mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
76 lines
2.5 KiB
Plaintext
76 lines
2.5 KiB
Plaintext
// Module included in the following assemblies:
|
|
// * rosa_planning/rosa-hcp-prepare-iam-resources.adoc
|
|
// * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
|
|
|
|
|
|
ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
|
|
:egress-lockdown:
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
|
|
= Creating the account-wide STS roles and policies
|
|
|
|
Before you create your {hcp-title-first} cluster, you must create the required account-wide roles and policies.
|
|
|
|
[NOTE]
|
|
====
|
|
Specific AWS-managed policies for {hcp-title} must be attached to each role. Customer-managed policies must not be used with these required account roles. For more information regarding AWS-managed policies for {hcp-title} clusters, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol-account-policies.html[AWS managed policies for ROSA].
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You have completed the AWS prerequisites for {hcp-title}.
|
|
* You have available AWS service quotas.
|
|
* You have enabled the ROSA service in the AWS Console.
|
|
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
|
|
* You have logged in to your Red{nbsp}Hat account by using the ROSA CLI.
|
|
|
|
.Procedure
|
|
|
|
. If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa create account-roles --hosted-cp
|
|
----
|
|
|
|
ifdef::egress-lockdown[]
|
|
. Ensure that the your worker role has the correct AWS policy by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ aws iam attach-role-policy \
|
|
--role-name ManagedOpenShift-HCP-ROSA-Worker-Role \ <1>
|
|
--policy-arn "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
|
|
----
|
|
<1> This role needs to include the prefix that was created in the previous step.
|
|
endif::egress-lockdown[]
|
|
|
|
. Optional: Set your prefix as an environmental variable by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ export ACCOUNT_ROLES_PREFIX=<account_role_prefix>
|
|
----
|
|
|
|
** View the value of the variable by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ echo $ACCOUNT_ROLES_PREFIX
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
ManagedOpenShift
|
|
----
|
|
|
|
For more information regarding AWS managed IAM policies for ROSA, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for ROSA].
|
|
|
|
ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
|
|
:!egress-lockdown:
|
|
endif::[]
|