ROSA installation fails with CLUSTERS-MGMT-400 and error: Failed to get list of available aws cloud regions
Environment
- Red Hat OpenShift Service on AWS (ROSA)
- 4
Issue
- The rosa create cluster command fails with the following error:
E: Failed to retrieve AWS regions: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400' and operation identifier is 'xxxxxxxxx': Failed to get list of available aws cloud regions.
Resolution
Refer to How to check the permissions for AWS roles needed for ROSA STS clusters? to confirm that all the required permissions for installing ROSA are in place, or add the required permissions to the policies. It is also possible to delete and recreate the roles.
If all the roles have the correct permissions, review the AWS organization permissions and service control policies (SCPs), which could contain an explicit deny for specific operations.
Root Cause
One possible reason is that the AWS account has an explicit deny for specific operations. Review the AWS organization permissions and SCPs that could prevent the installation of ROSA clusters.
Diagnostic Steps
Check the output of the rosa list regions command, and the output of the same command with the --debug parameter added:
$ rosa list regions
E: Failed to fetch regions: Failed to get list of available aws cloud regions.
$ rosa list regions --debug
Check whether the AWS user is able to list the regions with the AWS CLI commands aws account list-regions and aws ec2 describe-regions, for example:
$ aws account list-regions
An error occurred (AccessDeniedException) when calling the ListRegions operation: User: arn:aws:sts::XXXXXXXXXX:assumed-role/XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX/XXXXXXXXXXXXXXXX is not authorized to perform: account:ListRegions on resource: arn:aws:account::XXXXXXXXXXXXXXXXXXXXXXXX:account with an explicit deny
If the message shows that the account is not authorized with an "explicit deny", review the user permissions with the AWS administrator.
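When reviewing SCPs for the explicit deny, a small script can flag which Deny statements cover the two region-listing actions checked above. The following is an added example, not part of the original solution or of the rosa tooling; the sample policy, its Sids, and the function names are constructed for illustration.

```python
import fnmatch
import json

# IAM actions behind the two AWS CLI checks in the diagnostic steps.
REGION_ACTIONS = ("account:ListRegions", "ec2:DescribeRegions")

# Constructed sample policy, not taken from any real organization.
SAMPLE_SCP = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Sid": "DenyOutsideApprovedRegions", "Effect": "Deny",
   "NotAction": ["iam:*", "organizations:*", "sts:*", "ec2:Describe*"],
   "Resource": "*",
   "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1"]}}},
  {"Sid": "DenyAccountApi", "Effect": "Deny", "Action": "account:*", "Resource": "*"},
  {"Sid": "AllowAll", "Effect": "Allow", "Action": "*", "Resource": "*"}
]}
""")

def _as_list(value):
    # Policy fields may hold a single value or a list; normalise to a list.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]

def _matches(action, patterns):
    # Action names are case-insensitive; '*' and '?' act as wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), str(p).lower()) for p in patterns)

def denying_statements(policy_doc, actions=REGION_ACTIONS):
    """Return (sid, action, has_condition) for each Deny statement covering an action."""
    # Resource and Condition are not evaluated: a hit with has_condition=True
    # denies only when its condition is met and needs manual review.
    findings = []
    for index, stmt in enumerate(_as_list(policy_doc.get("Statement"))):
        if stmt.get("Effect") != "Deny":
            continue
        sid = stmt.get("Sid", f"statement[{index}]")
        for action in actions:
            if "NotAction" in stmt:  # denies everything except the listed actions
                covered = not _matches(action, _as_list(stmt["NotAction"]))
            else:
                covered = _matches(action, _as_list(stmt.get("Action")))
            if covered:
                findings.append((sid, action, "Condition" in stmt))
    return findings

if __name__ == "__main__":
    for sid, action, conditional in denying_statements(SAMPLE_SCP):
        print(f"{sid}: denies {action}" + (" (conditional)" if conditional else ""))
```

The policy document to pass in is the Content value returned by aws organizations describe-policy for each SCP attached to the account or its parent organizational units.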
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.