Using the CloudWatch Logging add-on with ROSA STS Clusters

Solution Unverified - Updated -


  • ROSA clusters installed using the Security Token Service (STS) workflow do not have the ability to create the long-lived IAM credentials necessary for the Logging add-on to properly authenticate with AWS CloudWatch.
  • The following message is shown in the clusterlogforwarder resource when installing the Logging add-on in ROSA cluster with STS:

    invalid: unrecognized outputs: [cloudwatch], no valid outputs


  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • AWS Security Token Service (STS)
  • Logging add-on for Amazon CloudWatch
  • Red Hat OpenShift Logging (RHOL)
    • 5

Subscriber exclusive content

A Red Hat subscription provides unlimited access to our knowledgebase, tools, and much more.

Current Customers and Partners

Log in for full access

Log In

New to Red Hat?

Learn more about Red Hat subscriptions

Using a Red Hat product through a public cloud?

How to access this content