Removing Deprecated/Unused BYOCAdminAccess IAM Roles in Non-STS ROSA Clusters

Solution In Progress - Updated -

Environment

  • Red Hat OpenShift Service on AWS (ROSA)
    • 4

Issue

  • Can the BYOCAdminAccess-xxxxxx IAM roles in a non-STS ROSA cluster be deleted or disabled?

Resolution

Before removing a BYOCAdminAccess IAM role, confirm that the cluster no longer uses it: the cluster's supportRoleARN must already point at the ManagedOpenShift-Support-xxxxxx role, and nothing else may still be assuming the BYOCAdminAccess role.

Follow the steps below to safely remove the BYOCAdminAccess IAM roles:

1. Verify the Current Support Role:

Use the OCM command to confirm the supportRoleARN:

$ ocm get cluster <CLUSTER_ID>/resources/live | jq -r '.resources.aws_account_claim' | jq .spec.supportRoleARN

The output should be an ARN whose role name is ManagedOpenShift-Support-xxxxxx. If the supportRoleARN still references a BYOCAdminAccess-xxxxxx role, that role is still in use and must not be deleted.

If you encounter difficulties running the above command, please open a support case.

2. Backup IAM Roles:

Before deleting any role, save a copy of everything that defines it: the role itself (including its trust policy, i.e. the AssumeRolePolicyDocument), the list of attached managed policies, and the body of every inline policy. This is what you would need to recreate the role if it turns out to be required.

3. Removal of BYOCAdminAccess IAM Roles:

Once you have verified that the supportRoleARN has transitioned to ManagedOpenShift-Support-xxxxxx, and after taking the backups, remove the BYOCAdminAccess IAM roles. Only the BYOCAdminAccess-xxxxxx roles are deprecated; the ManagedOpenShift-Support-xxxxxx role is the cluster's active support role and must be kept.

Root Cause

BYOCAdminAccess IAM roles are deprecated and are not actively used in non-STS ROSA clusters. Newer clusters typically have only ManagedOpenShift-Support-aaabbb, while older non-STS clusters might have both ManagedOpenShift-Support-cccddd and the leftover BYOCAdminAccess-cccddd.

Diagnostic Steps

  • Check the current supportRoleARN using the OCM command mentioned above.
  • Review each BYOCAdminAccess role's trust policy (the principals allowed to assume it) and the last-used date IAM reports for the role, to confirm that no active component is still assuming it.
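The following POSIX shell script is an added example, not part of this solution or of Red Hat's tooling; it strings together the Resolution steps (verify supportRoleARN, back up, delete) and the Diagnostic Steps (trust-policy principals and last-used date). It assumes the `ocm`, `aws` and `jq` CLIs are installed with credentials for the cluster's AWS account, and that the backup directory, the script name in the usage line and the account ID 123456789012 used in comments are placeholders. Note that IAM refuses to delete a role that still has policies or an instance profile attached, so the delete step strips those first, in the order IAM requires.

```shell
#!/bin/sh
# Added example: safely remove a deprecated BYOCAdminAccess-<id> role from a
# non-STS ROSA cluster's AWS account. Requires ocm, aws and jq with credentials
# for that account. Role names and the account ID are placeholders.
set -eu

# Name component of an IAM role ARN:
#   arn:aws:iam::123456789012:role/<name>  ->  <name>
role_name_from_arn() { printf '%s\n' "${1##*/}"; }

# Returns 0 if the ARN's role name is the current ManagedOpenShift-Support-* role.
support_role_is_managed() {
    case "$(role_name_from_arn "$1")" in
        ManagedOpenShift-Support-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Safety guard: the delete step refuses any role not named BYOCAdminAccess-*.
is_byoc_admin_role() {
    case "$1" in
        BYOCAdminAccess-*) return 0 ;;
        *) return 1 ;;
    esac
}

# Step 1: the supportRoleARN recorded in OCM for the cluster (the solution's
# command, with -r on the last jq so the ARN is printed unquoted).
current_support_role_arn() {
    ocm get cluster "$1/resources/live" \
        | jq -r '.resources.aws_account_claim' \
        | jq -r '.spec.supportRoleARN'
}

# Diagnostic: principals allowed to assume the role, and IAM's last-used record.
# A recent LastUsedDate or an unexpected principal means stop and investigate.
show_role_usage() {
    aws iam get-role --role-name "$1" --output json \
        --query '{TrustedPrincipals:Role.AssumeRolePolicyDocument.Statement[].Principal,LastUsed:Role.RoleLastUsed}'
}

# Step 2: dump the role (incl. trust policy), attached policies and every inline
# policy body into a backup directory.
backup_role() {
    role="$1"; dir="$2"
    mkdir -p "$dir"
    aws iam get-role --role-name "$role" > "$dir/role.json"
    aws iam list-attached-role-policies --role-name "$role" > "$dir/attached-policies.json"
    aws iam list-role-policies --role-name "$role" > "$dir/inline-policy-names.json"
    for p in $(jq -r '.PolicyNames[]' "$dir/inline-policy-names.json"); do
        aws iam get-role-policy --role-name "$role" --policy-name "$p" > "$dir/inline-$p.json"
    done
}

# Step 3: detach managed policies, delete inline policies, drop instance-profile
# memberships, then delete the role. Uses the lists captured by backup_role.
delete_role() {
    role="$1"; dir="$2"
    for arn in $(jq -r '.AttachedPolicies[].PolicyArn' "$dir/attached-policies.json"); do
        aws iam detach-role-policy --role-name "$role" --policy-arn "$arn"
    done
    for p in $(jq -r '.PolicyNames[]' "$dir/inline-policy-names.json"); do
        aws iam delete-role-policy --role-name "$role" --policy-name "$p"
    done
    for ip in $(aws iam list-instance-profiles-for-role --role-name "$role" \
                | jq -r '.InstanceProfiles[].InstanceProfileName'); do
        aws iam remove-role-from-instance-profile --instance-profile-name "$ip" --role-name "$role"
    done
    aws iam delete-role --role-name "$role"
}

main() {
    cluster_id="$1"; role="$2"; dir="${3:-./iam-backup-$role}"
    is_byoc_admin_role "$role" \
        || { echo "refusing: $role is not a BYOCAdminAccess-* role" >&2; exit 1; }
    arn="$(current_support_role_arn "$cluster_id")"
    support_role_is_managed "$arn" \
        || { echo "supportRoleARN is $arn, not ManagedOpenShift-Support-*; open a support case" >&2; exit 1; }
    echo "cluster $cluster_id uses $(role_name_from_arn "$arn"); checking $role before removal"
    show_role_usage "$role"
    backup_role "$role" "$dir"
    echo "backup written to $dir; deleting $role"
    delete_role "$role" "$dir"
}

# Usage: sh byoc-cleanup.sh <CLUSTER_ID> BYOCAdminAccess-<id> [backup-dir]
if [ "$#" -ge 2 ]; then main "$@"; fi
```

Run it once per leftover BYOCAdminAccess role; it exits before touching IAM if the role name does not match the deprecated pattern or if OCM still reports a non-ManagedOpenShift-Support support role. Review the printed trust principals and last-used output before trusting the deletion, and keep the backup directory until you are satisfied the cluster is unaffected.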

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.
