mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
159 lines
6.4 KiB
Plaintext
159 lines
6.4 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
|
|
// * rosa_hcp/rosa-hcp-deleting-cluster.adoc
|
|
|
|
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
|
|
:hcp:
|
|
endif::[]
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="rosa-unlinking-and-deleting-ocm-and-user-iam-roles_{context}"]
|
|
= Unlinking and deleting the {cluster-manager} and user IAM roles
|
|
|
|
When you install a
|
|
ifndef::hcp[]
|
|
{rosa-classic-short}
|
|
endif::hcp[]
|
|
ifdef::hcp[]
|
|
{rosa-short}
|
|
endif::hcp[]
|
|
cluster by using {cluster-manager-first}, you also create {cluster-manager} and user Identity and Access Management (IAM) roles that link to your Red{nbsp}Hat organization. After deleting your cluster, you can unlink and delete the roles by using the ROSA CLI (`rosa`).
|
|
|
|
[IMPORTANT]
|
|
====
|
|
The {cluster-manager} and user IAM roles are required if you want to use {cluster-manager} to install and manage other
|
|
ifndef::hcp[]
|
|
{rosa-classic-short} clusters
|
|
endif::hcp[]
|
|
ifdef::hcp[]
|
|
{rosa-short}
|
|
endif::hcp[]
|
|
in the same AWS account. Only remove the roles if you no longer need to use the {cluster-manager} to install
|
|
ifndef::hcp[]
|
|
{rosa-classic-short} clusters.
|
|
endif::hcp[]
|
|
ifdef::hcp[]
|
|
{rosa-short} clusters.
|
|
endif::hcp[]
|
|
====
|
|
|
|
.Prerequisites
|
|
|
|
* You created {cluster-manager} and user IAM roles and linked them to your Red{nbsp}Hat organization.
|
|
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
|
|
* You have organization administrator privileges in your Red{nbsp}Hat organization.
|
|
|
|
.Procedure
|
|
|
|
. Unlink the {cluster-manager} IAM role from your Red{nbsp}Hat organization and delete the role:
|
|
.. List the {cluster-manager} IAM roles in your AWS account:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa list ocm-roles
|
|
----
|
|
+
|
|
ifndef::hcp[]
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Fetching ocm roles
|
|
ROLE NAME ROLE ARN LINKED ADMIN
|
|
ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> Yes Yes
|
|
----
|
|
+
|
|
endif::hcp[]
|
|
ifdef::hcp[]
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Fetching ocm roles
|
|
ROLE NAME ROLE ARN LINKED ADMIN AWS Managed
|
|
ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id> Yes Yes Yes
|
|
----
|
|
endif::hcp[]
|
|
+
|
|
.. If your {cluster-manager} IAM role is listed as linked in the output of the preceding command, unlink the role from your Red{nbsp}Hat organization by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa unlink ocm-role --role-arn <arn> <1>
|
|
----
|
|
<1> Replace `<arn>` with the Amazon Resource Name (ARN) for your {cluster-manager} IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format `arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>`.
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Unlinking OCM role
|
|
? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' role from organization '<red_hat_organization_id>'? Yes
|
|
I: Successfully unlinked role-arn 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' from organization account '<red_hat_organization_id>'
|
|
----
|
|
+
|
|
.. Delete the {cluster-manager} IAM role and policies:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa delete ocm-role --role-arn <arn>
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Deleting OCM role
|
|
? OCM Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>
|
|
? Delete 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-OCM-Role-<red_hat_organization_external_id>' ocm role? Yes
|
|
? OCM role deletion mode: auto <1>
|
|
I: Successfully deleted the OCM role
|
|
----
|
|
<1> Specifies the deletion mode. You can use `auto` mode to automatically delete the {cluster-manager} IAM role and policies. In `manual` mode, the ROSA CLI generates the `aws` commands needed to delete the role and policies. `manual` mode enables you to review the details before running the `aws` commands manually.
|
|
|
|
. Unlink the user IAM role from your Red{nbsp}Hat organization and delete the role:
|
|
.. List the user IAM roles in your AWS account:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa list user-roles
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Fetching user roles
|
|
ROLE NAME ROLE ARN LINKED
|
|
ManagedOpenShift-User-<ocm_user_name>-Role arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role Yes
|
|
----
|
|
+
|
|
.. If your user IAM role is listed as linked in the output of the preceding command, unlink the role from your Red{nbsp}Hat organization:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa unlink user-role --role-arn <arn> <1>
|
|
----
|
|
<1> Replace `<arn>` with the Amazon Resource Name (ARN) for your user IAM role. The ARN is specified in the output of the preceding command. In the preceding example, the ARN is in the format `arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role`.
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Unlinking user role
|
|
? Unlink the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the current account '<ocm_user_account_id>'? Yes
|
|
I: Successfully unlinked role ARN 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' from account '<ocm_user_account_id>'
|
|
----
|
|
+
|
|
.. Delete the user IAM role:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ rosa delete user-role --role-arn <arn>
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
I: Deleting user role
|
|
? User Role ARN: arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role
|
|
? Delete the 'arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-User-<ocm_user_name>-Role' role from the AWS account? Yes
|
|
? User role deletion mode: auto <1>
|
|
I: Successfully deleted the user role
|
|
----
|
|
<1> Specifies the deletion mode. You can use `auto` mode to automatically delete the user IAM role. In `manual` mode, the ROSA CLI generates the `aws` command needed to delete the role. `manual` mode enables you to review the details before running the `aws` command manually. |