Rotate AWS IAM User Access Keys in OSD/ROSA

Solution Unverified - Updated -


  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • Red Hat OpenShift Dedicated (OSD)
    • 4
  • AWS Access Keys
  • non-STS


  • Is it possible to rotate the AWS IAM User Access Keys used by OSD/ROSA clusters?
  • AWS Access Keys have not been rotated since the OSD/ROSA cluster creation.
  • As a security requirement AWS Access Keys created for OSD/ROSA cluster and older than 90 days needs to be rotated.


For requesting the rotation of the AWS Access Keys, please open a support case with Red Hat. Provide the clusterID of the cluster/clusters that needs the key's rotation.

Note: Scheduling maintenance tasks for Managed OpenShift clusters in advance or targeting specific timing is not available as explained in Scheduled maintenance tasks for Managed OpenShift clusters.

Please, note that to avoid the need of the rotation, STS clusters doesn’t have any access keys/secret access keys that need to be rotated.

Root Cause

In OSD and ROSA non-STS clusters, the AWS Access Keys are created by the installer and managed by the Red Hat SRE Team.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.