What IAM role is required to use OCM operations for ROSA + STS through rosa cli ?

Solution Unverified - Updated

Environment

  • Red Hat OpenShift Service on AWS

Issue

  • You want to determine the minimum IAM role required for a new operation-only IAM user to manage your ROSA + STS cluster with the rosa CLI, performing the same operations that are available in the OCM web console.

Resolution

  • You do not need to grant any IAM role or AWS console access permission to the IAM user in order to run the rosa CLI. Operations that are also available in the OCM web console, such as adding an IdP or changing a machine pool setting, have no dependency on an IAM role.
  • In other words, as long as you have a Red Hat account that is at least the owner of the ROSA + STS cluster, you can perform OCM operations through the OCM API (api.openshift.com) using the rosa CLI.
  • Some sub-operations that do not change the ROSA configuration, such as listing account roles or regions, do require an IAM role with access to the corresponding AWS resources, but those are not OCM operations.

Root Cause

  • Unlike the aws CLI, the rosa CLI does not depend on an IAM role directly, because it applies configuration changes only through the OCM API (api.openshift.com).

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
