Ce contenu n'est pas disponible dans la langue sélectionnée.

Chapter 8. Setting up the environment for using STS


After you meet the AWS prerequisites, set up your environment and install Red Hat OpenShift Service on AWS (ROSA).

Tip

AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on Red Hat OpenShift Service on AWS (ROSA) because it provides enhanced security.

8.1. Setting up the environment for STS

Before you create a Red Hat OpenShift Service on AWS (ROSA) cluster that uses the AWS Security Token Service (STS), complete the following steps to set up your environment.

Prerequisites

  • Review and complete the deployment prerequisites and policies.
  • Create a Red Hat account, if you do not already have one. Then, check your email for a verification link. You will need these credentials to install ROSA.

Procedure

  1. Log in to the Amazon Web Services (AWS) account that you want to use.

    It is recommended to use a dedicated AWS account to run production clusters. If you are using AWS Organizations, you can use an AWS account within your organization or create a new one.

    If you are using AWS Organizations and you need to have a service control policy (SCP) applied to the AWS account you plan to use, these policies must not be more restrictive than the roles and policies required by the cluster.

  2. Enable the ROSA service in the AWS Management Console.

    1. Sign in to your AWS account.
    2. To enable ROSA, go to the ROSA service and select Enable OpenShift.
  3. Install and configure the AWS CLI.

    1. Follow the AWS command-line interface documentation to install and configure the AWS CLI for your operating system.

      Specify the correct aws_access_key_id and aws_secret_access_key in the .aws/credentials file. See AWS Configuration basics in the AWS documentation.

    2. Set a default AWS region.

      Note

      You can use the environment variable to set the default AWS region.

      The ROSA service evaluates regions in the following priority order:

      1. The region specified when running the rosa command with the --region flag.
      2. The region set in the AWS_DEFAULT_REGION environment variable. See Environment variables to configure the AWS CLI in the AWS documentation.
      3. The default region set in your AWS configuration file. See Quick configuration with aws configure in the AWS documentation.
    3. Optional: Configure your AWS CLI settings and credentials by using an AWS named profile. rosa evaluates AWS named profiles in the following priority order:

      1. The profile specified when running the rosa command with the --profile flag.
      2. The profile set in the AWS_PROFILE environment variable. See Named profiles in the AWS documentation.
    4. Verify the AWS CLI is installed and configured correctly by running the following command to query the AWS API:

      $ aws sts get-caller-identity
  4. Install the latest version of the ROSA CLI (rosa).

    1. Download the latest release of the ROSA CLI for your operating system.
    2. Optional: Rename the file you downloaded to rosa and make the file executable. This documentation uses rosa to refer to the executable file.

      $ chmod +x rosa
    3. Optional: Add rosa to your path.

      $ mv rosa /usr/local/bin/rosa
    4. Enter the following command to verify your installation:

      $ rosa

      Example output

      Command line tool for Red Hat OpenShift Service on AWS.
      For further documentation visit https://access.redhat.com/documentation/en-us/red_hat_openshift_service_on_aws
      
      Usage:
        rosa [command]
      
      Available Commands:
        completion  Generates completion scripts
        create      Create a resource from stdin
        delete      Delete a specific resource
        describe    Show details of a specific resource
        download    Download necessary tools for using your cluster
        edit        Edit a specific resource
        grant       Grant role to a specific resource
        help        Help about any command
        init        Applies templates to support Red Hat OpenShift Service on AWS
        install     Installs a resource into a cluster
        link        Link a ocm/user role from stdin
        list        List all resources of a specific type
        login       Log in to your Red Hat account
        logout      Log out
        logs        Show installation or uninstallation logs for a cluster
        revoke      Revoke role from a specific resource
        uninstall   Uninstalls a resource from a cluster
        unlink      UnLink a ocm/user role from stdin
        upgrade     Upgrade a resource
        verify      Verify resources are configured correctly for cluster install
        version     Prints the version of the tool
        whoami      Displays user account information
      
      Flags:
            --color string   Surround certain characters with escape sequences to display them in color on the terminal. Allowed options are [auto never always] (default "auto")
            --debug          Enable debug mode.
        -h, --help           help for rosa
      
      Use "rosa [command] --help" for more information about a command.

    5. Generate the command completion scripts for the ROSA CLI. The following example generates the Bash completion scripts for a Linux machine:

      $ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
    6. Source the scripts to enable rosa command completion from your existing terminal. The following example sources the Bash completion scripts for rosa on a Linux machine:

      $ source /etc/bash_completion.d/rosa
  5. Log in to your Red Hat account with the ROSA CLI.

    1. Enter the following command.

      $ rosa login
    2. Replace <my_offline_access_token> with your token.

      Example output

      To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
      ? Copy the token and paste it here: <my-offline-access-token>

      Example output continued

      I: Logged in as '<rh-rosa-user>' on 'https://api.openshift.com'

  6. Verify that your AWS account has the necessary quota to deploy a ROSA cluster.

    $ rosa verify quota [--region=<aws_region>]

    Example output

    I: Validating AWS quota...
    I: AWS quota ok

    Note

    Sometimes your AWS quota varies by region. If you receive any errors, try a different region.

    If you need to increase your quota, go to the AWS Management Console and request a quota increase for the service that failed.

    After the quota check succeeds, proceed to the next step.

  7. Prepare your AWS account for cluster deployment:

    1. Run the following command to verify your Red Hat and AWS credentials are setup correctly. Check that your AWS Account ID, Default Region and ARN match what you expect. You can safely ignore the rows beginning with OpenShift Cluster Manager for now.

      $ rosa whoami

      Example output

      AWS Account ID:               000000000000
      AWS Default Region:           us-east-1
      AWS ARN:                      arn:aws:iam::000000000000:user/hello
      OCM API:                      https://api.openshift.com
      OCM Account ID:               1DzGIdIhqEWyt8UUXQhSoWaaaaa
      OCM Account Name:             Your Name
      OCM Account Username:         you@domain.com
      OCM Account Email:            you@domain.com
      OCM Organization ID:          1HopHfA2hcmhup5gCr2uH5aaaaa
      OCM Organization Name:        Red Hat
      OCM Organization External ID: 0000000

  8. Install the OpenShift CLI (oc), version 4.7.9 or greater, from the ROSA (rosa) CLI.

    1. Enter this command to download the latest version of the oc CLI:

      $ rosa download openshift-client
    2. After downloading the oc CLI, unzip it and add it to your path.
    3. Enter this command to verify that the oc CLI is installed correctly:

      $ rosa verify openshift-client

Create roles

After completing these steps, you are ready to set up IAM and OIDC access-based roles.

8.2. Next steps

8.3. Additional resources

Red Hat logoGithubRedditYoutubeTwitter

Apprendre

Essayez, achetez et vendez

Communautés

À propos de la documentation Red Hat

Nous aidons les utilisateurs de Red Hat à innover et à atteindre leurs objectifs grâce à nos produits et services avec un contenu auquel ils peuvent faire confiance.

Rendre l’open source plus inclusif

Red Hat s'engage à remplacer le langage problématique dans notre code, notre documentation et nos propriétés Web. Pour plus de détails, consultez leBlog Red Hat.

À propos de Red Hat

Nous proposons des solutions renforcées qui facilitent le travail des entreprises sur plusieurs plates-formes et environnements, du centre de données central à la périphérie du réseau.

© 2024 Red Hat, Inc.