Red Hat OpenShift Service on AWS

Chapter 8. ROSA CLI

8.1. Getting started with the ROSA CLI

8.1.1. About the ROSA CLI

Use the Red Hat OpenShift Service on AWS (ROSA) command-line interface (CLI), therosa command, to create, update, manage, and delete ROSA clusters and resources.

8.1.2. Setting up the ROSA CLI

Use the following steps to install and configure the ROSA CLI (rosa) on your installation host.

Procedure

Install and configure the latest AWS CLI (aws).
1. Follow theAWS Command Line Interface documentation to install and configure the AWS CLI for your operating system.
  Specify youraws_access_key_id,aws_secret_access_key, andregion in the.aws/credentials file. See AWS Configuration basics in the AWS documentation.
  Note
  You can optionally use theAWS_DEFAULT_REGION environment variable to set the default AWS region.
2. Query the AWS API to verify if the AWS CLI is installed and configured correctly:
  $aws sts get-caller-identity--output text
  Copy to Clipboard
  Example output
  <aws_account_id> arn:aws:iam::<aws_account_id>:user/<username> <aws_user_id>
  Copy to Clipboard
Download the latest version of the ROSA CLI (rosa) for your operating system from theDownloads page on OpenShift Cluster Manager.
Extract therosa binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:
```
tar xvf rosa-linux.tar.gz
```
```
$tar xvf rosa-linux.tar.gz
```
Copy to Clipboard
Addrosa to your path. In the following example, the/usr/local/bin directory is included in the path of the user:
```
sudo mv rosa /usr/local/bin/rosa
```
```
$sudomv rosa /usr/local/bin/rosa
```
Copy to Clipboard
Verify if the ROSA CLI is installed correctly by querying therosa version:
```
rosa version
```
```
$rosa version
```
Copy to Clipboard
Example output
```
1.2.15Your ROSA CLI is up to date.
```
```
1.2.15Your ROSA CLI is up to date.
```
Copy to Clipboard
Optional: Enable tab completion for the ROSA CLI. With tab completion enabled, you can press theTab key twice to automatically complete subcommands and receive command suggestions:
- To enable persistent tab completion for Bash on a Linux host:
  1. Generate arosa tab completion configuration file for Bash and save it to your/etc/bash_completion.d/ directory:
    #rosa completionbash> /etc/bash_completion.d/rosa
    Copy to Clipboard
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for Bash on a macOS host:
  1. Generate arosa tab completion configuration file for Bash and save it to your/usr/local/etc/bash_completion.d/ directory:
    $rosa completionbash> /usr/local/etc/bash_completion.d/rosa
    Copy to Clipboard
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for Zsh:
  1. If tab completion is not enabled for your Zsh environment, enable it by running the following command:
    $echo"autoload -U compinit; compinit">> ~/.zshrc
    Copy to Clipboard
  2. Generate arosa tab completion configuration file for Zsh and save it to the first directory in your functions path:
    $rosa completionzsh>"${fpath[1]}/_rosa"
    Copy to Clipboard
  3. Open a new terminal to activate the configuration.
- To enable persistent tab completion for fish:
  1. Generate arosa tab completion configuration file for fish and save it to your~/.config/fish/completions/ directory:
    $rosa completion fish> ~/.config/fish/completions/rosa.fish
    Copy to Clipboard
  2. Open a new terminal to activate the configuration.
- To enable persistent tab completion for PowerShell:
  1. Generate arosa tab completion configuration file for PowerShell and save it to a file namedrosa.ps1:
    PS> rosa completion powershell | Out-String | Invoke-Expression
    Copy to Clipboard
  2. Source therosa.ps1 file from your PowerShell profile.
Note
For more information about configuringrosa tab completion, see the help menu by running therosa completion --help command.

8.1.3. Configuring the ROSA CLI

Use the following commands to configure the Red Hat OpenShift Service on AWS (ROSA) CLI,rosa.

8.1.3.1. login

There are several methods you can use to log into your Red Hat account using the Red Hat OpenShift Service on AWS (ROSA) CLI (rosa). These methods are described in detail below.

Important

An offline authentication token is long-lived, stored on your operating system, and cannot be revoked. These factors increase overall security risks and the likelihood of unauthorized access to your account. Alternatively, the Red Hat secure browser-based single sign-on (SSO) method automatically sends your CLI instance a refresh token that is valid for 10 hours. Because this authorization code is unique and temporary, it is more secure and is the Red Hat recommended method of authentication.

8.1.3.1.1. login with single sign-on (SSO) authorization code

If your system supports a web-based browser, you can log in to the ROSA CLI (rosa) with a Red Hat single sign-on (SSO) authorization code.

Note

Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.

To log into the ROSA CLI (rosa) with a Red Hat single sign-on authorization code, run the following command:
Syntax
```
rosa login --use-auth-code
```
```
$rosa login --use-auth-code
```
Copy to Clipboard
Running this command will redirect you to the Red Hat SSO login. Log in with your Red Hat login or email.
Table 8.1. Optional arguments inherited from parent commands
Option Definition
--help
Shows help for this command.
--debug
Enables debug mode.
To switch accounts, logout fromhttps://sso.redhat.com and run therosa logout command in your terminal before attempting to login again.

8.1.3.1.2. login with a single sign-on device code

If you are working with containers, remote hosts, and other environments without a web browser, you can use a Red Hat single sign-on (SSO) device code for secure authentication. To do this, you must use a second device that has a web browser to approve the login.

Note

Single sign-on authorization is supported with ROSA CLI (rosa) version 1.2.36 or later.

To log in to ROSA CLI (rosa) with a Red Hat single sign-on device code, run the following command:
Syntax
```
rosa login --use-device-code
```
```
$rosa login --use-device-code
```
Copy to Clipboard
Running this command will redirect you to the Red Hat SSO login and provide a log in code.
Table 8.2. Optional arguments inherited from parent commands
Option Definition
--help
Shows help for this command.
--debug
Enables debug mode.
To switch accounts, logout fromhttps://sso.redhat.com and run therosa logout command in your terminal before attempting to login again.

8.1.3.1.3. login with an offline token

To use offline tokens for automation purposes, you can download the OpenShift Cluster Manager API token from theOpenShift Cluster Manager API Token page.

To use service accounts for automation purposes, see theService Accounts page.

Note

Red Hat recommends using service accounts for automation purposes.

To log in to ROSA CLI (rosa) with a Red Hat offline token, run the following command:

Syntax

rosa login [arguments]

$rosa login[arguments]

Copy to Clipboard

Table 8.3. Arguments
Option	Definition
--client-id	The OpenID client identifier (string). Default:`cloud-services`
--client-secret	The OpenID client secret (string).
--insecure	Enables insecure communication with the server. This disables verification of TLS certificates and host names.
--scope	The OpenID scope (string). If this option is used, it replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default:`openid`
--token	Accesses or refreshes the token (string).
--token-url	The OpenID token URL (string). Default:`https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`

Table 8.4. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.1.3.2. logout

Log out ofrosa. Logging out also removes therosa configuration file.

Syntax

rosa logout [arguments]

$rosalogout[arguments]

Copy to Clipboard

Table 8.5. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.1.3.3. verify permissions

Verify that the AWS permissions required to create a ROSA cluster are configured correctly:

Syntax

rosa verify permissions [arguments]

$rosa verify permissions[arguments]

Copy to Clipboard

Note

This command verifies permissions only for clusters that do not use the AWS Security Token Service (STS).

Table 8.6. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--region	The AWS region (string) in which to run the command. This value overrides the`AWS_REGION` environment variable.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS permissions are configured correctly:

rosa verify permissions

$rosa verify permissions

Copy to Clipboard

Verify that the AWS permissions are configured correctly in a specific region:

rosa verify permissions --region=us-west-2

$rosa verify permissions--region=us-west-2

Copy to Clipboard

8.1.3.4. verify quota

Verifies that AWS quotas are configured correctly for your default region.

Syntax

rosa verify quota [arguments]

$rosa verifyquota[arguments]

Copy to Clipboard

Table 8.7. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--region	The AWS region (string) in which to run the command. This value overrides the`AWS_REGION` environment variable.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Verify that the AWS quotas are configured correctly for the default region:

rosa verify quota

$rosa verifyquota

Copy to Clipboard

Verify that the AWS quotas are configured correctly in a specific region:

rosa verify quota --region=us-west-2

$rosa verifyquota--region=us-west-2

Copy to Clipboard

8.1.3.5. download rosa

Download the latest compatible version of therosa CLI.

After you downloadrosa, extract the contents of the archive and add it to your path.

Syntax

rosa download rosa [arguments]

$rosa download rosa[arguments]

Copy to Clipboard

Table 8.8. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

8.1.3.6. download oc

Download the latest compatible version of the OpenShift Container Platform CLI (oc).

After you downloadoc, you must extract the contents of the archive and add it to your path.

Syntax

rosa download oc [arguments]

$rosa download oc[arguments]

Copy to Clipboard

Table 8.9. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

Downloadoc client tools:

rosa download oc

$rosa download oc

Copy to Clipboard

8.1.3.7. verify oc

Verifies that the OpenShift Container Platform CLI (oc) is installed correctly.

Syntax

rosa verify oc [arguments]

$rosa verify oc[arguments]

Copy to Clipboard

Table 8.10. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

Verifyoc client tools:

rosa verify oc

$rosa verify oc

Copy to Clipboard

Additional resources

8.1.4. Initializing ROSA

Use theinit command to initialize Red Hat OpenShift Service on AWS (ROSA) only if you are using non-STS.

8.1.4.1. init

Perform a series of checks to verify that you are ready to deploy a ROSA cluster.

The list of checks includes the following:

Checks to see that you have logged in (seelogin)
Checks that your AWS credentials are valid
Checks that your AWS permissions are valid (seeverify permissions)
Checks that your AWS quota levels are high enough (seeverify quota)
Runs a cluster simulation to ensure cluster creation will perform as expected
Checks that theosdCcsAdmin user has been created in your AWS account
Checks that the OpenShift Container Platform command-line tool is available on your system

Syntax

rosa init [arguments]

$rosa init[arguments]

Copy to Clipboard

Table 8.11. Arguments
Option	Definition
--region	The AWS region (string) in which to verify quota and permissions. This value overrides the`AWS_REGION` environment variable only when running the`init` command, but it does not change your AWS CLI configuration.
--delete	Deletes the stack template that is applied to your AWS account during the`init` command.
--client-id	The OpenID client identifier (string). Default:`cloud-services`
--client-secret	The OpenID client secret (string).
--insecure	Enables insecure communication with the server. This disables verification of TLS certificates and host names.
--scope	The OpenID scope (string). If this option is used, it completely replaces the default scopes. This can be repeated multiple times to specify multiple scopes. Default:`openid`
--token	Accesses or refreshes the token (string).
--token-url	The OpenID token URL (string). Default:`https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token`

Table 8.12. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Configure your AWS account to allow ROSA clusters:

rosa init

$rosa init

Copy to Clipboard

Configure a new AWS account using pre-existing OpenShift Cluster Manager credentials:

rosa init --token=$OFFLINE_ACCESS_TOKEN

$rosa init--token=$OFFLINE_ACCESS_TOKEN

Copy to Clipboard

8.1.5. Using a Bash script

This is an example workflow of how to use a Bash script with the Red Hat OpenShift Service on AWS (ROSA) CLI,rosa.

Prerequisites

Make sure that AWS credentials are available as one of the following options:

AWS profile
Environment variables (AWS_ACCESS_KEY_ID,AWS_SECRET_ACCESS_KEY)

Procedure

Initializerosa using an Red Hat OpenShift Cluster Manager offline tokenfrom Red Hat:
```
rosa init --token=<token>
```
```
$rosa init--token=<token>
```
Copy to Clipboard

Create the ROSA cluster:

rosa create cluster --cluster-name=<cluster_name>

$rosa create cluster --cluster-name=<cluster_name>

Copy to Clipboard

Add an identity provider (IDP):

rosa create idp --cluster=<cluster_name> --type=<identity_provider> [arguments]

$rosa create idp--cluster=<cluster_name>--type=<identity_provider>[arguments]

Copy to Clipboard

Add adedicated-admin user:

rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>

$rosa grant user dedicated-admin--user=<idp_user_name>--cluster=<cluster_name>

Copy to Clipboard

8.1.6. Updating the ROSA CLI

Update to the latest compatible version of the ROSA CLI (rosa).

Procedure

Confirm that a new version of the ROSA CLI (rosa) is available:

rosa version

$rosa version

Copy to Clipboard

Example output

1.2.12There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

1.2.12There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

Copy to Clipboard

Download the latest compatible version of the ROSA CLI:
```
rosa download rosa
```
```
$rosa download rosa
```
Copy to Clipboard
This command downloads an archive calledrosa-*.tar.gz into the current directory. The exact name of the file depends on your operating system and system architecture.
Extract the contents of the archive:
```
tar -xzf rosa-linux.tar.gz
```
```
$tar-xzf rosa-linux.tar.gz
```
Copy to Clipboard
Install the new version of the ROSA CLI by moving the extracted file into your path. In the following example, the/usr/local/bin directory is included in the path of the user:
```
sudo mv rosa /usr/local/bin/rosa
```
```
$sudomv rosa /usr/local/bin/rosa
```
Copy to Clipboard

Verification

Verify that the new version of ROSA is installed.
```
rosa version
```
```
$rosa version
```
Copy to Clipboard
Example output
```
1.2.15Your ROSA CLI is up to date.
```
```
1.2.15Your ROSA CLI is up to date.
```
Copy to Clipboard

8.2. Managing objects with the ROSA CLI

Managing objects with the Red Hat OpenShift Service on AWS (ROSA) CLI,rosa, such as addingdedicated-admin users, managing clusters, and scheduling cluster upgrades.

Note

To access a cluster that is accessible only over an HTTP proxy server, you can set theHTTP_PROXY,HTTPS_PROXY, andNO_PROXY variables. These environment variables are respected by therosa CLI so that all communication with the cluster goes through the HTTP proxy.

8.2.1. Common commands and arguments

These common commands and arguments are available for the Red Hat OpenShift Service on AWS (ROSA) CLI,rosa.

8.2.1.1. debug

Enables debug mode for the parent command to help with troubleshooting.

Example

rosa create cluster --cluster-name=<cluster_name> --debug

$rosa create cluster --cluster-name=<cluster_name>--debug

Copy to Clipboard

8.2.1.2. download

Downloads the latest compatible version of the specified software to the current directory in an archive file. Extract the contents of the archive and add the contents to your path to use the software. To download the latest ROSA CLI, specifyrosa. To download the latest OpenShift CLI, specifyoc.

Example

rosa download <software>

$rosa download<software>

Copy to Clipboard

8.2.1.3. help

Displays general help information for the ROSA CLI (rosa) and a list of available commands. This option can also be used as an argument to display help information for a parent command, such asversion orcreate.

Examples

Displays general help for the ROSA CLI.

rosa --help

$rosa--help

Copy to Clipboard

Displays general help forversion.

rosa version --help

$rosa version--help

Copy to Clipboard

8.2.1.4. interactive

Enables interactive mode.

Example

rosa create cluster --cluster-name=<cluster_name> --interactive

$rosa create cluster --cluster-name=<cluster_name>--interactive

Copy to Clipboard

8.2.1.5. profile

Specifies an AWS profile from your credential file.

Example

rosa create cluster --cluster-name=<cluster_name> --profile=myAWSprofile

$rosa create cluster --cluster-name=<cluster_name>--profile=myAWSprofile

Copy to Clipboard

8.2.1.6. version

Displays therosa version and checks whether a newer version is available.

Example

rosa version [arguments]

$rosa version[arguments]

Copy to Clipboard

Example output

Displayed when a newer version of the ROSA CLI is available.

1.2.12There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

1.2.12There is a newer release version '1.2.15', please consider updating: https://mirror.openshift.com/pub/openshift-v4/clients/rosa/latest/

Copy to Clipboard

8.2.2. Parent commands

The Red Hat OpenShift Service on AWS (ROSA) CLI,rosa, uses parent commands with child commands to manage objects. The parent commands arecreate,edit,delete,list, anddescribe. Not all parent commands can be used with all child commands. For more information, see the specific reference topics that describes the child commands.

8.2.2.1. create

Creates an object or resource when paired with a child command.

Example

rosa create cluster --cluster-name=mycluster

$rosa create cluster --cluster-name=mycluster

Copy to Clipboard

8.2.2.2. edit

Edits options for an object, such as making a cluster private.

Example

rosa edit cluster --cluster=mycluster --private

$rosa edit cluster--cluster=mycluster--private

Copy to Clipboard

8.2.2.3. delete

Deletes an object or resource when paired with a child command.

Example

rosa delete ingress --cluster=mycluster

$rosa delete ingress--cluster=mycluster

Copy to Clipboard

8.2.2.4. list

Lists clusters or resources for a specific cluster.

Example

rosa list users --cluster=mycluster

$rosa listusers--cluster=mycluster

Copy to Clipboard

8.2.2.5. describe

Shows the details for a cluster.

Example

rosa describe cluster --cluster=mycluster

$rosa describe cluster--cluster=mycluster

Copy to Clipboard

8.2.3. Create objects

This section describes thecreate commands for clusters and resources.

8.2.3.1. create account-roles

Create the required account-wide role and policy resources for your cluster.

Syntax

rosa create account-roles [flags]

$rosa create account-roles[flags]

Copy to Clipboard

Table 8.13. Flags
Option	Definition
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto` Resource changes will be automatically applied using the current AWS account. `manual` Commands necessary to modify AWS resources will be output to be run manually.
--path string	The Amazon Resource Name (ARN) path for the account-wide roles and policies, including the Operator policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the account roles.
--prefix string	User-defined prefix for all generated AWS resources. The default is`ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operations.

8.2.3.2. create admin

Create a cluster administrator with an automatically generated password that can log in to a cluster.

Syntax

rosa create admin --cluster=<cluster_name>|<cluster_id>

$rosa create admin--cluster=<cluster_name>|<cluster_id>

Copy to Clipboard

Table 8.14. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID (string) of the cluster to add to the identity provider (IDP).

Table 8.15. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile string	Specifies an AWS profile from your credentials file.

Example

Create a cluster administrator that can log in to a cluster namedmycluster.

rosa create admin --cluster=mycluster

$rosa create admin--cluster=mycluster

Copy to Clipboard

8.2.3.3. create break glass credential

Create a break glass credential for a hosted control plane cluster with external authentication enabled.

Syntax

rosa create break-glass-credential --cluster=<cluster_name> [arguments]

$rosa create break-glass-credential--cluster=<cluster_name>[arguments]

Copy to Clipboard

Table 8.16. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the break glass credential will be added.
--expiration	Optional: How long a break glass credential can be used before expiring. The expiration duration must be a minimum of 10 minutes and a maximum of 24 hours. If you do not enter a value, the expiration duration defaults to 24 hours.
--username	Optional. The username for the break glass credential. If you do not enter a value, a random username is generated for you.

Table 8.17. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--region	Specifies an AWS region, overriding the`AWS_REGION` environment variable.
--yes	Automatically answers`yes` to confirm the operation.

Examples

Add a break glass credential to a cluster namedmycluster.

Syntax

rosa create break-glass-credential --cluster=mycluster

$rosa create break-glass-credential--cluster=mycluster

Copy to Clipboard

Add a break glass credential to a cluster namedmycluster using the interactive mode.

Syntax

rosa create break-glass-credential --cluster=mycluster -i

$rosa create break-glass-credential--cluster=mycluster-i

Copy to Clipboard

8.2.3.4. create cluster

Create a new cluster.

Syntax

rosa create cluster --cluster-name=<cluster_name> [arguments]

$rosa create cluster --cluster-name=<cluster_name>[arguments]

Copy to Clipboard

Table 8.18. Arguments
Option	Definition
--additional-compute-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the standard machine pool created alongside the cluster. For more information on additional security groups, see the requirements forSecurity groups underAdditional resources.
--additional-infra-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the infra nodes created alongside the cluster. For more information on additional security groups, see the requirements forSecurity groups underAdditional resources.
--additional-control-plane-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups that are used with the control plane nodes created alongside the cluster. For more information on additional security groups, see the requirements forSecurity groups underAdditional resources.
--additional-allowed-principals <arn>	A comma-separated list of additional allowed principal ARNs to be added to the hosted control plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted.
--cluster-name <cluster_name>	Required. The name of the cluster. When used with the`create cluster` command, this argument is used to set the cluster name and can hold up to 54 characters. The value for this argument must be unique within your organization.
--compute-machine-type <instance_type>	The instance type for compute nodes in the cluster. This determines the amount of memory and vCPU that is allocated to each compute node. For more information on valid instance types, seeAWS Instance types inROSA service definition.
--controlplane-iam-role <arn>	The ARN of the IAM role to attach to control plane instances.
--create-cluster-admin	Optional. As part of cluster creation, create a local administrator user (`cluster-admin`) for your cluster. This automatically configures an htpasswd identity provider for the`cluster-admin` user. Optionally, use the`--cluster-admin-user` and`--cluster-admin-password` options to specify the username and password for the administrator user. Omitting these options automatically generates the credentials and displays their values as terminal output.
--cluster-admin-user	Optional. Specifies the user name of the cluster administrator user created when used in conjunction with the`--create-cluster-admin` option.
--cluster-admin-password	Optional. Specifies the password of the cluster administrator user created when used in conjunction with the`--create-cluster-admin` option.
--disable-scp-checks	Indicates whether cloud permission checks are disabled when attempting to install a cluster.
--dry-run	Simulates creating the cluster.
--domain-prefix	Optional: When used with the`create cluster` command, this argument sets the subdomain for your cluster on`*.openshiftapps.com`. The value for this argument must be unique within your organization, cannot be longer than 15 characters, and cannot be changed after cluster creation. If the argument is not supplied, an autogenerated value is created that depends on the length of the cluster name. If the cluster name is fewer than or equal to 15 characters, that name is used for the domain prefix. If the cluster name is longer than 15 characters, the domain prefix is randomly generated to a 15 character string.
--ec2-metadata-http-tokens string	Configures the use of IMDSv2 for EC2 instances. Valid values are`optional` (default) or`required`.
--enable-autoscaling	Enables autoscaling of compute nodes. By default, autoscaling is set to`2` nodes. To set non-default node limits, use this argument with the`--min-replicas` and`--max-replicas` arguments.
--etcd-encryption	Enables encryption of ETCD key-values on Red Hat OpenShift Service on AWS (classical architecture) clusters.
--etcd-encryption-kms-arn	Enables encryption of ETCD storage using the customer-managed key managed in AWS Key Management Service.
--external-id <arn_string>	An optional unique identifier that might be required when you assume a role in another account.
--host-prefix <subnet>	The subnet prefix length to assign to each individual node, as an integer. For example, if host prefix is set to`23`, then each node is assigned a`/23` subnet out of the given CIDR.
--machine-cidr <address_block>	Block of IP addresses (ipNet) used by ROSA while installing the cluster, for example,`10.0.0.0/16`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the`100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the`100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--max-replicas <number_of_nodes>	Specifies the maximum number of compute nodes when enabling autoscaling. Default:`2`
--min-replicas <number_of_nodes>	Specifies the minimum number of compute nodes when enabling autoscaling. Default:`2`
--multi-az	Deploys to multiple data centers.
--no-cni	Creates a cluster without a Container Network Interface (CNI) plugin. Customers can then bring their own CNI plugin and install it after cluster creation.
--operator-roles-prefix <string>	Prefix that are used for all IAM roles used by the operators needed in the OpenShift installer. A prefix is generated automatically if you do not specify one.
--pod-cidr <address_block>	Block of IP addresses (ipNet) from which pod IP addresses are allocated, for example,`10.128.0.0/14`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the`100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the`100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--private	Restricts primary API endpoint and application routes to direct, private connectivity.
--private-link	Specifies to use AWS PrivateLink to provide private connectivity between VPCs and services. The`--subnet-ids` argument is required when using`--private-link`.
--region <region_name>	The name of the AWS region where your worker pool will be located, for example,`us-east-1`. This argument overrides the`AWS_REGION` environment variable.
--replicas n	The number of worker nodes to provision per availability zone. Single-zone clusters require at least 2 nodes. Multi-zone clusters require at least 3 nodes. Default:`2` for single-zone clusters;`3` for multi-zone clusters.
--role-arn <arn>	The ARN of the installer role that OpenShift Cluster Manager uses to create the cluster. This is required if you have not already created account roles.
--service-cidr <address_block>	Block of IP addresses (ipNet) for services, for example,`172.30.0.0/16`. Important OVN-Kubernetes, the default network provider in ROSA 4.11 and later, uses the`100.64.0.0/16` IP address range internally. If your cluster uses OVN-Kubernetes, do not include the`100.64.0.0/16` IP address range in any other CIDR definitions in your cluster.
--sts \| --non-sts	Specifies whether to use AWS Security Token Service (STS) or IAM credentials (non-STS) to deploy your cluster.
--subnet-ids <aws_subnet_id>	The AWS subnet IDs that are used when installing the cluster, for example,`subnet-01abc234d5678ef9a`. Subnet IDs must be in pairs with one private subnet ID and one public subnet ID per availability zone. Subnets are comma-delimited, for example,`--subnet-ids=subnet-1,subnet-2`. Leave the value empty for installer-provisioned subnet IDs. When using`--private-link`, the`--subnet-ids` argument is required and only one private subnet is allowed per zone.
--support-role-arn string	The ARN of the role used by Red Hat Site Reliability Engineers (SREs) to enable access to the cluster account to provide support.
--tags	Tags that are used on resources created by Red Hat OpenShift Service on AWS in AWS. Tags can help you manage, identify, organize, search for, and filter resources within AWS. Tags are comma separated, for example: "key value, foo bar". Important Red Hat OpenShift Service on AWS only supports custom tags to Red Hat OpenShift resources during cluster creation. Once added, the tags cannot be removed or edited. Tags that are added by Red Hat are required for clusters to stay in compliance with Red Hat production service level agreements (SLAs). These tags must not be removed. Red Hat OpenShift Service on AWS does not support adding additional tags outside of ROSA cluster-managed resources. These tags can be lost when AWS resources are managed by the ROSA cluster. In these cases, you might need custom solutions or tools to reconcile the tags and keep them intact.
--version string	The version of ROSA that will be used to install the cluster or cluster resources. For`cluster` use an`X.Y.Z` format, for example,`4.18.0`. For`account-role` use an`X.Y` format, for example,`4.18`.
--worker-iam-role string	The ARN of the IAM role that will be attached to compute instances.

Table 8.19. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Create a cluster namedmycluster.

rosa create cluster --cluster-name=mycluster

$rosa create cluster --cluster-name=mycluster

Copy to Clipboard

Create a cluster with a specific AWS region.

rosa create cluster --cluster-name=mycluster --region=us-east-2

$rosa create cluster --cluster-name=mycluster--region=us-east-2

Copy to Clipboard

Create a cluster with autoscaling enabled on the default worker machine pool.

rosa create cluster --cluster-name=mycluster -region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5

$rosa create cluster --cluster-name=mycluster-region=us-east-1 --enable-autoscaling --min-replicas=2 --max-replicas=5

Copy to Clipboard

8.2.3.5. create external-auth-provider

Add an external identity provider instead of the OpenShift OAuth2 server.

Important

You can only use external authentication providers on ROSA with HCP clusters.

Syntax

rosa create external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa create external-auth-provider--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.20. Arguments
Option	Definition
--claim-mapping-groups-claim <string>	Required. Describes rules on how to transform information from an ID token into a cluster identity.
--claim-validation-rule <strings>	Rules that are applied to validate token claims to authenticate users. The input will be in a`<claim>:<required_value>` format. To have multiple claim validation rules, you can separate the values by`,`. For example,`<claim>:<required_value>,<claim>:<required_value>`.
--claim-mapping-username-claim <string>	The name of the claim that should be used to construct user names for the cluster identity.
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the IDP will be added.
--console-client-id <string>	The identifier of the OIDC client from the OIDC provider for theOpenShift Cluster Manager web console.
--console-client-secret <string>	The secret that is associated with the console application registration.
--issuer-audiences <strings>	An array of audiences to check the incoming tokens against. Valid tokens must include at least one of these values in their audience claim.
--issuer-ca-file <string>	The path to the PEM-encoded certificate file to use when making requests to the server.
--issuer-url <string>	The serving URL of the token issuer.
--name <string>	A name that is used to refer to the external authentication provider.

Table 8.21. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile string from your credentials file.

Examples

Add a Microsoft Entra ID identity provider to a cluster namedmycluster.

rosa create external-auth-provider --cluster=mycluster --name <provider_name> --issuer-audiences <audience_id> --issuer-url <issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claim groups

$rosa create external-auth-provider--cluster=mycluster--name<provider_name> --issuer-audiences<audience_id> --issuer-url<issuing id> --claim-mapping-username-claim email --claim-mapping-groups-claimgroups

Copy to Clipboard

8.2.3.6. create idp

Add an identity provider (IDP) to define how users log in to a cluster.

Syntax

rosa create idp --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa create idp--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.22. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the IDP will be added.
--ca <path_to_file>	The path to the PEM-encoded certificate file to use when making requests to the server, for example,`/usr/share/cert.pem`.
--client-id	The client ID (string) from the registered application.
--client-secret	The client secret (string) from the registered application.
--mapping-method	Specifies how new identities (string) are mapped to users when they log in. Default:`claim`
--name	The name (string) for the identity provider.
--type	The type (string) of identity provider. Options:`github`,`gitlab`,`google`,`ldap`,`openid`

Table 8.23. GitHub arguments
Option	Definition
--hostname	The optional domain (string) that are used with a hosted instance of GitHub Enterprise.
--organizations	Specifies the organizations for login access. Only users that are members of at least one of the listed organizations (string) are allowed to log in.
--teams	Specifies the teams for login access. Only users that are members of at least one of the listed teams (string) are allowed to log in. The format is`<org>/<team>`.

Table 8.24. GitLab arguments
Option	Definition
--host-url	The host URL (string) of a GitLab provider. Default:`https://gitlab.com`

Table 8.25. Google arguments
Option	Definition
--hosted-domain	Restricts users to a Google Apps domain (string).

Table 8.26. LDAP arguments
Option	Definition
--bind-dn	The domain name (string) to bind with during the search phase.
--bind-password	The password (string) to bind with during the search phase.
--email-attributes	The list (string) of attributes whose values should be used as the email address.
--id-attributes	The list (string) of attributes whose values should be used as the user ID. Default:`dn`
--insecure	Does not make TLS connections to the server.
--name-attributes	The list (string) of attributes whose values should be used as the display name. Default:`cn`
--url	An RFC 2255 URL (string) which specifies the LDAP search parameters that are used.
--username-attributes	The list (string) of attributes whose values should be used as the preferred username. Default:`uid`

Table 8.27. OpenID arguments
Option	Definition
--email-claims	The list (string) of claims that are used as the email address.
--extra-scopes	The list (string) of scopes to request, in addition to the`openid` scope, during the authorization token request.
--issuer-url	The URL (string) that the OpenID provider asserts as the issuer identifier. It must use the HTTPS scheme with no URL query parameters or fragment.
--name-claims	The list (string) of claims that are used as the display name.
--username-claims	The list (string) of claims that are used as the preferred username when provisioning a user.
--groups-claims	The list (string) of claims that are used as the groups names.

Table 8.28. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Add a GitHub identity provider to a cluster namedmycluster.

rosa create idp --type=github --cluster=mycluster

$rosa create idp--type=github--cluster=mycluster

Copy to Clipboard

Add an identity provider following interactive prompts.

rosa create idp --cluster=mycluster --interactive

$rosa create idp--cluster=mycluster--interactive

Copy to Clipboard

8.2.3.7. create ingress

Add an ingress endpoint to enable API access to the cluster.

Syntax

rosa create ingress --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa create ingress--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.29. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required: The name or ID of the cluster to which the ingress will be added.
--label-match	The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.
--private	Restricts application route to direct, private connectivity.

Table 8.30. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Add an internal ingress to a cluster namedmycluster.

rosa create ingress --private --cluster=mycluster

$rosa create ingress--private--cluster=mycluster

Copy to Clipboard

Add a public ingress to a cluster namedmycluster.

rosa create ingress --cluster=mycluster

$rosa create ingress--cluster=mycluster

Copy to Clipboard

Add an ingress with a route selector label match.

rosa create ingress --cluster=mycluster --label-match=foo=bar,bar=baz

$rosa create ingress--cluster=mycluster --label-match=foo=bar,bar=baz

Copy to Clipboard

8.2.3.8. create kubeletconfig

Create a customKubeletConfig object to allow custom configuration of nodes in a

Syntax

rosa create kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

$rosa create kubeletconfig--cluster=<cluster_name|cluster_id>--name=<kubeletconfig_name> --pod-pids-limit=<number>[flags]

Copy to Clipboard

Table 8.31. Flags
Option	Definition
--pod-pids-limit <number>	Required. The maximum number of PIDs for each node in the
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster in which to create the`KubeletConfig` object.
--name	Specifies a name for the`KubeletConfig` object.
-i, --interactive	Enable interactive mode.
-h, --help	Shows help for this command.

For more information about setting the PID limit for the cluster, seeConfiguring PID limits.

8.2.3.9. create machinepool

Add a machine pool to an existing cluster.

Syntax

rosa create machinepool --cluster=<cluster_name> | <cluster_id> --replicas=<number> --name=<machinepool_name> [arguments]

$rosa create machinepool--cluster=<cluster_name>|<cluster_id>--replicas=<number>--name=<machinepool_name>[arguments]

Copy to Clipboard

Table 8.32. Arguments
Option	Definition
--additional-security-group-ids <sec_group_id>	The identifier of one or more additional security groups to use along with the default security groups for this machine pool. For more information on additional security groups, see the requirements forSecurity groups underAdditional resources.
--cluster <cluster_name>\|<cluster_id>	Required: The name or ID of the cluster to which the machine pool will be added.
--disk-size	Set the disk volume size for the machine pool, in Gib or TiB. The default is 300 GiB. For ROSA (classic architecture) clusters version 4.13 or earlier, the minimum disk size is 128 GiB, and the maximum is 1 TiB. For cluster version 4.14 and later, the minimum is 128 GiB, and the maximum is 16 TiB. For ROSA with HCP clusters, the minimum disk size is 75 GiB, and the maximum is 16,384 GiB.
--enable-autoscaling	Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the`--min-replicas` and`--max-replicas` arguments. To disable autoscaling, use`--enable-autoscaling=false` with the`--replicas` argument.
--instance-type	The instance type (string) that should be used. Default:`m5.xlarge`
--kubelet-configs <kubeletconfig_name>	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any`KubeletConfig` objects to apply to nodes in a machine pool.
--labels	The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. This list overwrites any modifications made to node labels on an ongoing basis.
--max-replicas	Specifies the maximum number of compute nodes when enabling autoscaling.
--min-replicas	Specifies the minimum number of compute nodes when enabling autoscaling.
--max-surge	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the`max-surge` parameter defines the number of new nodes that can be provisioned in excess of the desired number of replicas for the machine pool, as configured using the`--replicas` parameter, or as determined by the autoscaler when autoscaling is enabled. This can be an absolute number (for example,`2`) or a percentage of the machine pool size (for example,`20%`), but must use the same unit as the`max-unavailable` parameter. The default value is`1`, meaning that the maximum number of nodes in the machine pool during an upgrade is 1 plus the desired number of replicas for the machine pool. In this situation, one excess node can be provisioned before existing nodes need to be made unavailable. The number of nodes that can be provisioned simultaneously during an upgrade is`max-surge` plus`max-unavailable`.
--max-unavailable	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the`max-unavailable` parameter defines the number of nodes that can be made unavailable in a machine pool during an upgrade, before new nodes are provisioned. This can be an absolute number (for example,`2`) or a percentage of the current replica count in the machine pool (for example,`20%`), but must use the same unit as the`max-surge` parameter. The default value is`0`, meaning that no outdated nodes are removed before new nodes are provisioned. The valid range for this value is from`0` to the current machine pool size, or from`0%` to`100%`. The total number of nodes that can be upgraded simultaneously during an upgrade is`max-surge` plus`max-unavailable`.
--name	Required: The name (string) for the machine pool.
--replicas	Required when autoscaling is not configured. The number (integer) of machines for this machine pool.
--tags	Apply user defined tags to all resources created by ROSA in AWS. Tags are comma separated, for example:`'key value, foo bar'`.
--taints	Taints for the machine pool. This string value should be formatted as a comma-separated list of`key=value:ScheduleType`. This list will overwrite any modifications made to Node taints on an ongoing basis.
--autorepair	AutoRepair setting for the machine pool represented as the boolean`true` or`false`.

Table 8.33. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Interactively add a machine pool to a cluster namedmycluster.

rosa create machinepool --cluster=mycluster --interactive

$rosa create machinepool--cluster=mycluster--interactive

Copy to Clipboard

Add a machine pool that is namedmp-1 to a cluster with autoscaling enabled.

rosa create machinepool --cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5 --name=mp-1

$rosa create machinepool--cluster=mycluster --enable-autoscaling --min-replicas=2 --max-replicas=5--name=mp-1

Copy to Clipboard

Add a machine pool that is namedmp-1 with 3 replicas ofm5.xlarge to a cluster.

rosa create machinepool --cluster=mycluster --replicas=3 --instance-type=m5.xlarge --name=mp-1

$rosa create machinepool--cluster=mycluster--replicas=3 --instance-type=m5.xlarge--name=mp-1

Copy to Clipboard

Add a machine pool (mp-1) to a Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) cluster, configuring 6 replicas and the following upgrade behavior:

Allow up to 2 excess nodes to be provisioned during an upgrade.
Ensure that no more than 3 nodes are unavailable during an upgrade.

rosa create machinepool --cluster=mycluster --replicas=6 --name=mp-1 --max-surge=2 --max-unavailable=3

$rosa create machinepool--cluster=mycluster--replicas=6--name=mp-1 --max-surge=2 --max-unavailable=3

Copy to Clipboard

Add a machine pool with labels to a cluster.

rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --labels=foo=bar,bar=baz --name=mp-1

$rosa create machinepool--cluster=mycluster--replicas=2 --instance-type=r5.2xlarge--labels=foo=bar,bar=baz--name=mp-1

Copy to Clipboard

Add a machine pool with tags to a cluster.

rosa create machinepool --cluster=mycluster --replicas=2 --instance-type=r5.2xlarge --tags='foo bar,bar baz' --name=mp-1

$rosa create machinepool--cluster=mycluster--replicas=2 --instance-type=r5.2xlarge--tags='foo bar,bar baz'--name=mp-1

Copy to Clipboard

8.2.3.10. create network

Create a network that creates any necessary AWS resources through AWS CloudFormation templates. This helper command is intended to help create and configure a VPC for use with ROSA with HCP. This command also supports zero egress clusters.

Important

Running this command creates resources within your AWS account.

Note

For custom or advanced configurations, it is highly recommended to use the AWS CLI directly using theaws cloudformation command or create a new custom template with the required configurations. If you use a custom CloudFormation template with the ROSA CLI, the minimum required version is 1.2.47 or later.

Syntax

rosa create network [flags]

$rosa create network[flags]

Copy to Clipboard

Table 8.34. Arguments
Option	Definition
<template-name>	Allows you to use a custom template. Templates must be in the template folder, structured as`templates/<template-name>/cloudformation.yaml`. If no template name is provided, the command uses the default template. For binary builds, this template directory must be referenced manually after it is downloaded.

Default CloudFormation template

AWSTemplateFormatVersion: '2010-09-09'Description: CloudFormation template to create a ROSA Quickstart default VPC.  This CloudFormation template may not work with rosa CLI versions later than 1.2.48.  Please ensure that you are using the compatible CLI version before deploying this template.Parameters:  AvailabilityZoneCount:    Type: Number    Description: "Number of Availability Zones to use"    Default: 1    MinValue: 1    MaxValue: 4  AZ1:    Type: String    Description: "First availability zone to use"    Default: ""  AZ2:    Type: String    Description: "Second availability zone to use"    Default: ""  AZ3:    Type: String    Description: "Third availability zone to use"    Default: ""  AZ4:    Type: String    Description: "Fourth availability zone to use"    Default: ""  Region:    Type: String    Description: "AWS Region"    Default: "us-west-2"  Name:    Type: String    Description: "Name prefix for resources"  VpcCidr:    Type: String    Description: CIDR block for the VPC    Default: '10.0.0.0/16'Conditions:  AZ1Explicit: !Not [!Equals [!Ref AZ1, ""]]  AZ2Explicit: !Not [!Equals [!Ref AZ2, ""]]  AZ3Explicit: !Not [!Equals [!Ref AZ3, ""]]  AZ4Explicit: !Not [!Equals [!Ref AZ4, ""]]  ExplicitAZs:   !Or [!Condition AZ1Explicit, !Condition AZ2Explicit, !Condition AZ3Explicit, !Condition AZ4Explicit]  NoExplicitAZs: !Not [!Condition ExplicitAZs]  AZ4Implicit: !Equals [!Ref AvailabilityZoneCount, 4]  AZ3Implicit: !Or [!Equals [!Ref AvailabilityZoneCount, 3], !Condition AZ4Implicit]  AZ2Implicit: !Or [!Equals [!Ref AvailabilityZoneCount, 2], !Condition AZ3Implicit]  AZ1Implicit: !Or [!Equals [!Ref AvailabilityZoneCount, 1], !Condition AZ2Implicit]  One:   !Or [!And [!Condition ExplicitAZs, !Condition AZ1Explicit], !And [!Condition NoExplicitAZs, !Condition AZ1Implicit]]  Two:   !Or [!And [!Condition ExplicitAZs, !Condition AZ2Explicit], !And [!Condition NoExplicitAZs, !Condition AZ2Implicit]]  Three: !Or [!And [!Condition ExplicitAZs, !Condition AZ3Explicit], !And [!Condition NoExplicitAZs, !Condition AZ3Implicit]]  Four:  !Or [!And [!Condition ExplicitAZs, !Condition AZ4Explicit], !And [!Condition NoExplicitAZs, !Condition AZ4Implicit]]Resources:  VPC:    Type: AWS::EC2::VPC    Properties:      CidrBlock: !Ref VpcCidr      EnableDnsSupport: true      EnableDnsHostnames: true      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  S3VPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.s3"      VpcEndpointType: Gateway      RouteTableIds:        - !Ref PublicRouteTable        - !Ref PrivateRouteTable  SubnetPublic1:    Type: AWS::EC2::Subnet    Condition: One    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ1, !Select [0, !GetAZs '']]      MapPublicIpOnLaunch: true      Tags:        - Key: Name          Value: !Sub "${Name}-Public-Subnet-1"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/elb'          Value: '1'  SubnetPrivate1:    Type: AWS::EC2::Subnet    Condition: One    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ1, !Select [0, !GetAZs '']]      MapPublicIpOnLaunch: false      Tags:        - Key: Name          Value: !Sub "${Name}-Private-Subnet-1"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/internal-elb'          Value: '1'  SubnetPublic2:    Type: AWS::EC2::Subnet    Condition: Two    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ2, !Select [1, !GetAZs '']]      MapPublicIpOnLaunch: true      Tags:        - Key: Name          Value: !Sub "${Name}-Public-Subnet-2"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/elb'          Value: '1'  SubnetPrivate2:    Type: AWS::EC2::Subnet    Condition: Two    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ2, !Select [1, !GetAZs '']]      MapPublicIpOnLaunch: false      Tags:        - Key: Name          Value: !Sub "${Name}-Private-Subnet-2"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/internal-elb'          Value: '1'  SubnetPublic3:    Type: AWS::EC2::Subnet    Condition: Three    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ3, !Select [2, !GetAZs '']]      MapPublicIpOnLaunch: true      Tags:        - Key: Name          Value: !Sub "${Name}-Public-Subnet-3"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/elb'          Value: '1'  SubnetPrivate3:    Type: AWS::EC2::Subnet    Condition: Three    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ3, !Select [2, !GetAZs '']]      MapPublicIpOnLaunch: false      Tags:        - Key: Name          Value: !Sub "${Name}-Private-Subnet-3"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/internal-elb'          Value: '1'  SubnetPublic4:    Type: AWS::EC2::Subnet    Condition: Four    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [6, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ4, !Select [3, !GetAZs '']]      MapPublicIpOnLaunch: true      Tags:        - Key: Name          Value: !Sub "${Name}-Public-Subnet-4"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/elb'          Value: '1'  SubnetPrivate4:    Type: AWS::EC2::Subnet    Condition: Four    Properties:      VpcId: !Ref VPC      CidrBlock: !Select [7, !Cidr [!Ref VpcCidr, 8, 8]]      AvailabilityZone: !If [ExplicitAZs, !Ref AZ4, !Select [3, !GetAZs '']]      MapPublicIpOnLaunch: false      Tags:        - Key: Name          Value: !Sub "${Name}-Private-Subnet-4"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'        - Key: 'kubernetes.io/role/internal-elb'          Value: '1'  InternetGateway:    Type: AWS::EC2::InternetGateway    Properties:      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  AttachGateway:    Type: AWS::EC2::VPCGatewayAttachment    Properties:      VpcId: !Ref VPC      InternetGatewayId: !Ref InternetGateway  ElasticIP1:    Condition: One    Type: AWS::EC2::EIP    Properties:      Domain: vpc      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  ElasticIP2:    Condition: Two    Type: AWS::EC2::EIP    Properties:      Domain: vpc      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  ElasticIP3:    Condition: Three    Type: AWS::EC2::EIP    Properties:      Domain: vpc      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  ElasticIP4:    Condition: Four    Type: AWS::EC2::EIP    Properties:      Domain: vpc      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  NATGateway1:    Condition: One    Type: 'AWS::EC2::NatGateway'    Properties:      AllocationId: !GetAtt ElasticIP1.AllocationId      SubnetId: !Ref SubnetPublic1      Tags:        - Key: Name          Value: !Sub "${Name}-NAT-1"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  NATGateway2:    Condition: Two    Type: 'AWS::EC2::NatGateway'    Properties:      AllocationId: !GetAtt ElasticIP2.AllocationId      SubnetId: !Ref SubnetPublic2      Tags:        - Key: Name          Value: !Sub "${Name}-NAT-2"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  NATGateway3:    Condition: Three    Type: 'AWS::EC2::NatGateway'    Properties:      AllocationId: !GetAtt ElasticIP3.AllocationId      SubnetId: !Ref SubnetPublic3      Tags:        - Key: Name          Value: !Sub "${Name}-NAT-3"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  NATGateway4:    Condition: Four    Type: 'AWS::EC2::NatGateway'    Properties:      AllocationId: !GetAtt ElasticIP4.AllocationId      SubnetId: !Ref SubnetPublic4      Tags:        - Key: Name          Value: !Sub "${Name}-NAT-4"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  PublicRouteTable:    Type: AWS::EC2::RouteTable    Properties:      VpcId: !Ref VPC      Tags:        - Key: Name          Value: !Ref Name        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  PublicRoute:    Type: AWS::EC2::Route    DependsOn: AttachGateway    Properties:      RouteTableId: !Ref PublicRouteTable      DestinationCidrBlock: 0.0.0.0/0      GatewayId: !Ref InternetGateway  PrivateRouteTable:    Type: AWS::EC2::RouteTable    Properties:      VpcId: !Ref VPC      Tags:        - Key: Name          Value: !Sub "${Name}-Private-Route-Table"        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'        - Key: 'service'          Value: 'ROSA'  PrivateRoute:    Type: AWS::EC2::Route    Properties:      RouteTableId: !Ref PrivateRouteTable      DestinationCidrBlock: 0.0.0.0/0      NatGatewayId: !If        - One        - !Ref NATGateway1        - !If          - Two          - !Ref NATGateway2          - !If            - Three            - !Ref NATGateway3            - !If              - Four              - !Ref NATGateway4              - !Ref "AWS::NoValue"  PublicSubnetRouteTableAssociation1:    Condition: One    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPublic1      RouteTableId: !Ref PublicRouteTable  PublicSubnetRouteTableAssociation2:    Condition: Two    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPublic2      RouteTableId: !Ref PublicRouteTable  PublicSubnetRouteTableAssociation3:    Condition: Three    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPublic3      RouteTableId: !Ref PublicRouteTable  PublicSubnetRouteTableAssociation4:    Condition: Four    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPublic4      RouteTableId: !Ref PublicRouteTable  PrivateSubnetRouteTableAssociation1:    Condition: One    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPrivate1      RouteTableId: !Ref PrivateRouteTable  PrivateSubnetRouteTableAssociation2:    Condition: Two    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPrivate2      RouteTableId: !Ref PrivateRouteTable  PrivateSubnetRouteTableAssociation3:    Condition: Three    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPrivate3      RouteTableId: !Ref PrivateRouteTable  PrivateSubnetRouteTableAssociation4:    Condition: Four    Type: AWS::EC2::SubnetRouteTableAssociation    Properties:      SubnetId: !Ref SubnetPrivate4      RouteTableId: !Ref PrivateRouteTable  SecurityGroup:    Type: AWS::EC2::SecurityGroup    Properties:      GroupDescription: "Authorize inbound VPC traffic"      VpcId: !Ref VPC      SecurityGroupIngress:        - IpProtocol: -1          FromPort: 0          ToPort: 0          CidrIp: "10.0.0.0/16"      SecurityGroupEgress:        - IpProtocol: -1          FromPort: 0          ToPort: 0          CidrIp: 0.0.0.0/0      Tags:        - Key: Name          Value: !Ref Name        - Key: 'service'          Value: 'ROSA'        - Key: 'rosa_managed_policies'          Value: 'true'        - Key: 'rosa_hcp_policies'          Value: 'true'  EC2VPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.ec2"      PrivateDnsEnabled: true      VpcEndpointType: Interface      SubnetIds:        - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]        - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]        - !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]        - !If [Four, !Ref SubnetPrivate4, !Ref "AWS::NoValue"]      SecurityGroupIds:        - !Ref SecurityGroup  KMSVPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.kms"      PrivateDnsEnabled: true      VpcEndpointType: Interface      SubnetIds:        - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]        - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]        - !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]        - !If [Four, !Ref SubnetPrivate4, !Ref "AWS::NoValue"]      SecurityGroupIds:        - !Ref SecurityGroup  STSVPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.sts"      PrivateDnsEnabled: true      VpcEndpointType: Interface      SubnetIds:        - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]        - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]        - !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]        - !If [Four, !Ref SubnetPrivate4, !Ref "AWS::NoValue"]      SecurityGroupIds:        - !Ref SecurityGroup  EcrApiVPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.ecr.api"      PrivateDnsEnabled: true      VpcEndpointType: Interface      SubnetIds:        - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]        - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]        - !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]        - !If [Four, !Ref SubnetPrivate4, !Ref "AWS::NoValue"]      SecurityGroupIds:        - !Ref SecurityGroup  EcrDkrVPCEndpoint:    Type: AWS::EC2::VPCEndpoint    Properties:      VpcId: !Ref VPC      ServiceName: !Sub "com.amazonaws.${Region}.ecr.dkr"      PrivateDnsEnabled: true      VpcEndpointType: Interface      SubnetIds:        - !If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"]        - !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"]        - !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"]        - !If [Four, !Ref SubnetPrivate4, !Ref "AWS::NoValue"]      SecurityGroupIds:        - !Ref SecurityGroupOutputs:  VPCId:    Description: "VPC Id"    Value: !Ref VPC    Export:      Name: !Sub "${Name}-VPCId"  VPCEndpointId:    Description: The ID of the VPC Endpoint    Value: !Ref S3VPCEndpoint    Export:      Name: !Sub "${Name}-VPCEndpointId"  PublicSubnets:    Description: "Public Subnet Ids"    Value: !Join [",", [!If [One, !Ref SubnetPublic1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPublic2, !Ref "AWS::NoValue"], !If [Three, !Ref SubnetPublic3, !Ref "AWS::NoValue"], !If [Four, !Ref SubnetPublic4, !Ref "AWS::NoValue"]]]    Export:      Name: !Sub "${Name}-PublicSubnets"  PrivateSubnets:    Description: "Private Subnet Ids"    Value: !Join [",", [!If [One, !Ref SubnetPrivate1, !Ref "AWS::NoValue"], !If [Two, !Ref SubnetPrivate2, !Ref "AWS::NoValue"], !If [Three, !Ref SubnetPrivate3, !Ref "AWS::NoValue"], !If [Four, !Ref SubnetPublic4, !Ref "AWS::NoValue"]]]    Export:      Name: !Sub "${Name}-PrivateSubnets"  EIP1AllocationId:    Condition: One    Description: Allocation ID for ElasticIP1    Value: !GetAtt ElasticIP1.AllocationId    Export:      Name: !Sub "${Name}-EIP1-AllocationId"  EIP2AllocationId:    Condition: Two    Description: Allocation ID for ElasticIP2    Value: !GetAtt ElasticIP2.AllocationId    Export:      Name: !Sub "${Name}-EIP2-AllocationId"  EIP3AllocationId:    Condition: Three    Description: Allocation ID for ElasticIP3    Value: !GetAtt ElasticIP3.AllocationId    Export:      Name: !Sub "${Name}-EIP3-AllocationId"  EIP4AllocationId:    Condition: Four    Description: Allocation ID for ElasticIP4    Value: !GetAtt ElasticIP4.AllocationId    Export:      Name: !Sub "${Name}-EIP4-AllocationId"  NatGatewayId:    Description: The NAT Gateway IDs    Value: !Join [",", [!If [One, !Ref NATGateway1, !Ref "AWS::NoValue"], !If [Two, !Ref NATGateway2, !Ref "AWS::NoValue"], !If [Three, !Ref NATGateway3, !Ref "AWS::NoValue"], !If [Four, !Ref NATGateway4, !Ref "AWS::NoValue"]]]    Export:      Name: !Sub "${Name}-NatGatewayId"  InternetGatewayId:    Description: The ID of the Internet Gateway    Value: !Ref InternetGateway    Export:      Name: !Sub "${Name}-InternetGatewayId"  PublicRouteTableId:    Description: The ID of the public route table    Value: !Ref PublicRouteTable    Export:      Name: !Sub "${Name}-PublicRouteTableId"  PrivateRouteTableId:    Description: The ID of the private route table    Value: !Ref PrivateRouteTable    Export:      Name: !Sub "${Name}-PrivateRouteTableId"  EC2VPCEndpointId:    Description: The ID of the EC2 VPC Endpoint    Value: !Ref EC2VPCEndpoint    Export:      Name: !Sub "${Name}-EC2VPCEndpointId"  KMSVPCEndpointId:    Description: The ID of the KMS VPC Endpoint    Value: !Ref KMSVPCEndpoint    Export:      Name: !Sub "${Name}-KMSVPCEndpointId"  STSVPCEndpointId:    Description: The ID of the STS VPC Endpoint    Value: !Ref STSVPCEndpoint    Export:      Name: !Sub "${Name}-STSVPCEndpointId"  EcrApiVPCEndpointId:    Description: The ID of the ECR API VPC Endpoint    Value: !Ref EcrApiVPCEndpoint    Export:      Name: !Sub "${Name}-EcrApiVPCEndpointId"  EcrDkrVPCEndpointId:    Description: The ID of the ECR DKR VPC Endpoint    Value: !Ref EcrDkrVPCEndpoint    Export:      Name: !Sub "${Name}-EcrDkrVPCEndpointId"

AWSTemplateFormatVersion:'2010-09-09'Description: CloudFormation template to create a ROSA Quickstart default VPC.  This CloudFormation template may not work with rosa CLI versions later than 1.2.48.  Please ensure that you are using the compatible CLI version before deploying this template.Parameters:AvailabilityZoneCount:Type: NumberDescription:"Number of Availability Zones to use"Default:1MinValue:1MaxValue:4AZ1:Type: StringDescription:"First availability zone to use"Default:""AZ2:Type: StringDescription:"Second availability zone to use"Default:""AZ3:Type: StringDescription:"Third availability zone to use"Default:""AZ4:Type: StringDescription:"Fourth availability zone to use"Default:""Region:Type: StringDescription:"AWS Region"Default:"us-west-2"Name:Type: StringDescription:"Name prefix for resources"VpcCidr:Type: StringDescription: CIDR block for the VPCDefault:'10.0.0.0/16'Conditions:AZ1Explicit:!Not[!Equals[!Ref AZ1,""]]AZ2Explicit:!Not[!Equals[!Ref AZ2,""]]AZ3Explicit:!Not[!Equals[!Ref AZ3,""]]AZ4Explicit:!Not[!Equals[!Ref AZ4,""]]ExplicitAZs:!Or[!Condition AZ1Explicit,!Condition AZ2Explicit,!Condition AZ3Explicit,!Condition AZ4Explicit]NoExplicitAZs:!Not[!Condition ExplicitAZs]AZ4Implicit:!Equals[!Ref AvailabilityZoneCount,4]AZ3Implicit:!Or[!Equals[!Ref AvailabilityZoneCount,3],!Condition AZ4Implicit]AZ2Implicit:!Or[!Equals[!Ref AvailabilityZoneCount,2],!Condition AZ3Implicit]AZ1Implicit:!Or[!Equals[!Ref AvailabilityZoneCount,1],!Condition AZ2Implicit]One:!Or[!And[!Condition ExplicitAZs,!Condition AZ1Explicit],!And[!Condition NoExplicitAZs,!Condition AZ1Implicit]]Two:!Or[!And[!Condition ExplicitAZs,!Condition AZ2Explicit],!And[!Condition NoExplicitAZs,!Condition AZ2Implicit]]Three:!Or[!And[!Condition ExplicitAZs,!Condition AZ3Explicit],!And[!Condition NoExplicitAZs,!Condition AZ3Implicit]]Four:!Or[!And[!Condition ExplicitAZs,!Condition AZ4Explicit],!And[!Condition NoExplicitAZs,!Condition AZ4Implicit]]Resources:VPC:Type: AWS::EC2::VPCProperties:CidrBlock:!Ref VpcCidrEnableDnsSupport:trueEnableDnsHostnames:trueTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'S3VPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.s3"VpcEndpointType: GatewayRouteTableIds:-!Ref PublicRouteTable-!Ref PrivateRouteTableSubnetPublic1:Type: AWS::EC2::SubnetCondition: OneProperties:VpcId:!Ref VPCCidrBlock:!Select[0,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ1,!Select[0,!GetAZs'']]MapPublicIpOnLaunch:trueTags:-Key: NameValue:!Sub"${Name}-Public-Subnet-1"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/elb'Value:'1'SubnetPrivate1:Type: AWS::EC2::SubnetCondition: OneProperties:VpcId:!Ref VPCCidrBlock:!Select[1,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ1,!Select[0,!GetAZs'']]MapPublicIpOnLaunch:falseTags:-Key: NameValue:!Sub"${Name}-Private-Subnet-1"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/internal-elb'Value:'1'SubnetPublic2:Type: AWS::EC2::SubnetCondition: TwoProperties:VpcId:!Ref VPCCidrBlock:!Select[2,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ2,!Select[1,!GetAZs'']]MapPublicIpOnLaunch:trueTags:-Key: NameValue:!Sub"${Name}-Public-Subnet-2"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/elb'Value:'1'SubnetPrivate2:Type: AWS::EC2::SubnetCondition: TwoProperties:VpcId:!Ref VPCCidrBlock:!Select[3,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ2,!Select[1,!GetAZs'']]MapPublicIpOnLaunch:falseTags:-Key: NameValue:!Sub"${Name}-Private-Subnet-2"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/internal-elb'Value:'1'SubnetPublic3:Type: AWS::EC2::SubnetCondition: ThreeProperties:VpcId:!Ref VPCCidrBlock:!Select[4,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ3,!Select[2,!GetAZs'']]MapPublicIpOnLaunch:trueTags:-Key: NameValue:!Sub"${Name}-Public-Subnet-3"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/elb'Value:'1'SubnetPrivate3:Type: AWS::EC2::SubnetCondition: ThreeProperties:VpcId:!Ref VPCCidrBlock:!Select[5,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ3,!Select[2,!GetAZs'']]MapPublicIpOnLaunch:falseTags:-Key: NameValue:!Sub"${Name}-Private-Subnet-3"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/internal-elb'Value:'1'SubnetPublic4:Type: AWS::EC2::SubnetCondition: FourProperties:VpcId:!Ref VPCCidrBlock:!Select[6,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ4,!Select[3,!GetAZs'']]MapPublicIpOnLaunch:trueTags:-Key: NameValue:!Sub"${Name}-Public-Subnet-4"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/elb'Value:'1'SubnetPrivate4:Type: AWS::EC2::SubnetCondition: FourProperties:VpcId:!Ref VPCCidrBlock:!Select[7,!Cidr[!Ref VpcCidr,8,8]]AvailabilityZone:!If[ExplicitAZs,!Ref AZ4,!Select[3,!GetAZs'']]MapPublicIpOnLaunch:falseTags:-Key: NameValue:!Sub"${Name}-Private-Subnet-4"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'-Key:'kubernetes.io/role/internal-elb'Value:'1'InternetGateway:Type: AWS::EC2::InternetGatewayProperties:Tags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'AttachGateway:Type: AWS::EC2::VPCGatewayAttachmentProperties:VpcId:!Ref VPCInternetGatewayId:!Ref InternetGatewayElasticIP1:Condition: OneType: AWS::EC2::EIPProperties:Domain: vpcTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'ElasticIP2:Condition: TwoType: AWS::EC2::EIPProperties:Domain: vpcTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'ElasticIP3:Condition: ThreeType: AWS::EC2::EIPProperties:Domain: vpcTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'ElasticIP4:Condition: FourType: AWS::EC2::EIPProperties:Domain: vpcTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'NATGateway1:Condition: OneType:'AWS::EC2::NatGateway'Properties:AllocationId:!GetAtt ElasticIP1.AllocationIdSubnetId:!Ref SubnetPublic1Tags:-Key: NameValue:!Sub"${Name}-NAT-1"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'NATGateway2:Condition: TwoType:'AWS::EC2::NatGateway'Properties:AllocationId:!GetAtt ElasticIP2.AllocationIdSubnetId:!Ref SubnetPublic2Tags:-Key: NameValue:!Sub"${Name}-NAT-2"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'NATGateway3:Condition: ThreeType:'AWS::EC2::NatGateway'Properties:AllocationId:!GetAtt ElasticIP3.AllocationIdSubnetId:!Ref SubnetPublic3Tags:-Key: NameValue:!Sub"${Name}-NAT-3"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'NATGateway4:Condition: FourType:'AWS::EC2::NatGateway'Properties:AllocationId:!GetAtt ElasticIP4.AllocationIdSubnetId:!Ref SubnetPublic4Tags:-Key: NameValue:!Sub"${Name}-NAT-4"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'PublicRouteTable:Type: AWS::EC2::RouteTableProperties:VpcId:!Ref VPCTags:-Key: NameValue:!Ref Name-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'PublicRoute:Type: AWS::EC2::RouteDependsOn: AttachGatewayProperties:RouteTableId:!Ref PublicRouteTableDestinationCidrBlock: 0.0.0.0/0GatewayId:!Ref InternetGatewayPrivateRouteTable:Type: AWS::EC2::RouteTableProperties:VpcId:!Ref VPCTags:-Key: NameValue:!Sub"${Name}-Private-Route-Table"-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'-Key:'service'Value:'ROSA'PrivateRoute:Type: AWS::EC2::RouteProperties:RouteTableId:!Ref PrivateRouteTableDestinationCidrBlock: 0.0.0.0/0NatGatewayId:!If- One-!Ref NATGateway1-!If- Two-!Ref NATGateway2-!If- Three-!Ref NATGateway3-!If- Four-!Ref NATGateway4-!Ref"AWS::NoValue"PublicSubnetRouteTableAssociation1:Condition: OneType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPublic1RouteTableId:!Ref PublicRouteTablePublicSubnetRouteTableAssociation2:Condition: TwoType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPublic2RouteTableId:!Ref PublicRouteTablePublicSubnetRouteTableAssociation3:Condition: ThreeType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPublic3RouteTableId:!Ref PublicRouteTablePublicSubnetRouteTableAssociation4:Condition: FourType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPublic4RouteTableId:!Ref PublicRouteTablePrivateSubnetRouteTableAssociation1:Condition: OneType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPrivate1RouteTableId:!Ref PrivateRouteTablePrivateSubnetRouteTableAssociation2:Condition: TwoType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPrivate2RouteTableId:!Ref PrivateRouteTablePrivateSubnetRouteTableAssociation3:Condition: ThreeType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPrivate3RouteTableId:!Ref PrivateRouteTablePrivateSubnetRouteTableAssociation4:Condition: FourType: AWS::EC2::SubnetRouteTableAssociationProperties:SubnetId:!Ref SubnetPrivate4RouteTableId:!Ref PrivateRouteTableSecurityGroup:Type: AWS::EC2::SecurityGroupProperties:GroupDescription:"Authorize inbound VPC traffic"VpcId:!Ref VPCSecurityGroupIngress:-IpProtocol:-1FromPort:0ToPort:0CidrIp:"10.0.0.0/16"SecurityGroupEgress:-IpProtocol:-1FromPort:0ToPort:0CidrIp: 0.0.0.0/0Tags:-Key: NameValue:!Ref Name-Key:'service'Value:'ROSA'-Key:'rosa_managed_policies'Value:'true'-Key:'rosa_hcp_policies'Value:'true'EC2VPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.ec2"PrivateDnsEnabled:trueVpcEndpointType: InterfaceSubnetIds:-!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"]-!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"]-!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"]-!If[Four,!Ref SubnetPrivate4,!Ref"AWS::NoValue"]SecurityGroupIds:-!Ref SecurityGroupKMSVPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.kms"PrivateDnsEnabled:trueVpcEndpointType: InterfaceSubnetIds:-!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"]-!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"]-!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"]-!If[Four,!Ref SubnetPrivate4,!Ref"AWS::NoValue"]SecurityGroupIds:-!Ref SecurityGroupSTSVPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.sts"PrivateDnsEnabled:trueVpcEndpointType: InterfaceSubnetIds:-!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"]-!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"]-!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"]-!If[Four,!Ref SubnetPrivate4,!Ref"AWS::NoValue"]SecurityGroupIds:-!Ref SecurityGroupEcrApiVPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.ecr.api"PrivateDnsEnabled:trueVpcEndpointType: InterfaceSubnetIds:-!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"]-!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"]-!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"]-!If[Four,!Ref SubnetPrivate4,!Ref"AWS::NoValue"]SecurityGroupIds:-!Ref SecurityGroupEcrDkrVPCEndpoint:Type: AWS::EC2::VPCEndpointProperties:VpcId:!Ref VPCServiceName:!Sub"com.amazonaws.${Region}.ecr.dkr"PrivateDnsEnabled:trueVpcEndpointType: InterfaceSubnetIds:-!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"]-!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"]-!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"]-!If[Four,!Ref SubnetPrivate4,!Ref"AWS::NoValue"]SecurityGroupIds:-!Ref SecurityGroupOutputs:VPCId:Description:"VPC Id"Value:!Ref VPCExport:Name:!Sub"${Name}-VPCId"VPCEndpointId:Description: The ID of the VPC EndpointValue:!Ref S3VPCEndpointExport:Name:!Sub"${Name}-VPCEndpointId"PublicSubnets:Description:"Public Subnet Ids"Value:!Join[",",[!If[One,!Ref SubnetPublic1,!Ref"AWS::NoValue"],!If[Two,!Ref SubnetPublic2,!Ref"AWS::NoValue"],!If[Three,!Ref SubnetPublic3,!Ref"AWS::NoValue"],!If[Four,!Ref SubnetPublic4,!Ref"AWS::NoValue"]]]Export:Name:!Sub"${Name}-PublicSubnets"PrivateSubnets:Description:"Private Subnet Ids"Value:!Join[",",[!If[One,!Ref SubnetPrivate1,!Ref"AWS::NoValue"],!If[Two,!Ref SubnetPrivate2,!Ref"AWS::NoValue"],!If[Three,!Ref SubnetPrivate3,!Ref"AWS::NoValue"],!If[Four,!Ref SubnetPublic4,!Ref"AWS::NoValue"]]]Export:Name:!Sub"${Name}-PrivateSubnets"EIP1AllocationId:Condition: OneDescription: Allocation ID for ElasticIP1Value:!GetAtt ElasticIP1.AllocationIdExport:Name:!Sub"${Name}-EIP1-AllocationId"EIP2AllocationId:Condition: TwoDescription: Allocation ID for ElasticIP2Value:!GetAtt ElasticIP2.AllocationIdExport:Name:!Sub"${Name}-EIP2-AllocationId"EIP3AllocationId:Condition: ThreeDescription: Allocation ID for ElasticIP3Value:!GetAtt ElasticIP3.AllocationIdExport:Name:!Sub"${Name}-EIP3-AllocationId"EIP4AllocationId:Condition: FourDescription: Allocation ID for ElasticIP4Value:!GetAtt ElasticIP4.AllocationIdExport:Name:!Sub"${Name}-EIP4-AllocationId"NatGatewayId:Description: The NAT Gateway IDsValue:!Join[",",[!If[One,!Ref NATGateway1,!Ref"AWS::NoValue"],!If[Two,!Ref NATGateway2,!Ref"AWS::NoValue"],!If[Three,!Ref NATGateway3,!Ref"AWS::NoValue"],!If[Four,!Ref NATGateway4,!Ref"AWS::NoValue"]]]Export:Name:!Sub"${Name}-NatGatewayId"InternetGatewayId:Description: The ID of the Internet GatewayValue:!Ref InternetGatewayExport:Name:!Sub"${Name}-InternetGatewayId"PublicRouteTableId:Description: The ID of the public route tableValue:!Ref PublicRouteTableExport:Name:!Sub"${Name}-PublicRouteTableId"PrivateRouteTableId:Description: The ID of the private route tableValue:!Ref PrivateRouteTableExport:Name:!Sub"${Name}-PrivateRouteTableId"EC2VPCEndpointId:Description: The ID of the EC2 VPC EndpointValue:!Ref EC2VPCEndpointExport:Name:!Sub"${Name}-EC2VPCEndpointId"KMSVPCEndpointId:Description: The ID of the KMS VPC EndpointValue:!Ref KMSVPCEndpointExport:Name:!Sub"${Name}-KMSVPCEndpointId"STSVPCEndpointId:Description: The ID of the STS VPC EndpointValue:!Ref STSVPCEndpointExport:Name:!Sub"${Name}-STSVPCEndpointId"EcrApiVPCEndpointId:Description: The ID of the ECR API VPC EndpointValue:!Ref EcrApiVPCEndpointExport:Name:!Sub"${Name}-EcrApiVPCEndpointId"EcrDkrVPCEndpointId:Description: The ID of the ECR DKR VPC EndpointValue:!Ref EcrDkrVPCEndpointExport:Name:!Sub"${Name}-EcrDkrVPCEndpointId"

Copy to Clipboard

Table 8.35. Flags
Option	Definition
--template-dir	Allows you to specify the path to the template directory. Overrides the`OCM_TEMPLATE_DIR` environment variable. Required if not running the command inside the template directory.
--param Name	Define the name of your network. A required parameter when using a custom template file.
--param Region	Define the region of your network. A required parameter when using a custom template file.
--param <various>	Available parameters depend on the template. Use`--help` when in the template directory to find available parameters.
--mode=manual	Provides AWS commands to create the network stack.

Example

Create a basic network with regular arguments and flags.

rosa create network rosa-quickstart-default-vpc --param Tags=key1=value1,key2=value2 --param Name=example-stack --param Region=us-west-2

$rosa create network rosa-quickstart-default-vpc--paramTags=key1=value1,key2=value2--paramName=example-stack--paramRegion=us-west-2

Copy to Clipboard

The full list of parameters is available in the default template.

Example template

Parameters:  AvailabilityZoneCount:    Type: Number    Description: "Number of Availability Zones to use"    Default: 1    MinValue: 1    MaxValue: 3  Region:    Type: String    Description: "AWS Region"    Default: "us-west-2"  Name:    Type: String    Description: "Name prefix for resources"  VpcCidr:    Type: String    Description: CIDR block for the VPC    Default: '10.0.0.0/16'

Parameters:AvailabilityZoneCount:Type: NumberDescription:"Number of Availability Zones to use"Default:1MinValue:1MaxValue:3Region:Type: StringDescription:"AWS Region"Default:"us-west-2"Name:Type: StringDescription:"Name prefix for resources"VpcCidr:Type: StringDescription: CIDR block for the VPCDefault:'10.0.0.0/16'

Copy to Clipboard

8.2.3.11. create ocm-role

Create the required ocm-role resources for your cluster.

Syntax

rosa create ocm-role [flags]

$rosa create ocm-role[flags]

Copy to Clipboard

Table 8.36. Flags
Option	Definition
--admin	Enable admin capabilities for the role.
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto`: Resource changes will be automatically applied using the current AWS account `manual`: Commands necessary to modify AWS resources will be output to be run manually
--path string	The ARN path for the OCM role and policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the OCM role.
--prefix string	User-defined prefix for all generated AWS resources. The default is`ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operation.

For more information about the OCM role created with therosa create ocm-role command, seeAccount-wide IAM role and policy reference.

8.2.3.12. create user-role

Create the required user-role resources for your cluster.

Syntax

rosa create user-role [flags]

$rosa create user-role[flags]

Copy to Clipboard

Table 8.37. Flags
Option	Definition
--debug	Enable debug mode.
-i, --interactive	Enable interactive mode.
-m, --mode string	How to perform the operation. Valid options are: `auto`: Resource changes will be automatically applied using the current AWS account `manual`: Commands necessary to modify AWS resources will be output to be run manually
--path string	The ARN path for the user role and policies.
--permissions-boundary string	The ARN of the policy that is used to set the permissions boundary for the user role.
--prefix string	User-defined prefix for all generated AWS resources The default is`ManagedOpenShift`.
--profile string	Use a specific AWS profile from your credential file.
-y, --yes	Automatically answer yes to confirm operation.

For more information about the user role created with therosa create user-role command, seeUnderstanding AWS account association.

8.2.4. Additional resources

See AWS Instance types for a list of supported instance types.
SeeAccount-wide IAM role and policy reference for a list of IAM roles needed for cluster creation.
SeeUnderstanding AWS account association for more information about the OCM role and user role.
SeeAdditional custom security groups for information about security group requirements.

8.2.5. Edit objects

This section describes theedit commands for clusters and resources.

8.2.5.1. edit cluster

Allows edits to an existing cluster.

Syntax

rosa edit cluster --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa edit cluster--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.38. Arguments
Option	Definition
--additional-allowed-principals <arn>	A comma-separated list of additional allowed principal ARNs to be added to the Hosted Control Plane’s VPC endpoint service to enable additional VPC endpoint connection requests to be automatically accepted.
--cluster	Required: The name or ID (string) of the cluster to edit.
--private	Restricts a primary API endpoint to direct, private connectivity.
--enable-delete-protection=true	Enables the delete protection feature.
--enable-delete-protection=false	Disables the delete protection feature.

Table 8.39. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Edit a cluster namedmycluster to make it private.

rosa edit cluster --cluster=mycluster --private

$rosa edit cluster--cluster=mycluster--private

Copy to Clipboard

Edit all cluster options interactively on a cluster namedmycluster.

rosa edit cluster --cluster=mycluster --interactive

$rosa edit cluster--cluster=mycluster--interactive

Copy to Clipboard

8.2.5.2. edit ingress

Edits the default application router for a cluster.

Note

For information about editing non-default application routers, seeAdditional resources.

Syntax

rosa edit ingress --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa edit ingress--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.40. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to which the ingress will be added.
--cluster-routes-hostname	Components route hostname for OAuth, console, and download.
--cluster-routes-tls-secret-ref	Components route TLS secret reference for OAuth, console, and download.
--excluded-namespaces	Excluded namespaces for ingress. Format is a comma-separated list`value1, value2…`. If no values are specified, all namespaces will be exposed.
--label-match	The label match (string) for ingress. The format must be a comma-delimited list of key=value pairs. If no label is specified, all routes are exposed on both routers.
--lb-type	Type of Load Balancer. Options are`classic`,`nlb`.
--namespace-ownership-policy	Namespace Ownership Policy for ingress. Options are`Strict` and`InterNamespaceAllowed`. Default is`Strict`.
--private	Restricts the application route to direct, private connectivity.
--route-selector	Route Selector for ingress. Format is a comma-separated list of key=value. If no label is specified, all routes will be exposed on both routers. For legacy ingress support these are inclusion labels, otherwise they are treated as exclusion label.
--wildcard-policy	Wildcard Policy for ingress. Options are`WildcardsDisallowed` and`WildcardsAllowed`. Default is`WildcardsDisallowed`.

Table 8.41. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Make an additional ingress with the IDa1b2 as a private connection on a cluster namedmycluster.

rosa edit ingress --private --cluster=mycluster a1b2

$rosa edit ingress--private--cluster=mycluster a1b2

Copy to Clipboard

Update the router selectors for the additional ingress with the IDa1b2 on a cluster namedmycluster.

rosa edit ingress --label-match=foo=bar --cluster=mycluster a1b2

$rosa edit ingress --label-match=foo=bar--cluster=mycluster a1b2

Copy to Clipboard

Update the default ingress using the sub-domain identifierapps on a cluster namedmycluster.

rosa edit ingress --private=false --cluster=mycluster apps

$rosa edit ingress--private=false--cluster=mycluster apps

Copy to Clipboard

Update the load balancer type of theapps2 ingress.

rosa edit ingress --lb-type=nlb --cluster=mycluster apps2

$rosa edit ingress --lb-type=nlb--cluster=mycluster apps2

Copy to Clipboard

8.2.5.3. edit kubeletconfig

Edit a customKubeletConfig object in a

Syntax

rosa edit kubeletconfig --cluster=<cluster_name|cluster_id> --name=<kubeletconfig_name> --pod-pids-limit=<number> [flags]

$rosa edit kubeletconfig--cluster=<cluster_name|cluster_id>--name=<kubeletconfig_name> --pod-pids-limit=<number>[flags]

Copy to Clipboard

Table 8.42. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which the`KubeletConfig` object will be edited.
-i, --interactive	Enable interactive mode.
--pod-pids-limit <number>	Required. The maximum number of PIDs for each node in the
--name	Specifies a name for the`KubeletConfig` object.
-h, --help	Shows help for this command.

For more information about setting the PID limit for the cluster, seeConfiguring PID limits.

8.2.5.4. edit machinepool

Allows edits to the machine pool in a cluster.

Syntax

rosa edit machinepool --cluster=<cluster_name_or_id> <machinepool_name> [arguments]

$rosa edit machinepool--cluster=<cluster_name_or_id><machinepool_name>[arguments]

Copy to Clipboard

Table 8.43. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to edit on which the additional machine pool will be edited.
--enable-autoscaling	Enable or disable autoscaling of compute nodes. To enable autoscaling, use this argument with the`--min-replicas` and`--max-replicas` arguments. To disable autoscaling, use`--enable-autoscaling=false` with the`--replicas` argument.
--labels	The labels (string) for the machine pool. The format must be a comma-delimited list of key=value pairs. Editing this value only affects newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to node labels on an ongoing basis.
--kubelet-configs <kubeletconfig_name>	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the names of any`KubeletConfig` objects to apply to nodes in a machine pool.
--max-replicas	Specifies the maximum number of compute nodes when enabling autoscaling.
--min-replicas	Specifies the minimum number of compute nodes when enabling autoscaling.
--max-surge	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the`max-surge` parameter defines the number of new nodes that can be provisioned in excess of the desired number of replicas for the machine pool, as configured using the`--replicas` parameter, or as determined by the autoscaler when autoscaling is enabled. This can be an absolute number (for example,`2`) or a percentage of the machine pool size (for example,`20%`), but must use the same unit as the`max-unavailable` parameter. The default value is`1`, meaning that the maximum number of nodes in the machine pool during an upgrade is 1 plus the desired number of replicas for the machine pool. In this situation, one excess node can be provisioned before existing nodes need to be made unavailable. The number of nodes that can be provisioned simultaneously during an upgrade is`max-surge` plus`max-unavailable`.
--max-unavailable	For Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, the`max-unavailable` parameter defines the number of nodes that can be made unavailable in a machine pool during an upgrade, before new nodes are provisioned. This can be an absolute number (for example,`2`) or a percentage of the current replica count in the machine pool (for example,`20%`), but must use the same unit as the`max-surge` parameter. The default value is`0`, meaning that no outdated nodes are removed before new nodes are provisioned. The valid range for this value is from`0` to the current machine pool size, or from`0%` to`100%`. The total number of nodes that can be upgraded simultaneously during an upgrade is`max-surge` plus`max-unavailable`.
--node-drain-grace-period	Specifies the node drain grace period when upgrading or replacing the machine pool. (This is for ROSA with HCP clusters only.)
--replicas	Required when autoscaling is not configured. The number (integer) of machines for this machine pool.
--taints	Taints for the machine pool. This string value should be formatted as a comma-separated list of`key=value:ScheduleType`. Editing this value only affect newly created nodes of the machine pool, which are created by increasing the node number, and does not affect the existing nodes. This list overwrites any modifications made to Node taints on an ongoing basis.

Table 8.44. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Set 4 replicas on a machine pool namedmp1 on a cluster namedmycluster.

rosa edit machinepool --cluster=mycluster --replicas=4 mp1

$rosa edit machinepool--cluster=mycluster--replicas=4 mp1

Copy to Clipboard

Enable autoscaling on a machine pool namedmp1 on a cluster namedmycluster.

rosa edit machinepool --cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 mp1

$rosa edit machinepool--cluster=mycluster --enable-autoscaling --min-replicas=3 --max-replicas=5 mp1

Copy to Clipboard

Disable autoscaling on a machine pool namedmp1 on a cluster namedmycluster.

rosa edit machinepool --cluster=mycluster  --enable-autoscaling=false --replicas=3 mp1

$rosa edit machinepool--cluster=mycluster  --enable-autoscaling=false--replicas=3 mp1

Copy to Clipboard

Modify the autoscaling range on a machine pool namedmp1 on a cluster namedmycluster.

rosa edit machinepool --max-replicas=9 --cluster=mycluster mp1

$rosa edit machinepool --max-replicas=9--cluster=mycluster mp1

Copy to Clipboard

On Red Hat OpenShift Service on AWS (ROSA) with hosted control planes (HCP) clusters, edit themp1 machine pool to add the following behavior during upgrades:

Allow up to 2 excess nodes to be provisioned during an upgrade.
Ensure that no more than 3 nodes are unavailable during an upgrade.

rosa edit machinepool --cluster=mycluster mp1 --max-surge=2 --max-unavailable=3

$rosa edit machinepool--cluster=mycluster mp1 --max-surge=2 --max-unavailable=3

Copy to Clipboard

Associate aKubeletConfig object with an existinghigh-pid-pool machine pool on a ROSA with HCP cluster.

rosa edit machinepool -c mycluster --kubelet-configs=set-high-pids high-pid-pool

$rosa edit machinepool-c mycluster --kubelet-configs=set-high-pids high-pid-pool

Copy to Clipboard

8.2.6. Additional resources

See Configuring the Ingress Controller for information regarding editing non-default application routers.

8.2.7. Delete objects

This section describes thedelete commands for clusters and resources.

8.2.7.1. delete admin

Deletes a cluster administrator from a specified cluster.

Syntax

rosa delete admin --cluster=<cluster_name> | <cluster_id>

$rosa delete admin--cluster=<cluster_name>|<cluster_id>

Copy to Clipboard

Table 8.45. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to add to the identity provider (IDP).

Table 8.46. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Delete a cluster administrator from a cluster namedmycluster.

rosa delete admin --cluster=mycluster

$rosa delete admin--cluster=mycluster

Copy to Clipboard

8.2.7.2. delete cluster

Deletes a cluster.

Syntax

rosa delete cluster --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa delete cluster--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.47. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to delete.
--watch	Watches the cluster uninstallation logs.
--best-effort	Skips steps in the cluster destruction chain that are known to cause the cluster deletion process to fail. You should use this option with care and it is recommended that you manually check your AWS account for any resources that might be left over after using`--best-effort`.

Table 8.48. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Examples

Delete a cluster namedmycluster.

rosa delete cluster --cluster=mycluster

$rosa delete cluster--cluster=mycluster

Copy to Clipboard

8.2.7.3. delete external-auth-provider

Deletes an external authentication provider from a cluster.

Syntax

rosa delete external-auth-provider <name_of_external_auth_provider> --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa delete external-auth-provider<name_of_external_auth_provider>--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.49. Arguments
Option	Definition
--cluster	Required. The name or ID string of the cluster the external auth provider will be deleted from.

Table 8.50. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile string from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Delete an identity provider namedexauth-1 from a cluster namedmycluster.

rosa delete external-auth-provider exauth-1 --cluster=mycluster

$rosa delete external-auth-provider exauth-1--cluster=mycluster

Copy to Clipboard

8.2.7.4. delete idp

Deletes a specific identity provider (IDP) from a cluster.

Syntax

rosa delete idp --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa delete idp--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.51. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the IDP will be deleted.

Table 8.52. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Delete an identity provider namedgithub from a cluster namedmycluster.

rosa delete idp github --cluster=mycluster

$rosa delete idp github--cluster=mycluster

Copy to Clipboard

8.2.7.5. delete ingress

Deletes a non-default application router (ingress) from a cluster.

Syntax

rosa delete ingress --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa delete ingress--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.53. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the ingress will be deleted.

Table 8.54. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Examples

Delete an ingress with the IDa1b2 from a cluster namedmycluster.

rosa delete ingress --cluster=mycluster a1b2

$rosa delete ingress--cluster=mycluster a1b2

Copy to Clipboard

Delete a secondary ingress with the subdomain nameapps2 from a cluster namedmycluster.

rosa delete ingress --cluster=mycluster apps2

$rosa delete ingress--cluster=mycluster apps2

Copy to Clipboard

8.2.7.6. delete kubeletconfig

Delete a customKubeletConfig object from a cluster.

Syntax

rosa delete kubeletconfig --cluster=<cluster_name|cluster_id> [flags]

$rosa delete kubeletconfig--cluster=<cluster_name|cluster_id>[flags]

Copy to Clipboard

Table 8.55. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which you want to delete the`KubeletConfig` object.
-h, --help	Shows help for this command.
--name	Specifies a name for the`KubeletConfig` object.
-y, --yes	Automatically answers`yes` to confirm the operation.

8.2.7.7. delete machinepool

Deletes a machine pool from a cluster.

Syntax

rosa delete machinepool --cluster=<cluster_name> | <cluster_id> <machine_pool_id>

$rosa delete machinepool--cluster=<cluster_name>|<cluster_id><machine_pool_id>

Copy to Clipboard

Table 8.56. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pool will be deleted from.

Table 8.57. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--interactive	Enables interactive mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Delete the machine pool with the IDmp-1 from a cluster namedmycluster.

rosa delete machinepool --cluster=mycluster mp-1

$rosa delete machinepool--cluster=mycluster mp-1

Copy to Clipboard

8.2.8. Install and uninstall add-ons

This section describes how to install and uninstall Red Hat managed service add-ons to a cluster.

8.2.8.1. install addon

Installs a managed service add-on on a cluster.

Syntax

rosa install addon --cluster=<cluster_name> | <cluster_id> [arguments]

$rosainstall addon--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.58. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster where the add-on will be installed.

Table 8.59. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Uses a specific AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Add thedbaas-operator add-on installation to a cluster namedmycluster.

rosa install addon --cluster=mycluster dbaas-operator

$rosainstall addon--cluster=mycluster dbaas-operator

Copy to Clipboard

8.2.8.2. uninstall addon

Uninstalls a managed service add-on from a cluster.

Syntax

rosa uninstall addon --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa uninstall addon--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.60. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the add-on will be uninstalled from.

Table 8.61. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Uses a specific AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Remove thedbaas-operator add-on installation from a cluster namedmycluster.

rosa uninstall addon --cluster=mycluster dbaas-operator

$rosa uninstall addon--cluster=mycluster dbaas-operator

Copy to Clipboard

8.2.9. List and describe objects

This section describes thelist anddescribe commands for clusters and resources.

8.2.9.1. list addon

List the managed service add-on installations.

Syntax

rosa list addons --cluster=<cluster_name> | <cluster_id>

$rosa list addons--cluster=<cluster_name>|<cluster_id>

Copy to Clipboard

Table 8.62. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to list the add-ons for.

Table 8.63. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.9.2. List break glass credentials

List all of the break glass credentials for a cluster.

Syntax

rosa list break-glass-credential [arguments]

$rosa list break-glass-credential[arguments]

Copy to Clipboard

Table 8.64. Arguments
Option	Definition
--cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster to which the break glass credentials have been added.

Table 8.65. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the break glass credentials for a cluster namedmycluster.

rosa list break-glass-credential --cluster=mycluster

$rosa list break-glass-credential--cluster=mycluster

Copy to Clipboard

8.2.9.3. list clusters

List all of your clusters.

Syntax

rosa list clusters [arguments]

$rosa list clusters[arguments]

Copy to Clipboard

Table 8.66. Arguments
Option	Definition
--count	The number (integer) of clusters to display. Default:`100`

Table 8.67. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.9.4. list external-auth-provider

List any external authentication providers for a cluster.

Syntax

rosa list external-auth-provider --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list external-auth-provider--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.68. Arguments
Option	Definition
--cluster	Required: The name or ID string of the cluster that the external authentication provider will be listed for.

Table 8.69. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile string from your credentials file.

Example

List any external authentication providers for a cluster namedmycluster.

rosa list external-auth-provider --cluster=mycluster

$rosa list external-auth-provider--cluster=mycluster

Copy to Clipboard

8.2.9.5. list idps

List all of the identity providers (IDPs) for a cluster.

Syntax

rosa list idps --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list idps--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.70. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the IDPs will be listed for.

Table 8.71. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all identity providers (IDPs) for a cluster namedmycluster.

rosa list idps --cluster=mycluster

$rosa list idps--cluster=mycluster

Copy to Clipboard

8.2.9.6. list ingresses

List all of the API and ingress endpoints for a cluster.

Syntax

rosa list ingresses --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list ingresses--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.72. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the IDPs will be listed for.

Table 8.73. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all API and ingress endpoints for a cluster namedmycluster.

rosa list ingresses --cluster=mycluster

$rosa list ingresses--cluster=mycluster

Copy to Clipboard

8.2.9.7. list instance-types

List all of the available instance types for use with ROSA. Availability is based on the account’s AWS quota.

Syntax

rosa list instance-types [arguments]

$rosa list instance-types[arguments]

Copy to Clipboard

Table 8.74. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--output	The output format. Allowed formats are`json` or`yaml`.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all instance types.

rosa list instance-types

$rosa list instance-types

Copy to Clipboard

8.2.9.8. list kubeletconfigs

List theKubeletConfig objects configured on a cluster.

Syntax

rosa list kubeletconfigs --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list kubeletconfigs--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.75. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pools will be listed for.

Table 8.76. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.

Example

List all of theKubeletConfig objects on a cluster namedmycluster.

rosa list kubeletconfigs --cluster=mycluster

$rosa list kubeletconfigs--cluster=mycluster

Copy to Clipboard

8.2.9.9. list machinepools

List the machine pools configured on a cluster.

Syntax

rosa list machinepools --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list machinepools--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.77. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the machine pools will be listed for.

Table 8.78. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the machine pools on a cluster namedmycluster.

rosa list machinepools --cluster=mycluster

$rosa list machinepools--cluster=mycluster

Copy to Clipboard

8.2.9.10. list regions

List all of the available regions for the current AWS account.

Syntax

rosa list regions [arguments]

$rosa list regions[arguments]

Copy to Clipboard

Table 8.79. Arguments
Option	Definition
--multi-az	Lists regions that provide support for multiple availability zones.

Table 8.80. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the available regions.

rosa list regions

$rosa list regions

Copy to Clipboard

8.2.9.11. list upgrades

List all available and scheduled cluster version upgrades.

Syntax

rosa list upgrades --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa list upgrades--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.81. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the available upgrades will be listed for.

Table 8.82. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the available upgrades for a cluster namedmycluster.

rosa list upgrades --cluster=mycluster

$rosa list upgrades--cluster=mycluster

Copy to Clipboard

8.2.9.12. list users

List the cluster administrator and dedicated administrator users for a specified cluster.

Syntax

rosa list users --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa listusers--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.83. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the cluster administrators will be listed for.

Table 8.84. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the cluster administrators and dedicated administrators for a cluster namedmycluster.

rosa list users --cluster=mycluster

$rosa listusers--cluster=mycluster

Copy to Clipboard

8.2.9.13. list versions

List all of the OpenShift versions that are available for creating a cluster.

Syntax

rosa list versions [arguments]

$rosa list versions[arguments]

Copy to Clipboard

Table 8.85. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

List all of the OpenShift Container Platform versions.

rosa list versions

$rosa list versions

Copy to Clipboard

8.2.9.14. describe admin

Show the details of a specifiedcluster-admin user and a command to log in to the cluster.

Syntax

rosa describe admin --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa describe admin--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.86. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to which the cluster-admin belongs.

Table 8.87. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe thecluster-admin user for a cluster namedmycluster.

rosa describe admin --cluster=mycluster

$rosa describe admin--cluster=mycluster

Copy to Clipboard

8.2.9.15. describe addon

Show the details of a managed service add-on.

Syntax

rosa describe addon <addon_id> | <addon_name> [arguments]

$rosa describe addon<addon_id>|<addon_name>[arguments]

Copy to Clipboard

Table 8.88. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe an add-on nameddbaas-operator.

rosa describe addon dbaas-operator

$rosa describe addon dbaas-operator

Copy to Clipboard

8.2.9.16. describe break glass credential

Shows the details for a break glass credential for a specific cluster.

Syntax

rosa describe break-glass-credential --id=<break_glass_credential_id> --cluster=<cluster_name>| <cluster_id> [arguments]

$rosa describe break-glass-credential--id=<break_glass_credential_id>--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.89. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.
--id	Required: The ID (string) of the break glass credential.
--kubeconfig	Optional: Retrieves the kubeconfig from the break glass credential.

Table 8.90. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.9.17. describe cluster

Shows the details for a cluster.

Syntax

rosa describe cluster --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa describe cluster--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.91. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.92. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--external-id <arn_string>	An optional unique identifier that might be required when you assume a role in another account.
--profile	Specifies an AWS profile (string) from your credentials file.
--get-role-policy-bindings	Lists the policies that are attached to the STS roles assigned to the cluster.

Example

Describe a cluster namedmycluster.

rosa describe cluster --cluster=mycluster

$rosa describe cluster--cluster=mycluster

Copy to Clipboard

8.2.9.18. describe kubeletconfig

Show the details of a customKubeletConfig object.

Syntax

rosa describe kubeletconfig --cluster=<cluster_name|cluster_id> [flags]

$rosa describe kubeletconfig--cluster=<cluster_name|cluster_id>[flags]

Copy to Clipboard

Table 8.93. Flags
Option	Definition
-c, --cluster <cluster_name>\|<cluster_id>	Required. The name or ID of the cluster for which you want to view the`KubeletConfig` object.
-h, --help	Shows help for this command.
--name	Optional. Specifies the name of the`KubeletConfig` object to describe.
-o, --output string	-o, --output string

8.2.9.19. describe machinepool

Describes a specific machine pool configured on a cluster.

Syntax

rosa describe machinepool --cluster=[<cluster_name>|<cluster_id>] --machinepool=<machinepool_name> [arguments]

$rosa describe machinepool--cluster=[<cluster_name>|<cluster_id>]--machinepool=<machinepool_name>[arguments]

Copy to Clipboard

Table 8.94. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.
--machinepool	Required: The name or ID (string) of the machinepool.

Table 8.95. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Describe a machine pool namedmymachinepool on a cluster namedmycluster.

rosa describe machinepool --cluster=mycluster --machinepool=mymachinepool

$rosa describe machinepool--cluster=mycluster--machinepool=mymachinepool

Copy to Clipboard

8.2.10. Revoke objects

This section describes therevoke commands for clusters and resources.

8.2.10.1. revoke-break-glass-credential

Revokes all break glass credentials from a specified hosted control plane cluster with external authentication enabled.

Syntax

rosa revoke break-glass-credential --cluster=<cluster_name> | <cluster_id>

$rosa revoke break-glass-credential--cluster=<cluster_name>|<cluster_id>

Copy to Clipboard

Table 8.96. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster from which the break glass credentials will be deleted.

Table 8.97. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.
--yes	Automatically answers`yes` to confirm the operation.

Example

Revoke the break glass credentials from a cluster namedmycluster.

rosa revoke break-glass-credential --cluster=mycluster

$rosa revoke break-glass-credential--cluster=mycluster

Copy to Clipboard

8.2.11. Upgrade and delete upgrade for objects

This section describes theupgrade command usage for objects.

8.2.11.1. upgrade cluster

Schedule a cluster upgrade.

Syntax

rosa upgrade cluster --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa upgrade cluster--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.98. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the upgrade will be scheduled for.
--interactive	Enables interactive mode.
--version	The version (string) of OpenShift Container Platform that the cluster will be upgraded to.
--schedule-date	The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format:`yyyy-mm-dd`
--schedule-time	The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format:`HH:mm`
--node-drain-grace-period^[1]	Sets a grace period (string) for how long the pod disruption budget-protected workloads are respected during upgrades. After this grace period, any workloads protected by pod disruption budgets that have not been successfully drained from a node will be forcibly evicted. Default:`1 hour`
--control-plane^[2]	Upgrades the cluster’s hosted control plane.

Classic clusters only
ROSA with HCP clusters only

Table 8.99. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.

Examples

Interactively schedule an upgrade on a cluster namedmycluster.

rosa upgrade cluster --cluster=mycluster --interactive

$rosa upgrade cluster--cluster=mycluster--interactive

Copy to Clipboard

Schedule a cluster upgrade within the hour on a cluster namedmycluster.

rosa upgrade cluster --cluster=mycluster --version 4.5.20

$rosa upgrade cluster--cluster=mycluster--version4.5.20

Copy to Clipboard

8.2.11.2. delete cluster upgrade

Cancel a scheduled cluster upgrade.

Syntax

rosa delete upgrade --cluster=<cluster_name> | <cluster_id>

$rosa delete upgrade--cluster=<cluster_name>|<cluster_id>

Copy to Clipboard

Table 8.100. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster that the upgrade will be cancelled for.

Table 8.101. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--yes	Automatically answers`yes` to confirm the operation.

8.2.11.3. upgrade machinepool

Upgrades a specific machine pool configured on a ROSA with HCP cluster.

Note

Theupgrade command for machinepools applies to ROSA with HCP clusters only.

Syntax

rosa upgrade machinepool --cluster=<cluster_name> <machinepool_name>

$rosa upgrade machinepool--cluster=<cluster_name><machinepool_name>

Copy to Clipboard

Table 8.102. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.
--schedule-date	The next date (string) when the upgrade will run at the specified time in Coordinated Universal Time (UTC). Format:`yyyy-mm-dd`
--schedule-time	The next time the upgrade will run on the specified date in Coordinated Universal Time (UTC). Format:`HH:mm`

Table 8.103. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Upgrade a machine pool on a cluster namedmycluster.

rosa upgrade machinepool --cluster=mycluster

$rosa upgrade machinepool--cluster=mycluster

Copy to Clipboard

8.2.11.4. delete machinepool upgrade

Cancel a scheduled machinepool upgrade.

Syntax

rosa delete upgrade --cluster=<cluster_name> <machinepool_name>

$rosa delete upgrade--cluster=<cluster_name><machinepool_name>

Copy to Clipboard

Table 8.104. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.105. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

8.2.11.5. upgrade roles

Upgrades roles configured on a cluster.

Syntax

rosa upgrade roles --cluster=<cluster_id>

$rosa upgrade roles--cluster=<cluster_id>

Copy to Clipboard

Table 8.106. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster.

Table 8.107. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Upgrade roles on a cluster namedmycluster.

rosa upgrade roles --cluster=mycluster

$rosa upgrade roles--cluster=mycluster

Copy to Clipboard

8.3. Checking account and version information with the ROSA CLI

Use the following commands to check your account and version information.

8.3.1. whoami

Display information about your AWS and Red Hat accounts by using the following command syntax:

Syntax

rosa whoami [arguments]

$rosawhoami[arguments]

Copy to Clipboard

Table 8.108. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

rosa whoami

$rosawhoami

Copy to Clipboard

8.3.2. version

Display the version of yourrosa CLI by using the following command syntax:

Syntax

rosa version [arguments]

$rosa version[arguments]

Copy to Clipboard

Table 8.109. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

rosa version

$rosa version

Copy to Clipboard

8.4. Checking logs with the ROSA CLI

Use the following commands to check your install and uninstall logs.

8.4.1. logs install

Show the cluster install logs by using the following command syntax:

Syntax

rosa logs install --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa logsinstall--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.110. Arguments
Option	Definition
--cluster	Required: The name or ID (string) of the cluster to get logs for.
--tail	The number (integer) of lines to get from the end of the log. Default:`2000`
--watch	Watches for changes after getting the logs.

Table 8.111. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Examples

Show the last 100 install log lines for a cluster namedmycluster:

rosa logs install mycluster --tail=100

$rosa logsinstall mycluster--tail=100

Copy to Clipboard

Show the install logs for a cluster namedmycluster:

rosa logs install --cluster=mycluster

$rosa logsinstall--cluster=mycluster

Copy to Clipboard

8.4.2. logs uninstall

Show the cluster uninstall logs by using the following command syntax:

Syntax

rosa logs uninstall --cluster=<cluster_name> | <cluster_id> [arguments]

$rosa logs uninstall--cluster=<cluster_name>|<cluster_id>[arguments]

Copy to Clipboard

Table 8.112. Arguments
Option	Definition
--cluster	The name or ID (string) of the cluster to get logs for.
--tail	The number (integer) of lines to get from the end of the log. Default:`2000`
--watch	Watches for changes after getting the logs.

Table 8.113. Optional arguments inherited from parent commands
Option	Definition
--help	Shows help for this command.
--debug	Enables debug mode.
--profile	Specifies an AWS profile (string) from your credentials file.

Example

Show the last 100 uninstall logs for a cluster namedmycluster:

rosa logs uninstall --cluster=mycluster --tail=100

$rosa logs uninstall--cluster=mycluster--tail=100

Copy to Clipboard

8.5. Least privilege permissions for ROSA CLI commands

You can create roles with permissions that adhere to the principal of least privilege, in which the users assigned the roles have no other permissions assigned to them outside the scope of the specific action they need to perform. These policies contain only the minimum required permissions needed to perform specific actions by using the Red Hat OpenShift Service on AWS (ROSA) command-line interface (CLI).

Important

Although the policies and commands presented in this topic will work in conjunction with one another, you might have other restrictions within your AWS environment that make the policies for these commands insufficient for your specific needs. Red Hat provides these examples as a baseline, assuming no other AWS Identity and Access Management (IAM) restrictions are present.

For more information about configuring permissions, policies, and roles in the AWS console, seeAWS Identity and Access Management in the AWS documentation.

8.5.1. Least privilege permissions for common ROSA CLI commands

The following required minimum permissions for the listed ROSA CLI commands are applicable for hosted control plane (HCP) and Classic clusters.

8.5.1.1. Create a managed OpenID Connect (OIDC) provider

Run the following command with the specified permissions to create your managed OIDC provider by usingauto mode.

Input

rosa create oidc-config --mode auto

$rosa create oidc-config--mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateOidcConfig",            "Effect": "Allow",            "Action": [                "iam:TagOpenIDConnectProvider",                "iam:CreateOpenIDConnectProvider"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateOidcConfig",            "Effect": "Allow",            "Action": [                "iam:TagOpenIDConnectProvider",                "iam:CreateOpenIDConnectProvider"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.2. Create an unmanaged OpenID Connect provider

Run the following command with the specified permissions to create your unmanaged OIDC provider by usingauto mode.

Input

rosa create oidc-config --mode auto --managed=false

$rosa create oidc-config--mode auto--managed=false

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:TagOpenIDConnectProvider",                "iam:ListRoleTags",                "iam:ListRoles",                "iam:CreateOpenIDConnectProvider",                "s3:CreateBucket",                "s3:PutObject",                "s3:PutBucketTagging",                "s3:PutBucketPolicy",                "s3:PutObjectTagging",                "s3:PutBucketPublicAccessBlock",                "secretsmanager:CreateSecret",                "secretsmanager:TagResource"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:TagOpenIDConnectProvider",                "iam:ListRoleTags",                "iam:ListRoles",                "iam:CreateOpenIDConnectProvider",                "s3:CreateBucket",                "s3:PutObject",                "s3:PutBucketTagging",                "s3:PutBucketPolicy",                "s3:PutObjectTagging",                "s3:PutBucketPublicAccessBlock",                "secretsmanager:CreateSecret",                "secretsmanager:TagResource"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.3. List your account roles

Run the following command with the specified permissions to list your account roles.

Input

rosa list account-roles

$rosa list account-roles

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListAccountRoles",            "Effect": "Allow",            "Action": [                "iam:ListRoleTags",                "iam:ListRoles"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListAccountRoles",            "Effect": "Allow",            "Action": [                "iam:ListRoleTags",                "iam:ListRoles"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.4. List your Operator roles

Run the following command with the specified permissions to list your Operator roles.

Input

rosa list operator-roles

$rosa list operator-roles

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:ListRoleTags",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:ListRoleTags",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.5. List your OIDC providers

Run the following command with the specified permissions to list your OIDC providers.

Input

rosa list oidc-providers

$rosa list oidc-providers

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListOidcProviders",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:ListOpenIDConnectProviderTags"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "ListOidcProviders",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:ListOpenIDConnectProviderTags"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.6. Verify your quota

Run the following command with the specified permissions to verify your quota.

Input

rosa verify quota

$rosa verifyquota

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VerifyQuota",            "Effect": "Allow",            "Action": [                "elasticloadbalancing:DescribeAccountLimits",                "servicequotas:ListServiceQuotas"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VerifyQuota",            "Effect": "Allow",            "Action": [                "elasticloadbalancing:DescribeAccountLimits",                "servicequotas:ListServiceQuotas"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.7. Delete your managed OIDC configuration

Run the following command with the specified permissions to delete your managed OIDC configuration by usingauto mode.

Input

rosa delete oidc-config -–mode auto

$rosa delete oidc-config -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteOidcConfig",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:DeleteOpenIDConnectProvider"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteOidcConfig",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:DeleteOpenIDConnectProvider"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.1.8. Delete your unmanaged OIDC configuration

Run the following command with the specified permissions to delete your unmanaged OIDC configuration by usingauto mode.

Input

rosa delete oidc-config -–mode auto

$rosa delete oidc-config -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:DeleteOpenIDConnectProvider",                "secretsmanager:DeleteSecret",                "s3:ListBucket",                "s3:DeleteObject",                "s3:DeleteBucket"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:ListOpenIDConnectProviders",                "iam:DeleteOpenIDConnectProvider",                "secretsmanager:DeleteSecret",                "s3:ListBucket",                "s3:DeleteObject",                "s3:DeleteBucket"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.2. Least privilege permissions for common ROSA with HCP CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA with hosted control plane (HCP) clusters.

8.5.2.1. Create a cluster

Run the following command with the specified permissions to create ROSA with HCP clusters.

Input

rosa create cluster --hosted-cp

$rosa create cluster --hosted-cp

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateCluster",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListRoleTags",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "ec2:DescribeSubnets",                "ec2:DescribeRouteTables",                "ec2:DescribeAvailabilityZones"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateCluster",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListRoleTags",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "ec2:DescribeSubnets",                "ec2:DescribeRouteTables",                "ec2:DescribeAvailabilityZones"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.2.2. Create your account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles by usingauto mode.

Input

rosa create account-roles --mode auto --hosted-cp

$rosa create account-roles--mode auto --hosted-cp

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateAccountRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:UpdateAssumeRolePolicy",                "iam:ListRoleTags",                "iam:GetPolicy",                "iam:TagRole",                "iam:ListRoles",                "iam:CreateRole",                "iam:AttachRolePolicy",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateAccountRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:UpdateAssumeRolePolicy",                "iam:ListRoleTags",                "iam:GetPolicy",                "iam:TagRole",                "iam:ListRoles",                "iam:CreateRole",                "iam:AttachRolePolicy",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.2.3. Delete your account roles

Run the following command with the specified permissions to delete the account roles inauto mode.

Input

rosa delete account-roles -–mode auto

$rosa delete account-roles -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteAccountRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteAccountRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.2.4. Delete your Operator roles

Run the following command with the specified permissions to delete your Operator roles inauto mode.

Input

rosa delete operator-roles -–mode auto

$rosa delete operator-roles -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "DeleteOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.3. Least privilege permissions for common ROSA Classic CLI commands

The following examples show the least privilege permissions needed for the most common ROSA CLI commands when building ROSA Classic clusters.

8.5.3.1. Create a cluster

Run the following command with the specified permissions to create a ROSA Classic cluster with least privilege permissions.

Input

rosa create cluster

$rosa create cluster

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateCluster",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListRoleTags",                "iam:ListRoles"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateCluster",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListRoleTags",                "iam:ListRoles"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.3.2. Create account roles and Operator roles

Run the following command with the specified permissions to create account and Operator roles in `auto' mode.

Input

rosa create account-roles --mode auto --classic

$rosa create account-roles--mode auto--classic

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateAccountOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:UpdateAssumeRolePolicy",                "iam:ListRoleTags",                "iam:GetPolicy",                "iam:TagRole",                "iam:ListRoles",                "iam:CreateRole",                "iam:AttachRolePolicy",                "iam:TagPolicy",                "iam:CreatePolicy",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "CreateAccountOperatorRoles",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:UpdateAssumeRolePolicy",                "iam:ListRoleTags",                "iam:GetPolicy",                "iam:TagRole",                "iam:ListRoles",                "iam:CreateRole",                "iam:AttachRolePolicy",                "iam:TagPolicy",                "iam:CreatePolicy",                "iam:ListPolicyTags"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.3.3. Delete your account roles

Run the following command with the specified permissions to delete the account roles inauto mode.

Input

rosa delete account-roles -–mode auto

$rosa delete account-roles -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies",                "iam:GetPolicy",                "iam:ListPolicyVersions",                "iam:DeletePolicy"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies",                "iam:GetPolicy",                "iam:ListPolicyVersions",                "iam:DeletePolicy"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.3.4. Delete your Operator roles

Run the following command with the specified permissions to delete the Operator roles inauto mode.

Input

rosa delete operator-roles -–mode auto

$rosa delete operator-roles -–mode auto

Copy to Clipboard

Policy

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies",                "iam:GetPolicy",                "iam:ListPolicyVersions",                "iam:DeletePolicy"            ],            "Resource": "*"        }    ]}

{    "Version": "2012-10-17",    "Statement": [        {            "Sid": "VisualEditor0",            "Effect": "Allow",            "Action": [                "iam:GetRole",                "iam:ListInstanceProfilesForRole",                "iam:DetachRolePolicy",                "iam:ListAttachedRolePolicies",                "iam:ListRoles",                "iam:DeleteRole",                "iam:ListRolePolicies",                "iam:GetPolicy",                "iam:ListPolicyVersions",                "iam:DeletePolicy"            ],            "Resource": "*"        }    ]}

Copy to Clipboard

8.5.4. ROSA CLI commands with no required permissions

The following ROSA CLI commands do not require permissions or policies to run. Instead, they require an access key and configured secret key or an attached role.

Table 8.114. Commands
Command	Input
list cluster	`$ rosa list cluster`
list versions	`$ rosa list versions`
describe cluster	`$ rosa describe cluster -c <cluster name>`
create admin	`$ rosa create admin -c <cluster name>`
list users	`$ rosa list users -c <cluster-name>`
list upgrades	`$ rosa list upgrades`
list OIDC configuration	`$ rosa list oidc-config`
list identity providers	`$ rosa list idps -c <cluster-name>`
list ingresses	`$ rosa list ingresses -c <cluster-name>`

8.5.5. Additional resources

For more information about AWS roles, see IAM roles.
For more information about AWS policies and permissions, seePolicies and permissions in IAM.

Format

Jump to section

Movatterモバイル変換

Red Hat OpenShift Service on AWS

Chapter 8. ROSA CLI

8.1. Getting started with the ROSA CLI

8.1.1. About the ROSA CLI

8.1.2. Setting up the ROSA CLI

8.1.3. Configuring the ROSA CLI

8.1.3.1. login

8.1.3.1.1. login with single sign-on (SSO) authorization code

8.1.3.1.2. login with a single sign-on device code

8.1.3.1.3. login with an offline token

8.1.3.2. logout

8.1.3.3. verify permissions

8.1.3.4. verify quota

8.1.3.5. download rosa

8.1.3.6. download oc

8.1.3.7. verify oc

8.1.4. Initializing ROSA

8.1.4.1. init

8.1.5. Using a Bash script

8.1.6. Updating the ROSA CLI

8.2. Managing objects with the ROSA CLI

8.2.1. Common commands and arguments

8.2.1.1. debug

8.2.1.2. download

8.2.1.3. help

8.2.1.4. interactive

8.2.1.5. profile

8.2.1.6. version

8.2.2. Parent commands

8.2.2.1. create

8.2.2.2. edit

8.2.2.3. delete

8.2.2.4. list

8.2.2.5. describe

8.2.3. Create objects

8.2.3.1. create account-roles

8.2.3.2. create admin

8.2.3.3. create break glass credential

8.2.3.4. create cluster

8.2.3.5. create external-auth-provider

8.2.3.6. create idp

8.2.3.7. create ingress

8.2.3.8. create kubeletconfig

8.2.3.9. create machinepool

8.2.3.10. create network

8.2.3.11. create ocm-role

8.2.3.12. create user-role

8.2.4. Additional resources

8.2.5. Edit objects

8.2.5.1. edit cluster

8.2.5.2. edit ingress

8.2.5.3. edit kubeletconfig

8.2.5.4. edit machinepool

8.2.6. Additional resources

8.2.7. Delete objects

8.2.7.1. delete admin

8.2.7.2. delete cluster

8.2.7.3. delete external-auth-provider

8.2.7.4. delete idp

8.2.7.5. delete ingress

8.2.7.6. delete kubeletconfig

8.2.7.7. delete machinepool

8.2.8. Install and uninstall add-ons

8.2.8.1. install addon

8.2.8.2. uninstall addon

8.2.9. List and describe objects

8.2.9.1. list addon

8.2.9.2. List break glass credentials

8.2.9.3. list clusters

8.2.9.4. list external-auth-provider

8.2.9.5. list idps

8.2.9.6. list ingresses

8.2.9.7. list instance-types

8.2.9.8. list kubeletconfigs

8.2.9.9. list machinepools

8.2.9.10. list regions

8.2.9.11. list upgrades

8.2.9.12. list users

8.2.9.13. list versions