Updating Trust Policies for ROSA cluster creation after Nov-21-2023

Environment

  • Red Hat OpenShift on AWS (ROSA) STS

Issue

  • Error encountered during new STS cluster creation:
"Failed to create cluster: The support role 'ManagedOpenShift-Support-Role' trusted policy does not allow support access. Role ARN 'arn:aws:iam::644306948063:role/RH-Technical-Support-xxxxxxx' is not present in the support role's trust policy."
  • Inability to create a new STS cluster using the ROSA CLI.
  • Why do I need to update my trust policies?
  • How do I update my support role to allow new cluster creation?

Resolution

NOTE: This solution is only applicable after November 21, 2023.

Before creating a new cluster, use one of the following two methods to update the Support Role in the AWS account so that it has the correct trust policy.

  1. Update using ROSA CLI:

    • Re-run the command rosa create account-roles, targeting the existing support role.
    • This command updates the existing Support Role’s trust policy by appending the required principal to it.
  2. Manual Update in AWS Console:

    • Log in to the AWS account’s web console.
    • Navigate to: IAM -> Roles.
    • Search for the support role (ManagedOpenShift-Support-Role by default).
    • Go to the Trust Relationships tab.
    • Add the IAM role ARN from the error message to the .Statement.Principal.AWS entry of the trust policy document (keep the existing principal; the new ARN is appended, not substituted).
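The following is an added example, not code from Red Hat or the ROSA CLI. It performs the same two things the manual procedure describes: it checks whether a support role trust policy already trusts the principal named in the error, and if not, appends that ARN to .Statement.Principal.AWS. The trust policy is a constructed sample (the existing principal uses a placeholder account ID), and the required ARN is copied from the error message on this page, with its elided xxxxxxx suffix left as a placeholder. The helpers handle the IAM quirk that a single principal is stored as a string while several are stored as a list, and the patch is idempotent.

```python
"""Check and patch a ROSA support role trust policy so it includes the
Red Hat support role ARN named in the cluster-creation error.

Added example; not Red Hat's or the ROSA CLI's own code.
"""
import copy
import json

# Constructed sample of the AssumeRolePolicyDocument of a support role.
# The existing principal is a placeholder account and role name, not a real Red Hat ARN.
SAMPLE_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"AWS": "arn:aws:iam::111122223333:role/RH-Technical-Support-Access"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Taken from the error message in this article; the suffix is a placeholder the article left elided.
REQUIRED_PRINCIPAL = "arn:aws:iam::644306948063:role/RH-Technical-Support-xxxxxxx"


def _principals(stmt):
    """Return the AWS principals of a statement as a list.

    IAM stores one principal as a string and several as a list; a bare "*"
    principal or a missing Principal key yields an empty list here."""
    principal = stmt.get("Principal")
    if not isinstance(principal, dict):
        return []
    aws = principal.get("AWS", [])
    return [aws] if isinstance(aws, str) else list(aws)


def _allows_assume_role(stmt):
    """True for an Allow statement whose Action includes sts:AssumeRole."""
    actions = stmt.get("Action", [])
    actions = [actions] if isinstance(actions, str) else actions
    return stmt.get("Effect") == "Allow" and "sts:AssumeRole" in actions


def trusts_principal(policy, principal_arn):
    """True if some Allow sts:AssumeRole statement already lists principal_arn.

    This is the condition the ROSA CLI error reports as not met."""
    return any(
        _allows_assume_role(s) and principal_arn in _principals(s)
        for s in policy.get("Statement", [])
    )


def add_trusted_principal(policy, principal_arn):
    """Return a copy of policy with principal_arn appended to Principal.AWS of
    the first Allow sts:AssumeRole statement.

    Idempotent, leaves the input untouched, keeps the existing principal, and
    never edits Deny statements or statements for other actions."""
    patched = copy.deepcopy(policy)
    if trusts_principal(patched, principal_arn):
        return patched
    for stmt in patched.setdefault("Statement", []):
        if _allows_assume_role(stmt):
            stmt.setdefault("Principal", {})["AWS"] = _principals(stmt) + [principal_arn]
            return patched
    # No suitable statement exists: add one instead of guessing at another statement.
    patched["Statement"].append(
        {"Effect": "Allow", "Principal": {"AWS": [principal_arn]}, "Action": "sts:AssumeRole"}
    )
    return patched


if __name__ == "__main__":
    print("trusted before:", trusts_principal(SAMPLE_TRUST_POLICY, REQUIRED_PRINCIPAL))
    fixed = add_trusted_principal(SAMPLE_TRUST_POLICY, REQUIRED_PRINCIPAL)
    print("trusted after: ", trusts_principal(fixed, REQUIRED_PRINCIPAL))
    # Write this document out and apply it to the role with the AWS CLI.
    print(json.dumps(fixed, indent=2))
```

To apply the result to a real account, save the printed document to a file and run aws iam update-assume-role-policy --role-name ManagedOpenShift-Support-Role --policy-document file://trust.json, then re-run trusts_principal against the output of aws iam get-role to confirm the ARN from the error is now present before retrying cluster creation.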

Validation:

  • After completing either of the above methods, cluster creation should succeed.

Root Cause

Why is this necessary?

  • As part of ROSA's new support flow, more granular roles are assigned to each customer organization.
  • This is to enhance security by ensuring that any given jump role has only short-term access to a limited number of customer accounts.

Additional Notes

  • Ensure that the IAM roles and policies are correctly configured and up-to-date to avoid similar issues in the future.
  • Regularly review AWS and ROSA documentation for any updates in role management and policy settings.

This solution is part of Red Hat’s fast-track publication program, providing a huge library of solutions that Red Hat engineers have created while supporting our customers. To give you the knowledge you need the instant it becomes available, these articles may be presented in a raw and unedited form.