet IDs must be in pairs with one private subnet ID and one public subnet ID per availability zone. Subnets are comma-delimited, for example, `--subnet-ids=subnet-1,subnet-2`. Leave the value empty for installer-provisioned subnet IDs. When using `--private-link`, the `--subnet-ids` argument is required and only one private subnet is allowed per zone.
--support-role-arn string	The ARN of the role used by Red Hat Site Reliabilty Engineers (SREs) to enable access to the cluster account to provide support.
--tags	Tags that are used on resources created by Red Hat OpenShift Service on AWS in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar". Important Red Hat OpenShift Service on AWS only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited. Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed. Red Hat OpenShift Service on AWS does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
--version string	The version of ROSA that will be used to install the cluster or cluster resources. For `cluster` use an `X.Y.Z` format, for example, `4.16.0`. For `account-role` use an `X.Y` format, for example, `4.16`.
--worker-iam-role string	The ARN of the IAM role that will be attached to compute instances.

Table 8.17. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Create a cluster named mycluster.

$ rosa create cluster --cluster-name=mycluster

Create a cluster with a specific AWS region.

$ rosa create cluster --cluster-name=mycluster --region=us-east-2

Create a cluster with autoscaling enabled on the default worker machine pool.

$ rosa create cluster --cluster-name=mycluster -region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5

8.2.3.5. create external-auth-provider

Add an external identity provider instead of the OpenShift OAuth2 server.

Important

You can only use external authentication providers on ROSA with HCP clusters.

Syntax

$ rosa create external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.18. Arguments
Option	Definition
--claim-mapping-groups-claim <string>	Required. Describes rules on how to transform information from an ID token into a cluster identity.
--claim-validation-rule <strings>	Rules that are applied to validate token claims to authenticate users. The input will be in a `<claim>:<required_value>` format. To have multiple claim validation rules, you can separate the values by `,`. For example, `<claim>:<required_value>,<claim>:<required_value>`.
--claim-mapping-username-claim <string>	The name of the claim that should be used to construct user names for the cluster identity.
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the IDP will be added.
--console-client-id <string>	The identifier of the OIDC client from the OIDC provider for the OpenShift Cluster Manager web console.
--console-client-secret <string>	The secret that is associated with the console application registration.
--issuer-audiences <strings>	An array of audiences to check the incoming tokens against. Valid tokens must include at least one of these values in their audience claim.
--issuer-ca-file <string>	The path to the PEM-encoded certificate file to use when making requests to the server.
--issuer-url <string>	The serving URL of the token issuer.
--name <string>	A name that is used to refer to the external authentication provider.

Table 8.19. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile string from your credentials file.

Examples

Add a Microsoft Entra ID identity provider to a cluster named mycluster.

$ rosa create external-auth-provider --cluster=mycluster --name <provider_name> --issuer-audiences <audience_id> --issuer-url <issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claim groups

8.2.3.6. create idp

Add an identity provider (IDP) to define how users log in to a cluster.

Syntax

$ rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.20. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the IDP will be added.
--ca <path_to_file>	The path to the PEM-encoded certificate file to use when making requests to the server, for example, `/usr/share/cert.pem`.
--client-id	The client ID (string) from the registered application.
--client-secret	The client secret (string) from the registered application.
--mapping-method	Specifies how new identities (string) are mapped to users when they log in. Default: `claim`
--name	The name (string) for the identity provider.
--type	The type (string) of identity provider. Options: `github`, `gitlab`, `google`, `ldap`, `openid`

Table 8.21. GitHub arguments
Option	Definition
--hostname	The optional domain (string) that are used with a hosted instance of GitHub Enterprise.
--organizations	Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in.
--teams	Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is `<org>/<team>`.

Table 8.22. GitLab arguments
Option	Definition
--host-url	The host URL (string) of a GitLab provider. Default: `https://gitlab.com`

Table 8.23. Google arguments
Option	Definition
--hosted-domain	Restricts users to a Google Apps domain (string).

Table 8.24. LDAP arguments
Option	Definition
--bind-dn	The domain name (string) to bind with during the search phase.
--bind-password	The password (string) to bind with during the search phase.
--email-attributes	The list (string) of attributes whose values should be used as the email address.
--id-attributes	The list (string) of attributes whose values should be used as the user ID. Default: `dn`
--insecure	Does not make TLS connections to the server.
--name-attributes	The list (string) of attributes whose values should be used as the display name. Default: `cn`
--url	An RFC 2255 URL (string) which specifies the LDAP search parameters that are used.
--username-attributes	The list (string) of attributes whose values should be used as the preferred username. Default: `uid`

Table 8.25. OpenID arguments
Option	Definition
--email-claims	The list (string) of claims that are used as the email address.
--extra-scopes	The list (string) of scopes to request, in addition to the `openid` scope, during the authorization token request.
--issuer-url	The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment.
--name-claims	The list (string) of claims that are used as the display name.
--username-claims	The list (string) of claims that are used as the preferred username when provisioning a user.
--groups-claims	The list (string) of claims that are used as the groups names.

Table 8.26. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Add a GitHub identity provider to a cluster named mycluster.

$ rosa create idp --type=github --cluster=mycluster

Add an identity provider following interactive prompts.

$ rosa create idp --cluster=mycluster --interactive

8.2.3.7. create ingress

Add an ingress endpoint to enable API access to the cluster.

Syntax

$ rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.27. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required: The name or ID of the cluster to which the ingress will be added.
--label-match	The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.
--private	Restricts application route to direct, private connectivity.

Table 8.28. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Add an internal ingress to a cluster named mycluster.

$ rosa create ingress --private --cluster=mycluster

Add a public ingress to a cluster named mycluster.

$ rosa create ingress --cluster=mycluster

Add an ingress with a route selector label match.

$ rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz

8.2.3.8. create kubeletconfig

Create a custom KubeletConfig object to allow custom configuration of nodes in a machine pool. For Red Hat OpenShift Service on AWS clusters, these settings are cluster-wide. For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, each machine pool can be configured differently.

Syntax

$ rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

Table 8.29. Flags
Option	Definition
--pod-pids-limit <number>	Required. The maximum number of PIDs for each node in the machine pool associated with the `KubeletConfig` object.
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster in which to create the `KubeletConfig` object.
--name	Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
-i, --interactive	Enable interactive mode.
-h, --help	Shows help for this command.

For more information about setting the PID limit for the cluster, see Configuring PID limits.

8.2.3.9. create machinepool

Add a machine pool to an existing cluster.

Syntax

$ rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]

Table 8.30. Arguments
Option	Definition
--additional-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements for Security groups under Additional resources.
--cluster <cluster_name>\|<cluster_id>	Required: The name or ID of the cluster to which the machine pool will be added.
--enable-autoscaling	Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the `--min-replicas` and `--max-replicas` arguments. To disable autoscaling, use `--enable-autoscaling=false` with the `--replicas` argument.
--instance-type	The instance type (string) that should be used. Default: `m5.xlarge`
--kubelet-configs <kubeletconfig_name>	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any `KubeletConfig` objects to apply to nodes in a machine pool.
--labels	The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis.
--max-replicas	Specifies the maximum number of compute nodes when enabling autoscaling.
--min-replicas	Specifies the minimum number of compute nodes when enabling autoscaling.
--name	Required: The name (string) for the machine pool.
--replicas	Required when autoscaling is not configured. The number (integer) of machines for this machine pool.
--tags	Apply user defined tags to all resources created by ROSA in AWS. Tags are comma separated, for example: `'key value, foo bar'`.
--taints	Taints for the machine pool. This string value should be formatted as a comma-separated list of `key=value:ScheduleType`. This list will overwrite any modifications made to Node taints on an ongoing basis.

Table 8.31. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Interactively add a machine pool to a cluster named mycluster.

$ rosa create machinepool --cluster=mycluster --interactive

Add a machine pool that is named mp-1 to a cluster with autoscaling enabled.

$ rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1

Add a machine pool that is named mp-1 with 3 replicas of m5.xlarge to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1

Add a machine pool with labels to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1

Add a machine pool with tags to a cluster.

$ rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1

8.2.3.10. create ocm-role

Create the required ocm-role resources for your cluster.

Syntax

$ rosa create ocm-role [flags]

Table 8.32. Flags
Option	Definition
--admin	Enable admin capabilities for the role.
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto`: Resource changes will be automatically applied using the current AWS account `manual`: Commands necessary to modify AWS resources will be output to be run manually
--path string	The ARN path for the OCM role and policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the OCM role.
--prefix string	User-defined prefix for all generated AWS resources. The default is `ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operation.

For more information about the OCM role created with the rosa create ocm-role command, see Account-wide IAM role and policy reference.

8.2.3.11. create user-role

Create the required user-role resources for your cluster.

Syntax

$ rosa create user-role [flags]

Table 8.33. Flags
Option	Definition
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto`: Resource changes will be automatically applied using the current AWS account `manual`: Commands necessary to modify AWS resources will be output to be run manually
--path string	The ARN path for the user role and policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the user role.
--prefix string	User-defined prefix for all generated AWS resources The default is `ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operation.

For more information about the user role created with the rosa create user-role command, see Understanding AWS account association.

8.2.4. Additional resources

See AWS Instance types for a list of supported instance types.
See Account-wide IAM role and policy reference for a list of IAM roles needed for cluster creation.
See Understanding AWS account association for more information about the OCM role and user role.
See Additional custom security groups for information about security group requirements.

8.2.5. Edit objects

This section describes the edit commands for clusters and resources.

8.2.5.1. edit cluster

Allows edits to an existing cluster.

Syntax

$ rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.34. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to edit.
--private	Restricts a primary API endpoint to direct, private connectivity.
--enable-delete-protection=true	Enables the delete protection feature.
--enable-delete-protection=false	Disables the delete protection feature.

Table 8.35. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Edit a cluster named mycluster to make it private.

$ rosa edit cluster --cluster=mycluster --private

Edit all cluster options interactively on a cluster named mycluster.

$ rosa edit cluster --cluster=mycluster --interactive

8.2.5.2. edit ingress

Edits the additional non-default application router for a cluster.

Syntax

$ rosa edit ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.36. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to which the ingress will be added.
--cluster-routes-hostname	Components route hostname for OAuth, console, and download.
--cluster-routes-tls-secret-ref	Components route TLS secret reference for OAuth, console, and download.
--excluded-namespaces	Excluded namespaces for ingress. Format is a comma-separated list `value1, value2…`. If no values are specified, all namespaces will be exposed.
--label-match	The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.
--lb-type	Type of Load Balancer. Options are `classic`, `nlb`.
--namespace-ownership-policy	Namespace Ownership Policy for ingress. Options are `Strict` and `InterNamespaceAllowed`. Default is `Strict`.
--private	Restricts the application route to direct, private connectivity.
--route-selector	Route Selector for ingress. Format is a comma-separated list of key=value. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels, otherwise they are treated as exclusion label.
--wildcard-policy	Wildcard Policy for ingress. Options are `WildcardsDisallowed` and `WildcardsAllowed`. Default is `WildcardsDisallowed`.

Table 8.37. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Make an additional ingress with the ID a1b2 as a private connection on a cluster named mycluster.

$ rosa edit ingress --private --cluster=mycluster a1b2

Update the router selectors for the additional ingress with the ID a1b2 on a cluster named mycluster.

$ rosa edit ingress --label-match=foo=bar --cluster=mycluster a1b2

Update the default ingress using the sub-domain identifier apps on a cluster named mycluster.

$ rosa edit ingress --private=false --cluster=mycluster apps

Update the load balancer type of the apps2 ingress.

$ rosa edit ingress --lb-type=nlb --cluster=mycluster apps2

8.2.5.3. edit kubeletconfig

Edit a custom KubeletConfig object in a machine pool.

Syntax

$ rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

Table 8.38. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which the `KubeletConfig` object will be edited.
-i, --interactive	Enable interactive mode.
--pod-pids-limit <number>	Required. The maximum number of PIDs for each node in the machine pool associated with the `KubeletConfig` object.
--name	Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
-h, --help	Shows help for this command.

For more information about setting the PID limit for the cluster, see Configuring PID limits.

8.2.5.4. edit machinepool

Allows edits to the machine pool in a cluster.

Syntax

$ rosa edit machinepool --cluster=<cluster_name> | <cluster_id> <machinepool_ID> [arguments]

Table 8.39. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to edit on which the additional machine pool will be edited.
--enable-autoscaling	Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the `--min-replicas` and `--max-replicas` arguments. To disable autoscaling, use `--enable-autoscaling=false` with the `--replicas` argument.
--labels	The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis.
--kubelet-configs <kubeletconfig_name>	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any `KubeletConfig` objects to apply to nodes in a machine pool.
--max-replicas	Specifies the maximum number of compute nodes when enabling autoscaling.
--min-replicas	Specifies the minimum number of compute nodes when enabling autoscaling.
--node-drain-grace-period	Specifies the node drain grace period when upgrading or replacing the machine pool. (This is for ROSA with HCP clusters only.)
--replicas	Required when autoscaling is not configured. The number (integer) of machines for this machine pool.
--taints	Taints for the machine pool. This string value should be formatted as a comma-separated list of `key=value:ScheduleType`. Editing this value only affect newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to Node taints on an ongoing basis.

Table 8.40. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Set 4 replicas on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster --replicas=4 --name=mp1

Enable autoscaling on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 --name=mp1

Disable autoscaling on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --cluster=mycluster  --enable-autoscaling=false --replicas=3 --name=mp1

Modify the autoscaling range on a machine pool named mp1 on a cluster named mycluster.

$ rosa edit machinepool --max-replicas=9 --cluster=mycluster --name=mp1

Associate a KubeletConfig object with an existing machine pool on a Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) cluster.

$ rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids --name high-pid-pool

8.2.6. Delete objects

This section describes the delete commands for clusters and resources.

8.2.6.1. delete admin

Deletes a cluster administrator from a specified cluster.

Syntax

$ rosa delete admin --cluster=<cluster_name> | <cluster_id>

Table 8.41. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to add to the identity provider (IDP).

Table 8.42. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Delete a cluster administrator from a cluster named mycluster.

$ rosa delete admin --cluster=mycluster

8.2.6.2. delete cluster

Deletes a cluster.

Syntax

$ rosa delete cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.43. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to delete.
--watch	Watches the cluster uninstallation logs.
--best-effort	Skips steps in the cluster destruction chain that are known to cause the cluster deletion process to fail. You should use this option with care and it is recommended that you manually check your AWS account for any resources that might be left over after using `--best-effort`.

Table 8.44. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Examples

Delete a cluster named mycluster.

$ rosa delete cluster --cluster=mycluster

8.2.6.3. delete external-auth-provider

Deletes an external authentication provider from a cluster.

Syntax

$ rosa delete external-auth-provider <name_of_external_auth_provider> --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.45. Arguments
Option	Definition
--cluster	Required. The name or ID string of the cluster the external auth provider will be deleted from.

Table 8.46. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile string from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Delete an identity provider named exauth-1 from a cluster named mycluster.

$ rosa delete external-auth-provider exauth-1 --cluster=mycluster

8.2.6.4. delete idp

Deletes a specific identity provider (IDP) from a cluster.

Syntax

$ rosa delete idp --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.47. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the IDP will be deleted.

Table 8.48. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Delete an identity provider named github from a cluster named mycluster.

$ rosa delete idp github --cluster=mycluster

8.2.6.5. delete ingress

Deletes a non-default application router (ingress) from a cluster.

Syntax

$ rosa delete ingress --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.49. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the ingress will be deleted.

Table 8.50. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Examples

Delete an ingress with the ID a1b2 from a cluster named mycluster.

$ rosa delete ingress --cluster=mycluster a1b2

Delete a secondary ingress with the subdomain name apps2 from a cluster named mycluster.

$ rosa delete ingress --cluster=mycluster apps2

8.2.6.6. delete kubeletconfig

Delete a custom KubeletConfig object from a cluster.

Syntax

$ rosa delete kubeletconfig --cluster=<cluster_name|cluster_id> [flags]

Table 8.51. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which you want to delete the `KubeletConfig` object.
-h, --help	Shows help for this command.
--name	Required for Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters. Optional for Red Hat OpenShift Service on AWS, as there is only one `KubeletConfig` for the cluster. Specifies a name for the `KubeletConfig` object.
-y, --yes	Automatically answers `yes` to confirm the operation.

8.2.6.7. delete machinepool

Deletes a machine pool from a cluster.

Syntax

$ rosa delete machinepool --cluster=<cluster_name> | <cluster_id> <machine_pool_id>

Table 8.52. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pool will be deleted from.

Table 8.53. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Delete the machine pool with the ID mp-1 from a cluster named mycluster.

$ rosa delete machinepool --cluster=mycluster mp-1

8.2.7. Install and uninstall add-ons

This section describes how to install and uninstall Red Hat managed service add-ons to a cluster.

8.2.7.1. install addon

Installs a managed service add-on on a cluster.

Syntax

$ rosa install addon --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.54. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster where the add-on will be installed.

Table 8.55. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Uses a specific AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Add the dbaas-operator add-on installation to a cluster named mycluster.

$ rosa install addon --cluster=mycluster dbaas-operator

8.2.7.2. uninstall addon

Uninstalls a managed service add-on from a cluster.

Syntax

$ rosa uninstall addon --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.56. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the add-on will be uninstalled from.

Table 8.57. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Uses a specific AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Remove the dbaas-operator add-on installation from a cluster named mycluster.

$ rosa uninstall addon --cluster=mycluster dbaas-operator

8.2.8. List and describe objects

This section describes the list and describe commands for clusters and resources.

8.2.8.1. list addon

List the managed service add-on installations.

Syntax

$ rosa list addons --cluster=<cluster_name> | <cluster_id>

Table 8.58. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to list the add-ons for.

Table 8.59. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.8.2. List break glass credentials

List all of the break glass credentials for a cluster.

Syntax

$ rosa list break-glass-credential [arguments]

Table 8.60. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the break glass credentials have been added.

Table 8.61. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the break glass credentials for a cluster named mycluster.

$ rosa list break-glass-credential --cluster=mycluster

8.2.8.3. list clusters

List all of your clusters.

Syntax

$ rosa list clusters [arguments]

Table 8.62. Arguments
Option	Definition
--count	The number (integer) of clusters to display. Default: `100`

Table 8.63. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.8.4. list external-auth-provider

List any external authentication providers for a cluster.

Syntax

$ rosa list external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.64. Arguments
Option	Definition
--cluster	Required: The name or ID string of the cluster that the external authentication provider will be listed for.

Table 8.65. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile string from your credentials file.

Example

List any external authentication providers for a cluster named mycluster.

$ rosa list external-auth-provider --cluster=mycluster

8.2.8.5. list idps

List all of the identity providers (IDPs) for a cluster.

Syntax

$ rosa list idps --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.66. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the IDPs will be listed for.

Table 8.67. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all identity providers (IDPs) for a cluster named mycluster.

$ rosa list idps --cluster=mycluster

8.2.8.6. list ingresses

List all of the API and ingress endpoints for a cluster.

Syntax

$ rosa list ingresses --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.68. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the IDPs will be listed for.

Table 8.69. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all API and ingress endpoints for a cluster named mycluster.

$ rosa list ingresses --cluster=mycluster

8.2.8.7. list instance-types

List all of the available instance types for use with ROSA. Availability is based on the account’s AWS quota.

Syntax

$ rosa list instance-types [arguments]

Table 8.70. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--output	The output format. Allowed formats are `json` or `yaml`.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all instance types.

$ rosa list instance-types

8.2.8.8. list kubeletconfigs

List the KubeletConfig objects configured on a cluster.

Syntax

$ rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.71. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pools will be listed for.

Table 8.72. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

List all of the KubeletConfig objects on a cluster named mycluster.

$ rosa list kubeletconfigs --cluster=mycluster

8.2.8.9. list machinepools

List the machine pools configured on a cluster.

Syntax

$ rosa list machinepools --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.73. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pools will be listed for.

Table 8.74. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the machine pools on a cluster named mycluster.

$ rosa list machinepools --cluster=mycluster

8.2.8.10. list regions

List all of the available regions for the current AWS account.

Syntax

$ rosa list regions [arguments]

Table 8.75. Arguments
Option	Definition
--multi-az	Lists regions that provide support for multiple availability zones.

Table 8.76. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the available regions.

$ rosa list regions

8.2.8.11. list upgrades

List all available and scheduled cluster version upgrades.

Syntax

$ rosa list upgrades --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.77. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the available upgrades will be listed for.

Table 8.78. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the available upgrades for a cluster named mycluster.

$ rosa list upgrades --cluster=mycluster

8.2.8.12. list users

List the cluster administrator and dedicated administrator users for a specified cluster.

Syntax

$ rosa list users --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.79. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the cluster administrators will be listed for.

Table 8.80. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the cluster administrators and dedicated administrators for a cluster named mycluster.

$ rosa list users --cluster=mycluster

8.2.8.13. list versions

List all of the OpenShift versions that are available for creating a cluster.

Syntax

$ rosa list versions [arguments]

Table 8.81. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the OpenShift Container Platform versions.

$ rosa list versions

8.2.8.14. describe admin

Show the details of a specified cluster-admin user and a command to log in to the cluster.

Syntax

$ rosa describe admin --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.82. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to which the cluster-admin belongs.

Table 8.83. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe the cluster-admin user for a cluster named mycluster.

$ rosa describe admin --cluster=mycluster

8.2.8.15. describe addon

Show the details of a managed service add-on.

Syntax

$ rosa describe addon <addon_id> | <addon_name> [arguments]

Table 8.84. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe an add-on named dbaas-operator.

$ rosa describe addon dbaas-operator

8.2.8.16. describe break glass credential

Shows the details for a break glass credential for a specific cluster.

Syntax

$ rosa describe break-glass-credential --id=<break_glass_credential_id> --cluster=<cluster_name>| <cluster_id> [arguments]

Table 8.85. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.
--id	Required: The ID (string) of the break glass credential.
--kubeconfig	Optional: Retrieves the kubeconfig from the break glass credential.

Table 8.86. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.8.17. describe cluster

Shows the details for a cluster.

Syntax

$ rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.87. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.88. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--get-role-policy-bindings	Lists the policies that are attached to the STS roles assigned to the cluster.

Example

Describe a cluster named mycluster.

$ rosa describe cluster --cluster=mycluster

8.2.8.18. describe kubeletconfig

Show the details of a custom KubeletConfig object.

Syntax

$ rosa describe kubeletconfig --cluster=<cluster_name|cluster_id> [flags]

Table 8.89. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which you want to view the `KubeletConfig` object.
-h, --help	Shows help for this command.
--name	Optional. Specifies the name of the `KubeletConfig` object to describe.
-o, --output string	-o, --output string

8.2.8.19. describe machinepool

Describes a specific machine pool configured on a cluster.

Syntax

$ rosa describe machinepool --cluster=<cluster_name> --machinepool=<machinepool_name>| <cluster_id> <machinepool_id> [arguments]

Table 8.90. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.
--machinepool	Required: The name or ID (string) of the machinepool.

Table 8.91. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe a machine pool named mymachinepool on a cluster named mycluster.

$ rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool

8.2.9. Revoke objects

This section describes the revoke commands for clusters and resources.

8.2.9.1. revoke-break-glass-credential

Revokes all break glass credentials from a specified hosted control plane cluster with external authentication enabled.

Syntax

$ rosa revoke break-glass-credential --cluster=<cluster_name> | <cluster_id>

Table 8.92. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the break glass credentials will be deleted.

Table 8.93. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers `yes` to confirm the operation.

Example

Revoke the break glass credentials from a cluster named mycluster.

$ rosa revoke break-glass-credential --cluster=mycluster

8.2.10. Upgrade and delete upgrade for objects

This section describes the upgrade command usage for objects.

8.2.10.1. upgrade cluster

Schedule a cluster upgrade.

Syntax

$ rosa upgrade cluster --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.94. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the upgrade will be scheduled for.
--interactive	Enables interactive mode.
--version	The version (string) of OpenShift Container Platform that the cluster will be upgraded to.
--schedule-date	The next date (string) when the upgrade will run at the specified time. Format: `yyyy-mm-dd`
--schedule-time	The next time the upgrade will run on the specified date. Format: `HH:mm`
--node-drain-grace-period ^[1]	Sets a grace period (string) for how long the pod disruption budget-protected workloads are respected during upgrades. After this grace period, any workloads protected by pod disruption budgets that have not been successfully drained from a node will be forcibly evicted. Default: `1 hour`
--control-plane ^[2]	Upgrades the cluster’s hosted control plane.

Classic clusters only
ROSA with HCP clusters only

Table 8.95. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.

Examples

Interactively schedule an upgrade on a cluster named mycluster.

$ rosa upgrade cluster --cluster=mycluster --interactive

Schedule a cluster upgrade within the hour on a cluster named mycluster.

$ rosa upgrade cluster --cluster=mycluster --version 4.5.20

8.2.10.2. delete cluster upgrade

Cancel a scheduled cluster upgrade.

Syntax

$ rosa delete upgrade --cluster=<cluster_name> | <cluster_id>

Table 8.96. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the upgrade will be cancelled for.

Table 8.97. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--yes	Automatically answers `yes` to confirm the operation.

8.2.10.3. upgrade machinepool

Upgrades a specific machine pool configured on a cluster.

Note

The upgrade command for machinepools applies to ROSA with HCP clusters only.

Syntax

$ rosa upgrade machinepool --cluster=<cluster_name> <machinepool_name>

Table 8.98. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.99. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Upgrade a machine pool on a cluster named mycluster.

$ rosa upgrade machinepool --cluster=mycluster

8.2.10.4. delete machinepool upgrade

Cancel a scheduled machinepool upgrade.

Syntax

$ rosa delete upgrade --cluster=<cluster_name> <machinepool_name>

Table 8.100. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.101. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.10.5. upgrade roles

Upgrades roles configured on a cluster.

Syntax

$ rosa upgrade roles --cluster=<cluster_id>

Table 8.102. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.103. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Upgrade roles on a cluster named mycluster.

$ rosa upgrade roles --cluster=mycluster

8.3. Checking account and version information with the ROSA CLI

Use the following commands to check your account and version information.

8.3.1. whoami

Display information about your AWS and Red Hat accounts by using the following command syntax:

Syntax

$ rosa whoami [arguments]

Table 8.104. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

$ rosa whoami

8.3.2. version

Display the version of your rosa CLI by using the following command syntax:

Syntax

$ rosa version [arguments]

Table 8.105. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

$ rosa version

8.4. Checking logs with the ROSA CLI

Use the following commands to check your install and uninstall logs.

8.4.1. logs install

Show the cluster install logs by using the following command syntax:

Syntax

$ rosa logs install --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.106. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to get logs for.
--tail	The number (integer) of lines to get from the end of the log. Default: `2000`
--watch	Watches for changes after getting the logs.

Table 8.107. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Show the last 100 install log lines for a cluster named mycluster:

$ rosa logs install mycluster --tail=100

Show the install logs for a cluster named mycluster:

$ rosa logs install --cluster=mycluster

8.4.2. logs uninstall

Show the cluster uninstall logs by using the following command syntax:

Syntax

$ rosa logs uninstall --cluster=<cluster_name> | <cluster_id> [arguments]

Table 8.108. Arguments
Option	Definition
--cluster	The name or ID (string) of the cluster to get logs for.
--tail	The number (integer) of lines to get from the end of the log. Default: `2000`
--watch	Watches for changes after getting the logs.

Table 8.109. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Show the last 100 uninstall logs for a cluster named mycluster:

$ rosa logs uninstall --cluster=mycluster --tail=100

8.5. Least privilege permissions for ROSA CLI commands

You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift Service on AWS (ROSA) command line interface (CLI).

Important

Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.

Note

The examples listed cover several of the most common ROSA CLI commands. For more information regarding ROSA CLI commands, see Common commands and arguments.

For more information about configuring permissions, policies, and roles in the AWS console, see AWS Identity and Access Management in the AWS documentation.

8.5.1. Least privilege permissions for common ROSA CLI commands

The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.

8.5.1.1. Create a managed OpenID Connect (OIDC) provider

Run the following command with the specified permissions to create your managed OIDC provider by using auto mode.

Input

$ rosa create oidc-config --mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:TagOpenIDConnectProvider",
                "iam:CreateOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.2. Create an unmanaged OpenID Connect provider

Run the following command with the specified permissions to create your unmanaged OIDC provider by using auto mode.

Input

$ rosa create oidc-config --mode auto --managed=false

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:TagOpenIDConnectProvider",
                "iam:ListRoleTags",
                "iam:ListRoles",
                "iam:CreateOpenIDConnectProvider",
                "s3:CreateBucket",
                "s3:PutObject",
                "s3:PutBucketTagging",
                "s3:PutBucketPolicy",
                "s3:PutObjectTagging",
                "s3:PutBucketPublicAccessBlock",
                "secretsmanager:CreateSecret",
                "secretsmanager:TagResource"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.3. List your account roles

Run the following command with the specified permissions to list your account roles.

Input

$ rosa list account-roles

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.4. List your Operator roles

Run the following command with the specified permissions to list your Operator roles.

Input

$ rosa list operator-roles

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.5. List your OIDC providers

Run the following command with the specified permissions to list your OIDC providers.

Input

$ rosa list oidc-providers

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "ListOidcProviders",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:ListOpenIDConnectProviderTags"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.6. Verify your quota

Run the following command with the specified permissions to verify your quota.

Input

$ rosa verify quota

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VerifyQuota",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:DescribeAccountLimits",
                "servicequotas:ListServiceQuotas"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.7. Delete your managed OIDC configuration

Run the following command with the specified permissions to delete your managed OIDC configuration by using auto mode.

Input

$ rosa delete oidc-config -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteOidcConfig",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider"
            ],
            "Resource": "*"
        }
    ]
}

8.5.1.8. Delete your unmanaged OIDC configuration

Run the following command with the specified permissions to delete your unmanaged OIDC configuration by using auto mode.

Input

$ rosa delete oidc-config -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:ListOpenIDConnectProviders",
                "iam:DeleteOpenIDConnectProvider",
                "secretsmanager:DeleteSecret",
                "s3:ListBucket",
                "s3:DeleteObject",
                "s3:DeleteBucket"
            ],
            "Resource": "*"
        }
    ]
}

8.5.2. Least privilege permissions for common ROSA with HCP CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.

8.5.2.1. Create a cluster

Run the following command with the specified permissions to create ROSA with HCP clusters.

Input

$ rosa create cluster --hosted-cp

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "ec2:DescribeSubnets",
                "ec2:DescribeRouteTables",
                "ec2:DescribeAvailabilityZones"
            ],
            "Resource": "*"
        }
    ]
}

8.5.2.2. Create your account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles by using auto mode.

Input

$ rosa create account-roles --mode auto --hosted-cp

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

8.5.2.3. Delete your account roles

Run the following command with the specified permissions to delete the account roles in auto mode.

Input

$ rosa delete account-roles -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteAccountRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies"
            ],
            "Resource": "*"
        }
    ]
}

8.5.2.4. Delete your Operator roles

Run the following command with the specified permissions to delete your Operator roles in auto mode.

Input

$ rosa delete operator-roles -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "DeleteOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole"
            ],
            "Resource": "*"
        }
    ]
}

8.5.3. Least privilege permissions for common ROSA Classic CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.

8.5.3.1. Create a cluster

Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.

Input

$ rosa create cluster

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateCluster",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListRoleTags",
                "iam:ListRoles"
            ],
            "Resource": "*"
        }
    ]
}

8.5.3.2. Create account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles in `auto' mode.

Input

$ rosa create account-roles --mode auto --classic

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "CreateAccountOperatorRoles",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:UpdateAssumeRolePolicy",
                "iam:ListRoleTags",
                "iam:GetPolicy",
                "iam:TagRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy",
                "iam:TagPolicy",
                "iam:CreatePolicy",
                "iam:ListPolicyTags"
            ],
            "Resource": "*"
        }
    ]
}

8.5.3.3. Delete your account roles

Run the following command with the specified permissions to delete the account roles in auto mode.

Input

$ rosa delete account-roles -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}

8.5.3.4. Delete your Operator roles

Run the following command with the specified permissions to delete the Operator roles in auto mode.

Input

$ rosa delete operator-roles -–mode auto

Policy

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:GetRole",
                "iam:ListInstanceProfilesForRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:ListRoles",
                "iam:DeleteRole",
                "iam:ListRolePolicies",
                "iam:GetPolicy",
                "iam:ListPolicyVersions",
                "iam:DeletePolicy"
            ],
            "Resource": "*"
        }
    ]
}

8.5.4. ROSA CLI commands with no required permissions

The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.

Table 8.110. Commands
Command	Input
list cluster	`$ rosa list cluster`
list versions	`$ rosa list versions`
describe cluster	`$ rosa describe cluster -c <cluster name>`
create admin	`$ rosa create admin -c <cluster name>`
list users	`$ rosa list users -c <cluster-name>`
list upgrades	`$ rosa list upgrades`
list OIDC configuration	`$ rosa list oidc-config`
list identity providers	`$ rosa list idps -c <cluster-name>`
list ingresses	`$ rosa list ingresses -c <cluster-name>`

8.5.5. Additional resources

For more information about AWS roles, see IAM roles.
For more information about AWS policies and permissions, see Policies and permissions in IAM.