From 8a31c10b07d4c8472ae5fcff304e588d01a455d5 Mon Sep 17 00:00:00 2001
From: EricPonvelle
Date: Tue, 3 Mar 2026 14:06:25 -0600
Subject: [PATCH] Updated OCM-role requirements throughout the ROSA docs
---
 modules/rosa-sts-about-ocm-role.adoc | 3 ++-
 modules/rosa-sts-ocm-role-creation.adoc | 5 +++++
 modules/rosa-sts-understanding-ocm-role.adoc | 2 +-
 rosa_architecture/rosa-sts-about-iam-resources.adoc | 12 ++++++------
 rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc | 1 +
 rosa_hcp/rosa-hcp-cluster-no-cni.adoc | 2 ++
 .../rosa-hcp-creating-cluster-with-aws-kms-key.adoc | 2 ++
 rosa_hcp/rosa-hcp-egress-zero-install.adoc | 4 +++-
 rosa_hcp/rosa-hcp-quickstart-guide.adoc | 1 +
 .../rosa-hcp-sts-creating-a-cluster-ext-auth.adoc | 1 +
 .../rosa-hcp-sts-creating-a-cluster-quickly.adoc | 2 ++
 .../rosa-aws-privatelink-creating-cluster.adoc | 1 +
 .../rosa-sts-creating-a-cluster-quickly.adoc | 1 +
 ...a-sts-creating-a-cluster-with-customizations.adoc | 1 +
 14 files changed, 29 insertions(+), 9 deletions(-)
diff --git a/modules/rosa-sts-about-ocm-role.adoc b/modules/rosa-sts-about-ocm-role.adoc
index 8967770a2b09..edd98e5d398e 100644
--- a/modules/rosa-sts-about-ocm-role.adoc
+++ b/modules/rosa-sts-about-ocm-role.adoc
@@ -12,6 +12,7 @@ Some considerations for your `ocm-role` IAM resource are:
 * Only one `ocm-role` IAM role can be linked per Red{nbsp}Hat organization; however, you can have any number of `ocm-role` IAM roles per AWS account. The web UI requires that only one of these roles can be linked at a time.
 * Any user in a Red{nbsp}Hat organization may create and link an `ocm-role` IAM resource.
+* You must create an `ocm-role` before you can create a {product-title} cluster.
 * Only the Red{nbsp}Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red{nbsp}Hat organization members from disturbing the interface capabilities of other users.
 +
 [NOTE]
@@ -21,7 +22,7 @@ If you just created a Red{nbsp}Hat account that is not part of an existing organ
 +
 * See "Understanding the {cluster-manager} role" in the Additional resources of this section for a list of the AWS permissions policies for the basic and admin `ocm-role` IAM resources.
-Using the ROSA CLI (`rosa`), you can link your IAM resource when you create it.
+Using the {rosa-cli-first}, you can link your IAM resource when you create it.
 [NOTE]
 ====
diff --git a/modules/rosa-sts-ocm-role-creation.adoc b/modules/rosa-sts-ocm-role-creation.adoc
index 60b2146040f9..3b7e9cd25708 100644
--- a/modules/rosa-sts-ocm-role-creation.adoc
+++ b/modules/rosa-sts-ocm-role-creation.adoc
@@ -10,6 +10,11 @@
 [role="_abstract"]
 You create your `ocm-role` IAM roles by using the {rosa-cli-first}.
+[IMPORTANT]
+====
+You must create the `ocm-role` IAM role before you can create your {product-title} cluster.
+====
+
 .Prerequisites
 * You have an AWS account.
diff --git a/modules/rosa-sts-understanding-ocm-role.adoc b/modules/rosa-sts-understanding-ocm-role.adoc
index a90048638357..d0a37fb444fe 100644
--- a/modules/rosa-sts-understanding-ocm-role.adoc
+++ b/modules/rosa-sts-understanding-ocm-role.adoc
@@ -6,7 +6,7 @@
 [id="rosa-sts-understanding-ocm-role_{context}"]
 = Understanding the {cluster-manager} role
-Creating ROSA clusters in {cluster-manager-url} require an `ocm-role` IAM role. The basic `ocm-role` IAM role permissions let you to perform cluster maintenance within {cluster-manager}. To automatically create the operator roles and OpenID Connect (OIDC) provider, you must add the `--admin` option to the `rosa create` command. This command creates an `ocm-role` resource with additional permissions needed for administrative tasks.
+Creating {product-title} clusters in {cluster-manager-url} require an `ocm-role` IAM role. The basic `ocm-role` IAM role permissions let you to perform cluster maintenance within {cluster-manager}. To automatically create the operator roles and OpenID Connect (OIDC) provider, you must add the `--admin` option to the `rosa create` command. This command creates an `ocm-role` resource with additional permissions needed for administrative tasks.
 [NOTE]
 ====
diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc
index 01dedbf9798e..c298688bba7e 100644
--- a/rosa_architecture/rosa-sts-about-iam-resources.adoc
+++ b/rosa_architecture/rosa-sts-about-iam-resources.adoc
@@ -18,7 +18,7 @@ toc::[]
 [role="_abstract"]
 ifndef::openshift-rosa-hcp[]
-To deploy a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS),
+To deploy a {product-title} cluster that uses the AWS Security Token Service (STS),
 endif::openshift-rosa-hcp[]
 ifdef::openshift-rosa-hcp[]
 {hcp-title-first} uses the AWS Security Token Service (STS) to provide temporary, limited-permission credentials for your cluster. This means that before you deploy your cluster,
@@ -38,7 +38,7 @@ and compute functionality. This includes account-wide Operator policies.
 This document provides reference information about the IAM resources that you must deploy
 ifdef::openshift-rosa[]
-when you create a ROSA cluster that uses STS.
+when you create a {product-title} cluster that uses STS.
 endif::openshift-rosa[]
 ifdef::openshift-rosa-hcp[]
 when you create a {hcp-title} cluster.
@@ -58,12 +58,12 @@ endif::openshift-rosa-hcp[]
 [id="rosa-sts-ocm-roles-and-permissions_{context}"]
 == {cluster-manager} roles and permissions
-If you create ROSA clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. For more information, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account].
+If you create {product-title} clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. For more information, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account].
 These AWS IAM roles are as follows:
-* The ROSA user role (`user-role`) is an AWS role used by Red{nbsp}Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red{nbsp}Hat installer account.
-* An `ocm-role` resource grants the required permissions for installation of ROSA clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well.
+* The {product-title} user role (`user-role`) is an AWS role used by Red{nbsp}Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red{nbsp}Hat installer account.
+* An `ocm-role` resource grants the required permissions for installation of {product-title} clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well.
 +
 [NOTE]
 ====
@@ -136,7 +136,7 @@ endif::openshift-rosa[]
 [id="rosa-sts-oidc-provider-requirements-for-operators_{context}"]
 == Open ID Connect (OIDC) requirements for Operator authentication
-For ROSA installations that use STS, you must create a cluster-specific OIDC provider that is used by the cluster Operators to authenticate or create your own OIDC configuration for your own OIDC provider.
+For {product-title} installations that use STS, you must create a cluster-specific OIDC provider that is used by the cluster Operators to authenticate or create your own OIDC configuration for your own OIDC provider.
 include::modules/rosa-sts-oidc-provider-command.adoc[leveloffset=+2]
diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
index 23cd555d8f22..c7da73aa667f 100644
--- a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
+++ b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
@@ -9,6 +9,7 @@ toc::[]
 [role="_abstract"]
 For {product-title} workloads that do not require public internet access, you can create a private cluster.
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
 include::modules/rosa-hcp-aws-private-create-cluster.adoc[leveloffset=+1]
 include::modules/rosa-hcp-aws-private-security-groups.adoc[leveloffset=+1]
 include::modules/rosa-additional-principals-overview.adoc[leveloffset=+1]
diff --git a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc
index 4f3f35defe98..901b6a0ed34f 100644
--- a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc
+++ b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc
@@ -29,6 +29,8 @@ If you choose to use your own CNI for {product-title} clusters, it is strongly r
 * Ensure that you have a configured xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc_rosa-hcp-sts-creating-a-cluster-quickly[virtual private cloud] (VPC).
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
+
 include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
diff --git a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
index 1074456c30e2..b5e710313e2d 100644
--- a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
+++ b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
@@ -58,6 +58,8 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
 * link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
 * link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]
+
 include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
diff --git a/rosa_hcp/rosa-hcp-egress-zero-install.adoc b/rosa_hcp/rosa-hcp-egress-zero-install.adoc
index e37da5e20745..c523b0b5077b 100644
--- a/rosa_hcp/rosa-hcp-egress-zero-install.adoc
+++ b/rosa_hcp/rosa-hcp-egress-zero-install.adoc
@@ -43,7 +43,7 @@ include::modules/rosa-glossary-disconnected.adoc[leveloffset=+1]
 include::modules/rosa-hcp-set-environment-variables.adoc[leveloffset=+1]
-include::modules/rosa-hcp-egress-zero-install-creating.adoc[leveloffset=+2]
+include::modules/rosa-hcp-egress-zero-install-creating.adoc[leveloffset=+1]
 [role="_additional-resources"]
 .Additional resources
@@ -98,6 +98,8 @@ include::modules/vpc-troubleshooting.adoc[leveloffset=+2]
 * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting {product-title} cluster installations]
 * xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
+
 include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
diff --git a/rosa_hcp/rosa-hcp-quickstart-guide.adoc b/rosa_hcp/rosa-hcp-quickstart-guide.adoc
index 52380ec39e6f..98954f9c7056 100644
--- a/rosa_hcp/rosa-hcp-quickstart-guide.adoc
+++ b/rosa_hcp/rosa-hcp-quickstart-guide.adoc
@@ -53,6 +53,7 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
 * link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
 * link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
 include::modules/rosa-operator-config.adoc[leveloffset=+1]
 include::modules/rosa-hcp-sts-creating-a-cluster-cli.adoc[leveloffset=+1]
diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
index 9105d01eda35..3664f3454b82 100644
--- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
+++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
@@ -32,6 +32,7 @@ To create a {product-title} cluster, you must have completed the following steps
 * xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc_rosa-hcp-sts-creating-a-cluster-quickly[Configured virtual private cloud (VPC)]
 * Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles]
+* Created the xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-sts-ocm-roles-and-permissions-iam-basic-role_prepare-role-resources[ocm-role IAM role]
 * Created an xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration]
 * Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles]
diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
index 41f6f67aa582..bbbc24d1bc09 100644
--- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
+++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
@@ -79,6 +79,8 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
 * link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
 * link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]
+
 include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
diff --git a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc
index e447a59c7224..ce1a4bd4ac66 100644
--- a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc
+++ b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc
@@ -10,6 +10,7 @@ This document describes how to create a ROSA cluster using AWS PrivateLink.
 include::modules/osd-aws-privatelink-about.adoc[leveloffset=+1]
 include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
 include::modules/rosa-aws-privatelink-create-cluster.adoc[leveloffset=+1]
 include::modules/osd-aws-privatelink-config-dns-forwarding.adoc[leveloffset=+1]
diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
index d1a14b828ed4..07ec6820667e 100644
--- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
+++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc
@@ -54,6 +54,7 @@ If you need additional xref:../support/getting-support.adoc#getting-support[supp
 include::modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc[leveloffset=+1]
 include::modules/rosa-sts-associating-your-aws-account.adoc[leveloffset=+2]
 include::modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]
 include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
 include::modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc[leveloffset=+2]
 include::modules/rosa-sts-creating-a-cluster-quickly-cli.adoc[leveloffset=+1]
diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
index be2ab1f0206a..74158e5e8524 100644
--- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
+++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc
@@ -12,6 +12,7 @@ With the procedures in this document, you can also choose between the `auto` and
 include::modules/rosa-understanding-deployment-modes.adoc[leveloffset=+1]
 include::modules/rosa-creating-operator-roles-and-oidc-manually-ocm.adoc[leveloffset=+2]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
 include::modules/rosa-sts-understanding-aws-account-association.adoc[leveloffset=+1]
 [role="_additional-resources"]