ROSA CLI Default to STS

Updated -

Red Hat OpenShift Service on AWS

ROSA CLI Change of Default Action When Creating a Cluster

The Background

  • The ROSA CLI is capable of creating a ROSA cluster using two different AWS credential modes: STS and non-STS (mint-mode)
  • For ROSA CLI 1.2.8 and older, the default for this credential mode selection is non-STS mode, which uses long-term AWS credentials for the AWS role that the cluster requires for installation and functionality.
  • For ROSA CLI 1.2.8 and older, if the user initiates cluster creation with rosa create cluster and relying on default selections, the cluster would be created with non-STS mode. Alternatively, to create a cluster with STS mode, and using default selections, the following command is valid: rosa create cluster --sts.
  • Red Hat is dedicated to secure usage patterns with our products and services, which is the driving force behind this change of default workflow. We believe that AWS Security Token Service is the most secure method to interact with AWS cloud APIs.

The Change

  • As of ROSA CLI version 1.3.0 the ROSA CLI will default to STS mode for cluster creation.
  • This change means that this command will default to a STS-mode cluster: rosa create cluster.
    • Additionally, the --sts in rosa create cluster --sts becomes redundant.
  • For those that still wish to create non-STS clusters, you must specify that mode:
    • as of ROSA CLI 1.3.0 rosa create cluster --non-sts


  • If you utilise automation or scripting that relies on the defaults provided with the ROSA CLI, then you may need to change your automation or scripting to accomodate this new default.
  • In general, if you previously relied on the ROSA CLI defaults for cluster creation, the cluster creation workflow is different when using STS by default. You need to prepare appropriate AWS IAM STS roles and policies before creating a cluster. Please familiarise with ROSA STS workflow, from official documentation.

Further Resources