openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
enterprise-4.21
openshift-docs/modules/rosa-sts-about-ocm-role.adoc

32 lines
2.3 KiB
Plaintext
Raw Permalink Blame History

// Module included in the following assemblies:
//
// * rosa_planning/rosa-sts-ocm-role.adoc
:_mod-docs-content-type: CONCEPT
[id="rosa-sts-about-ocm-role_{context}"]
= About the ocm-role IAM resource
[role="_abstract"]
You must create the `ocm-role` IAM resource to enable a Red{nbsp}Hat organization of users to create {product-title} clusters. Within the context of linking to AWS, a Red{nbsp}Hat organization is a single user within {cluster-manager}.
Some considerations for your `ocm-role` IAM resource are:
* Only one `ocm-role` IAM role can be linked per Red{nbsp}Hat organization; however, you can have any number of `ocm-role` IAM roles per AWS account. The web UI requires that only one of these roles can be linked at a time.
* Any user in a Red{nbsp}Hat organization may create and link an `ocm-role` IAM resource.
* Only the Red{nbsp}Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red{nbsp}Hat organization members from disturbing the interface capabilities of other users.
+
[NOTE]
====
If you just created a Red{nbsp}Hat account that is not part of an existing organization, this account is also the Red{nbsp}Hat Organization Administrator.
====
+
* See "Understanding the {cluster-manager} role" in the Additional resources of this section for a list of the AWS permissions policies for the basic and admin `ocm-role` IAM resources.
Using the ROSA CLI (`rosa`), you can link your IAM resource when you create it.
[NOTE]
====
"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `ocm-role` IAM role and the Red{nbsp}Hat {cluster-manager} AWS role. After creating and linking your IAM resource, you see a trust relationship from your `ocm-role` IAM resource in AWS with the `arn:aws:iam::7333:role/RH-Managed-OpenShift-Installer` resource.
====
After a Red{nbsp}Hat Organization Administrator has created and linked an `ocm-role` IAM resource, all organization members may want to create and link their own `user-role` IAM role. This IAM resource only needs to be created and linked only once per user. If another user in your Red{nbsp}Hat organization has already created and linked an `ocm-role` IAM resource, you need to ensure you have created and linked your own `user-role` IAM role.
View Git Blame Copy Permalink