ROSA STS 4.7 clusters are prevented from upgrading with an annotation on the CloudCredential CustomResource

Solution Verified - Updated -


  • To ensure AWS policies have been updated before enabling ROSA STS 4.7 cluster upgrades, they will require annotation on the CloudCredential CR, by the cluster administrator.
  • ROSA STS clusters upgrading from 4.7 to 4.8 need the below steps to ensure stability of the cluster through and after the upgrade operation.
  • There are warnings in a ROSA STS 4.7 cluster:

    One or more cluster operators have been blocking minor version cluster upgrades for at least an hour for reason MissingUpgradeableAnnotation. For more information refer to https://console-openshift-console.apps.[cluster_name].[xxxx]
    This cluster should not be updated to the next minor version.
    Cluster operator cloud-credential cannot be upgraded between minor versions: Upgradeable annotation on object needs updating before upgrade. See Manually Creating IAM documentation for instructions on preparing a cluster for upgrade.


  • Red Hat OpenShift Service on AWS (ROSA)
    • 4.7
  • AWS security token service (STS)

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content