ROSA cluster can't be deleted from OCM when sts_user_role is not linked to account role

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • ROSA cluster can't be deleted from OCM with CLUSTERS-MGMT-400: Failed to delete cluster error.

Resolution

  • Use the steps below to check whether the user role exists and to recreate it if it is missing
    (make sure the Role prefix (zzzz) is the same as the account-role prefix):
$ ./rosa list user-roles
I: Fetching user roles
I: No user roles available
$ ./rosa list account-roles
I: Fetching account roles
ROLE NAME               ROLE TYPE      ROLE ARN                                               OPENSHIFT VERSION  AWS Managed
zzzz-ControlPlane-Role  Control plane  arn:aws:iam::xxxxxxx:role/zzzz-ControlPlane-Role  4.13               No
zzzz-Installer-Role     Installer      arn:aws:iam::xxxxxxx:role/zzzz-Installer-Role     4.13               No
zzzz-Support-Role       Support        arn:aws:iam::xxxxxxx:role/zzzz-Support-Role       4.13               No
zzzz-Worker-Role        Worker         arn:aws:iam::xxxxxxx:role/zzzz-Worker-Role        4.13               No
$ ./rosa create user-role
I: Creating User role
? Role prefix: zzzz
? Permissions boundary ARN (optional): 
? Role Path (optional): 
? Role creation mode: auto
I: Creating ocm user role using 'arn:aws:iam::xxxxxxx:user/zzzz'
? Create the 'zzzz-User-xxxxxx-Role' role? Yes
I: Created role 'zzzz-User-xxxxxx-Role' with ARN 'arn:aws:iam::xxxxxxx:role/zzzz-User-xxxxxx-Role'
I: Linking User role
? User Role ARN: arn:aws:iam::xxxxxxx:role/zzzz-User-xxxxxx-Role
? Link the 'arn:aws:iam::xxxxxxx:role/zzzz-User-xxxxxx-Role' role with account 'xxxxxxx'? Yes
I: Successfully linked role ARN 'arn:aws:iam::xxxxxxx:role/zzzz-User-xxxxxx-Role' with account 'xxxxxxx'
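As an added pre-check that is not part of this solution article, the following shell script parses a `rosa list account-roles` listing in the layout shown above, derives the shared account-role prefix, and confirms that a user-role name carries the same prefix before the cluster deletion is retried. The listing, the account ID and the role names in it are constructed samples.

```shell
#!/bin/sh
# Added example (not Red Hat's code): verify the user-role prefix matches the
# account-role prefix that ROSA expects. Sample data below is constructed.

# Constructed sample of `rosa list account-roles` output (same layout as the article).
SAMPLE_ACCOUNT_ROLES='I: Fetching account roles
ROLE NAME               ROLE TYPE      ROLE ARN                                               OPENSHIFT VERSION  AWS Managed
zzzz-ControlPlane-Role  Control plane  arn:aws:iam::111111111111:role/zzzz-ControlPlane-Role  4.13               No
zzzz-Installer-Role     Installer      arn:aws:iam::111111111111:role/zzzz-Installer-Role     4.13               No
zzzz-Support-Role       Support        arn:aws:iam::111111111111:role/zzzz-Support-Role       4.13               No
zzzz-Worker-Role        Worker         arn:aws:iam::111111111111:role/zzzz-Worker-Role        4.13               No'

# Print the single prefix shared by the listed account roles (read from stdin).
# Fails when no account role is found or when several prefixes are mixed,
# because a mixed listing needs manual review rather than an automatic guess.
account_role_prefix() {
    awk '$1 ~ /-(ControlPlane|Installer|Support|Worker)-Role$/ {
             sub(/-(ControlPlane|Installer|Support|Worker)-Role$/, "", $1)
             seen[$1] = 1
         }
         END {
             n = 0
             for (p in seen) { n++; prefix = p }
             if (n != 1) exit 1
             print prefix
         }'
}

# Extract the prefix from a user-role name such as zzzz-User-alice-Role
# (the name reported by `rosa list user-roles` or quoted in the OCM error).
# Prints nothing when the name does not follow the <prefix>-User-<name>-Role pattern.
user_role_prefix() {
    printf '%s\n' "$1" | sed -n 's/^\(.*\)-User-.*-Role$/\1/p'
}

# Return 0 when the user role's prefix equals the account-role prefix.
# $1: user-role name; stdin: `rosa list account-roles` output.
prefix_matches() {
    acct=$(account_role_prefix) || return 1
    user=$(user_role_prefix "$1")
    [ -n "$user" ] && [ "$user" = "$acct" ]
}

# Stand-alone run against the constructed sample: report the prefix to answer
# the "Role prefix" prompt of `rosa create user-role` with.
if prefix=$(printf '%s\n' "$SAMPLE_ACCOUNT_ROLES" | account_role_prefix); then
    echo "account-role prefix: $prefix (use it at the 'Role prefix' prompt of rosa create user-role)"
fi
```

In practice, pipe the live output of `rosa list account-roles` into `prefix_matches` together with the user-role name quoted in the OCM error; a non-zero exit means the prefixes differ and the recreated role will not satisfy the check.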

Root Cause

  • If sts_user_role is deleted by mistake, the cluster deletion fails with the "Failed to delete cluster" error, because AWS does not allow the related resources to be deleted without the correct user role.

Diagnostic Steps

  • The following error is found in the OCM console:
CLUSTERS-MGMT-400: Failed to delete cluster xxxxxxx: sts_user_role is not linked to your account. sts_ocm_role is linked to your organization 'xxxxxxx' which requires sts_user_role to be linked to your Red Hat account 'xxxxxxx'.Please create a user role and link it to the account: Your sts_user_role 'zzzz-User-xxxxxx-Role' linked to your Red Hat account 'xxxxxxx' does not exist on your AWS account 'xxxxxxx'.
Operation ID: xxxxxxx

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.