rosa-sts-aws-prereqs.adoc

_attributes/attributes-openshift-dedicated.adoc :context: rosa-sts-aws-prereqs

AWS prerequisites for ROSA with STS

{product-title} (ROSA) provides a model that allows Red Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.

snippets/rosa-sts.adoc

Ensure that the following AWS prerequisites are met before installing ROSA with STS.

modules/rosa-aws-understand.adoc

Important

When you create a ROSA cluster using AWS STS, an associated AWS OpenID Connect (OIDC) identity provider is created as well. This OIDC provider configuration relies on a public key that is located in the us-east-1 AWS region. Customers with AWS SCPs must allow the use of the us-east-1 AWS region, even if these clusters are deployed in a different region.

Customer requirements when using STS for deployment

The following prerequisites must be complete before you deploy a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS).

modules/rosa-sts-aws-requirements-account.adoc

Additional resources

• Limits and scalability

• Creating the service role for the elastic load balancer (ELB)

modules/rosa-sts-aws-requirements-association-concept.adoc modules/rosa-sts-aws-requirements-creating-association.adoc modules/rosa-sts-aws-requirements-creating-multi-association.adoc modules/rosa-sts-aws-requirements-access-req.adoc

Additional resources

• See Configuring custom domains for applications

modules/rosa-sts-aws-requirements-support-req.adoc modules/rosa-sts-aws-requirements-security-req.adoc

Additional resources

• AWS firewall prerequisites

modules/rosa-requirements-deploying-in-opt-in-regions.adoc modules/rosa-setting-the-aws-security-token-version.adoc modules/rosa-sts-aws-iam.adoc modules/rosa-aws-provisioned.adoc modules/osd-aws-privatelink-firewall-prerequisites.adoc

Next steps

• Review the required AWS service quotas

Additional resources

• SRE access to all Red Hat OpenShift Service on AWS clusters

• Configuring custom domains for applications