ROSA STS No Account Roles Found - create cluster
Environment
- Red Hat OpenShift Service on AWS (ROSA)
- 4.8+
- AWS security token service (STS)
- rosa CLI < v1.1.11
Issue
- When attempting to create a ROSA cluster with STS via rosa create cluster --cluster-name <cluster_name> --sts, the command fails with:
W: No account roles found. You will need to manually set them in the next steps or run 'rosa create account-roles' to create them first.
- The warning appears even though the account roles were created with an older version of the ROSA CLI via rosa create account-roles and the roles are visible in AWS.
Resolution
To proceed with a ROSA cluster installation with STS, update the ROSA CLI to v1.1.11 or newer.
It can be downloaded from the OpenShift Downloads page. Alternatively, see the following repo.
Once the rosa CLI is at least v1.1.11, the account roles must be updated. One way to do this is to run rosa create account-roles again (if you have more than one account role group, specify the group with the --prefix parameter):
$ rosa create account-roles
To see a list of your ROSA account roles, use:
$ rosa list account-roles
Once the account roles are updated, you may proceed with cluster creation via rosa create cluster --cluster-name <cluster_name> --sts for ROSA 4.8 clusters and newer.
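The version gate described above, written as a preflight check. This is an added example, not part of the Red Hat solution; it assumes that rosa version prints the version number on its first line, and it only invokes the rosa CLI when ROSA_PREFLIGHT_RUN=1 is set, otherwise it uses a constructed sample.

```shell
#!/bin/sh
# Added example (not from the original solution): gate 'rosa create cluster --sts'
# on the rosa CLI being v1.1.11 or newer, the minimum this article requires.
MIN_ROSA_VERSION="1.1.11"

# version_ge A B: succeed when dotted version A >= B. Compares numerically
# field by field (1.1.9 < 1.1.11, which a string compare would get wrong);
# a leading "v" and trailing suffixes such as "-rc1" are tolerated.
version_ge() {
    a=${1#v}; b=${2#v}
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        x=${x%%[!0-9]*}; y=${y%%[!0-9]*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        [ "${x:-0}" -gt "${y:-0}" ] && return 0
        [ "${x:-0}" -lt "${y:-0}" ] && return 1
    done
    return 0
}

# rosa_version_ok OUTPUT: OUTPUT is the text printed by 'rosa version'.
# Assumption: the version number is on the first line; any further lines
# (for example update notices) are ignored.
rosa_version_ok() {
    first=$(printf '%s\n' "$1" | head -n 1 | tr -d '[:space:]')
    version_ge "$first" "$MIN_ROSA_VERSION"
}

# Constructed sample standing in for the output of an outdated rosa CLI.
SAMPLE_OLD_OUTPUT="1.1.10"

if [ "${ROSA_PREFLIGHT_RUN:-0}" = "1" ]; then
    out=$(rosa version) || { echo "rosa CLI not found in PATH" >&2; exit 2; }
else
    out=$SAMPLE_OLD_OUTPUT
fi

if rosa_version_ok "$out"; then
    echo "rosa CLI OK (>= $MIN_ROSA_VERSION); run 'rosa create account-roles' and then 'rosa create cluster --cluster-name <cluster_name> --sts'"
else
    echo "rosa CLI $(printf '%s\n' "$out" | head -n 1) is older than $MIN_ROSA_VERSION; upgrade before creating STS clusters" >&2
fi
```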
Root Cause
Each OpenShift version may change the STS policies and roles, so the latest rosa CLI (v1.1.11 or newer) is required for ROSA 4.10+, especially when creating ROSA STS clusters, to ensure the requisite STS account roles and policies are current and correctly managed.
Diagnostic Steps
Check the ROSA CLI version:
$ rosa version
This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.