openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
b031f1f82b155c6853566e19ef94f3fe11e5fba7
openshift-docs/modules/rosa-deleting-account-wide-iam-roles-and-policies.adoc

116 lines
5.4 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc
// *rosa_hcp/rosa-hcp-deleting-cluster.adoc
ifeval::["{context}" == "rosa-hcp-deleting-cluster"]
:hcp:
endif::[]
ifeval::["{context}" == "rosa-sts-deleting-cluster"]
:sts:
endif::[]
:_mod-docs-content-type: PROCEDURE
[id="rosa-deleting-account-wide-iam-roles-and-policies_{context}"]
= Deleting the account-wide IAM roles and policies
This section provides steps to delete the account-wide IAM roles and policies that you created for {product-title} deployments, along with the account-wide Operator policies. You can delete the account-wide AWS Identity and Access Management (IAM) roles and policies only after deleting all of the {product-title} clusters that depend on them.
[IMPORTANT]
====
The account-wide IAM roles and policies might be used by other {product-title} clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
====
.Prerequisites
* You have account-wide IAM roles that you want to delete.
* You have installed and configured the latest ROSA CLI (`rosa`) on your installation host.
.Procedure
. Delete the account-wide roles:
.. List the account-wide roles in your AWS account by using the ROSA CLI (`rosa`):
+
[source,terminal]
----
$ rosa list account-roles
----
+
.Example output
ifdef::sts[]
[source,terminal]
----
I: Fetching account roles
ROLE NAME ROLE TYPE ROLE ARN OPENSHIFT VERSION
ManagedOpenShift-ControlPlane-Role Control plane arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-ControlPlane-Role 4.21
ManagedOpenShift-Installer-Role Installer arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Installer-Role 4.21
ManagedOpenShift-Support-Role Support arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Support-Role 4.21
ManagedOpenShift-Worker-Role Worker arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role 4.21
----
endif::sts[]
ifdef::hcp[]
+
[source,terminal]
----
I: Fetching account roles
ROLE NAME ROLE TYPE ROLE ARN OPENSHIFT VERSION AWS Managed
ManagedOpenShift-HCP-ROSA-Installer-Role Installer arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Installer-Role 4.21 Yes
ManagedOpenShift-HCP-ROSA-Support-Role Support arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Support-Role 4.21 Yes
ManagedOpenShift-HCP-ROSA-Worker-Role Worker arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-HCP-ROSA-Worker-Role 4.21 Yes
----
endif::hcp[]
+
.. Delete the account-wide roles by running one of the following commands:
*** For clusters without a shared Virtual Private Cloud (VPC):
+
[source,terminal]
----
$ rosa delete account-roles --prefix <prefix> --mode auto <1>
----
<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
+
*** For clusters with a shared VPC:
+
[source,terminal]
----
$ rosa delete account-roles --prefix <prefix> --delete-hosted-shared-vpc-policies --mode auto <1>
----
<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
+
[IMPORTANT]
====
The account-wide IAM roles might be used by other {product-title} clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
====
+
ifdef::hcp[]
.Example output
[source,terminal]
----
W: There are no classic account roles to be deleted
I: Deleting hosted CP account roles
? Delete the account role 'delete-rosa-HCP-ROSA-Installer-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Installer-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Support-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Support-Role'
? Delete the account role 'delete-rosa-HCP-ROSA-Worker-Role'? Yes
I: Deleting account role 'delete-rosa-HCP-ROSA-Worker-Role'
I: Successfully deleted the hosted CP account roles
----
endif::hcp[]
. Delete the account-wide in-line and Operator policies:
.. Under the *Policies* page in the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console], filter the list of policies by the prefix that you specified when you created the account-wide roles and policies.
+
[NOTE]
====
If you did not specify a custom prefix when you created the account-wide roles, search for the default prefix, `ManagedOpenShift`.
====
+
.. Delete the account-wide policies and Operator policies by using the link:https://console.aws.amazon.com/iamv2/home#/policies[AWS IAM Console]. For more information about deleting IAM policies by using the AWS IAM Console, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-delete.html[Deleting IAM policies] in the AWS documentation.
+
[IMPORTANT]
====
The account-wide and Operator IAM policies might be used by other {product-title} clusters in the same AWS account. Only remove the roles if they are not required by other clusters.
====
View Git Blame Copy Permalink