Chapter 3. Understanding the ROSA with STS deployment workflow
Before you create a Red Hat OpenShift Service on AWS (ROSA) cluster, you must complete the AWS prerequisites, verify that the required AWS service quotas are available, and set up your environment.
This document provides an overview of the ROSA with STS deployment workflow stages and refers to detailed resources for each stage.
3.1. Overview of the ROSA with STS deployment workflow
The AWS Security Token Service (STS) is a global web service that provides short-term credentials for IAM or federated users. You can use AWS STS with Red Hat OpenShift Service on AWS (ROSA) to allocate temporary, limited-privilege credentials for component-specific IAM roles. The service enables cluster components to make AWS API calls using secure cloud resource management practices.
You can follow the workflow stages outlined in this section to set up and access a ROSA cluster that uses STS.
- Complete the AWS prerequisites for ROSA with STS. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements.
- Review the required AWS service quotas. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster.
- Set up the environment and install ROSA using STS. Before you create a ROSA with STS cluster, you must enable ROSA in your AWS account, install and configure the required CLI tools, and verify the configuration of the CLI tools. You must also verify that the AWS Elastic Load Balancing (ELB) service role exists and that the required AWS resource quotas are available.
- Create a ROSA cluster with STS quickly or create a cluster using customizations. Use the ROSA CLI (rosa) or Red Hat OpenShift Cluster Manager to create a cluster with STS. You can create a cluster quickly by using the default options, or you can apply customizations to suit the needs of your organization.
- Access your cluster. You can configure an identity provider and grant cluster administrator privileges to the identity provider users as required. You can also access a newly deployed cluster quickly by configuring a
- Revoke access to a ROSA cluster for a user. You can revoke access to a ROSA with STS cluster from a user by using the ROSA CLI or the web console.
- Delete a ROSA cluster. You can delete a ROSA with STS cluster by using the ROSA CLI (rosa). After deleting a cluster, you can delete the STS resources by using the AWS Identity and Access Management (IAM) Console.
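The environment setup stage above asks you to confirm that the CLI tools are configured, that the AWS Elastic Load Balancing service role exists, and that the required quotas are available before you create a cluster. The following pre-flight script is an added example, not Red Hat's or the rosa CLI's own tooling. It assumes the aws and rosa CLIs are installed with credentials already configured, uses the AWS-fixed service-linked role name AWSServiceRoleForElasticLoadBalancing, and classifies the caller identity from its ARN so an operator can confirm they are running with STS temporary credentials rather than long-lived IAM user keys. The RUN_PREFLIGHT guard is an assumption of this script, not a rosa convention.

```shell
#!/usr/bin/env bash
# Pre-flight checks for the "set up the environment" stage of a ROSA with STS
# deployment. Example code, not part of Red Hat's documentation or the rosa CLI.
# Assumes: the aws and rosa CLIs are installed and credentials are configured.
set -u

# Service-linked role name fixed by AWS for Elastic Load Balancing.
ELB_ROLE="AWSServiceRoleForElasticLoadBalancing"

# Return 0 if a command is on PATH.
have_cli() { command -v "$1" >/dev/null 2>&1; }

# Print the ARN of the current AWS caller identity; fail if credentials are unusable.
caller_arn() {
  aws sts get-caller-identity --query Arn --output text 2>/dev/null
}

# Classify a caller ARN: "sts" for temporary credentials from an assumed role,
# "iam-user" for long-lived IAM user keys, "unknown" for anything else (e.g. root).
credential_kind() {
  case "$1" in
    *:assumed-role/*) echo "sts" ;;
    *:user/*)         echo "iam-user" ;;
    *)                echo "unknown" ;;
  esac
}

# Return 0 if the ELB service-linked role exists in this account.
elb_role_exists() {
  aws iam get-role --role-name "$ELB_ROLE" >/dev/null 2>&1
}

# Create the ELB service-linked role only if it is missing.
ensure_elb_role() {
  if elb_role_exists; then
    echo "ok: $ELB_ROLE exists"
    return 0
  fi
  echo "creating $ELB_ROLE"
  aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
}

# Run every check; return non-zero if any of them failed.
preflight() {
  rc=0
  for cli in aws rosa; do
    have_cli "$cli" || { echo "missing: $cli CLI"; rc=1; }
  done
  [ "$rc" -eq 0 ] || return "$rc"

  arn=$(caller_arn) || { echo "aws credentials are not configured"; return 1; }
  kind=$(credential_kind "$arn")
  echo "caller: $arn ($kind)"
  [ "$kind" = "sts" ] || echo "note: caller is not using STS temporary credentials"

  ensure_elb_role || rc=1
  rosa whoami || rc=1          # confirms the rosa CLI can see your Red Hat and AWS identities
  rosa verify quota || rc=1    # checks the AWS service quotas that a ROSA cluster needs
  return "$rc"
}

# Run the checks when invoked with RUN_PREFLIGHT=1 (hypothetical guard for this script).
if [ "${RUN_PREFLIGHT:-0}" = "1" ]; then
  preflight
fi
```

Run it with `RUN_PREFLIGHT=1 ./preflight.sh`, or source it and call `preflight` from another script. The credential classification is only a hint from the ARN shape; it does not prove which policies the role carries, so the `rosa verify quota` and `rosa whoami` results are still the authoritative checks.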
3.2. Additional resources
- For information about using the ROSA deployment workflow to create a cluster that does not use AWS STS, see Understanding the ROSA deployment workflow.