How to check the permissions for AWS roles needed for ROSA STS clusters?

Solution Unverified - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4
  • AWS Security Token Service (STS)
  • aws CLI

Issue

  • How to check if the roles used for install/manage a ROSA STS cluster have missing permissions?
  • How to get the policies of the AWS roles used with ROSA STS?

Resolution

It is possible to re-create the roles and their permissions and policies by running the create commands again with the -f flag:

$ rosa create ocm-role -f
$ rosa create user-role -f
$ rosa create account-roles -f
$ rosa create operator-roles -c ${CLUSTER} -f

To check whether any permissions are missing, it is also possible to list the policies attached to each role and their permissions with the following commands:

  1. Get the ARNs of the policies attached to a given role ([role_name]); each one is a [policy_arn] for the next steps:

    $ aws iam list-attached-role-policies --role-name [role_name]
  2. Show the metadata of the policy with the given [policy_arn], and take the DefaultVersionId field from that output as [version_id]:

    $ aws iam get-policy --policy-arn [policy_arn]
  3. Show the policy document for the given [policy_arn] and [version_id] (the DefaultVersionId from the previous step):

    $ aws iam get-policy-version --policy-arn [policy_arn] --version-id [version_id]

To get the names of the roles to use with the commands above, check the output of the following commands:

$ rosa list ocm-role
$ rosa list user-role
$ rosa list account-roles
$ rosa list operator-roles

Compare the permissions of each role with the permissions required as per the ROSA documentation: About IAM resources for ROSA clusters that use STS.
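The comparison in the last step, as an added example that is not part of this solution: a small Python script that takes the policy documents returned by step 3 (for example saved with `aws iam get-policy-version ... --query PolicyVersion.Document`) and reports which required actions no attached policy grants. The policy document and the required-action list below are constructed samples, not real ROSA policies; the authoritative list of required permissions is the ROSA documentation page referenced above.

```python
import fnmatch
import json

# Constructed sample of one policy document as returned by
# `aws iam get-policy-version --policy-arn [policy_arn] --version-id [version_id]
#  --query PolicyVersion.Document`. Not a real ROSA policy.
SAMPLE_POLICY_DOCUMENT = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "iam:GetRole"], "Resource": "*"},
    {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": "*"},
    {"Effect": "Deny",  "Action": "iam:DeleteRole", "Resource": "*"}
  ]
}
""")

# Constructed list of actions the role is expected to have (assumption for the demo);
# take the real list from "About IAM resources for ROSA clusters that use STS".
REQUIRED_ACTIONS = ["ec2:DescribeInstances", "iam:GetRole", "iam:DeleteRole",
                    "sts:AssumeRole", "s3:GetObject"]


def _as_list(value):
    """IAM allows a single string/object or a list in Statement and Action fields."""
    if value is None:
        return []
    return [value] if isinstance(value, (str, dict)) else list(value)


def _matches(pattern, action):
    """IAM action patterns are case-insensitive and support '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_patterns(policy_documents):
    """Split the Action patterns of all attached policies into Allow and Deny lists."""
    allows, denies = [], []
    for doc in policy_documents:
        for stmt in _as_list(doc.get("Statement")):
            target = allows if stmt.get("Effect") == "Allow" else denies
            target.extend(_as_list(stmt.get("Action")))  # NotAction is not handled here
    return allows, denies


def missing_actions(policy_documents, required):
    """Required actions matched by no Allow pattern, or matched by a Deny pattern.

    Only the Action element is checked; Resource and Condition constraints are ignored,
    so an action not reported here may still be restricted in practice."""
    allows, denies = action_patterns(policy_documents)
    return [a for a in required
            if not any(_matches(p, a) for p in allows) or any(_matches(p, a) for p in denies)]


if __name__ == "__main__":
    for action in missing_actions([SAMPLE_POLICY_DOCUMENT], REQUIRED_ACTIONS):
        print("missing:", action)
```

Run it once per role with all of that role's policy documents, since a permission may be granted by any of the attached policies.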

Root Cause

The permissions and policies assigned to each role can be inspected with aws CLI commands (as above) or in the AWS web console.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.