Failed in creating openshift cluster via rosa command to AWS

Solution Verified

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • Creation of a ROSA STS cluster failed during installation.
  • Missing role: ManagedOpenShift-Installer-Role.

Resolution

  • Verify that the ManagedOpenShift-Installer-Role exists in AWS IAM.
  • Make sure the policy attached to the role allows ec2:DescribeRegions.
  • Check that no permissions boundary is set on the role (for troubleshooting purposes).
  • Also check that the trust relationship of the role allows arn:aws:iam::XXXXXXXXX:role/RH-Managed-OpenShift-Installer to assume it.
    See also: Methods of account-wide role creation

  • If all of the above is in place but the issue persists, open a support case with AWS to troubleshoot the permission issue further.

Root Cause

  • The request reached AWS but was denied because of a permission issue on the installer role.

Diagnostic Steps

  • Check the AWS CloudTrail event logs; the denied call is recorded as an ec2:DescribeRegions request made by the assumed ManagedOpenShift-Installer-Role session:
{
    "eventVersion": "1.XX",
    "userIdentity": {
        "type": "AssumedRole",
        "principalId": "XXXXXXXXX:OCM",
        "arn": "arn:aws:sts::XXXXXXXXX:assumed-role/ManagedOpenShift-Installer-Role/OCM",
        "accountId": "XXXXX",
        "accessKeyId": "XXXXXXX",
        "sessionContext": {
            "sessionIssuer": {
                "type": "Role",
                "principalId": "XXXXXXXXXXXXXXX",
                "arn": "arn:aws:iam::8XXXXXXX0:role/ManagedOpenShift-Installer-Role",
                "accountId": "8XXXXXXXX0",
                "userName": "ManagedOpenShift-Installer-Role"
            },
            "webIdFederationData": {},
            "attributes": {
                "creationDate": "XXXX-XX-XXTXX:XX:XXZ",
                "mfaAuthenticated": "false"
            }
        }
    },
    "eventTime": "XXXX-XX-XXTXX:XX:XXZ",
    "eventSource": "ec2.amazonaws.com",
    "eventName": "DescribeRegions",
    "awsRegion": "us-east-1",
    "sourceIPAddress": "XX.XX.XXX.XXX",
    "userAgent": "aws-sdk-go-vX/X.XX.X os/linux lang/go/1.18.1 md/GOOS/linux md/GOARCH/amd64 api/ec2/1.25.0",
    "errorCode": "Client.UnauthorizedOperation",
    "errorMessage": "You are not authorized to perform this operation.",
    "requestParameters": {
    .
    .
         }

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
