Cloud Experts Documentation

STS

Deploying ROSA in STS mode

Tip The official documentation for installing a ROSA cluster in STS mode can be found here .

Quick Introduction by Ryan Niksch (AWS) and Shaozen Ding (Red Hat) on YouTubeexternal link (opens in new tab)

STS allows us to deploy ROSA without needing a ROSA admin account, instead it uses roles and policies with Amazon STS (secure token service) to gain access to the AWS resources needed to install and operate the cluster.

Deploying OpenShift Virtualization on ROSA (CLI)

OpenShift Virtualization is a feature of OpenShift that allows you to run virtual machines alongside your containers. This is useful for running legacy applications that can’t be containerized, or for running applications that require special hardware or software that isn’t available in a container.

In this tutorial, I’ll show you how to deploy OpenShift Virtualization on Red Hat OpenShift on AWS (ROSA). I’ll show you how to create a ROSA cluster, deploy the OpenShift Virtualization operator, and create a virtual machine.

Deploying OpenShift Virtualization on ROSA (GUI)

OpenShift Virtualization is a feature of OpenShift that allows you to run virtual machines alongside your containers. This is useful for running legacy applications that can’t be containerized, or for running applications that require special hardware or software that isn’t available in a container.

In this tutorial, I’ll show you how to deploy OpenShift Virtualization on Red Hat OpenShift on AWS (ROSA) using the OpenShift Console. I’ll show you how to deploy the OpenShift Virtualization operator, and create a virtual machine all from inside the Red Hat Cluster Manager and OpenShift Console

Prerequisites Checklist to Deploy ROSA Cluster with STS

Background

This is a quick checklist of prerequisites needed to spin up a classic Red Hat OpenShift Service on AWS (ROSA) cluster with STSexternal link (opens in new tab) . Note that this is a high level checklist and your implementation may vary.

Before running the installation process, make sure that you deploy this from a machine that has access to:

Connect to RDS database with STS from ROSA

The Amazon Web Services Relational Database Service (AWS RDS) can be consumed from Red Hat OpenShift Service on AWS (ROSA) and authenticate to DB with Security Token Service (STS).

This is a guide to quickly connect to RDS Database (Postgres engine) from ROSA.

Amazon Web Services Relational Database Service

Amazon Web Services Relational Database Service (AWS RDS) is a distributed relational database service by Amazon Web Services. It is designed to simplify setup, operation, and scaling of a relational database for use in applications. It supports differents database engines such as Amazon Aurora, MySQL, MariaDB, Oracle, Microsoft SQL Server, and PostgreSQL.

Verify Permissions for ROSA STS Deployment

To proceed with the deployment of a ROSA cluster, an account must support the required roles and permissions. AWS Service Control Policies (SCPs) cannot block the API calls made by the installer or operator roles.

Details about the IAM resources required for an STS-enabled installation of ROSA can be found here: https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html

This guide is validated for ROSA v4.11.X.

Prerequisites

Verify ROSA Permissions

To verify the permissions required for ROSA we can run the script below without ever creating any AWS resources.

STS OIDC in ROSA : How it works!

If you prefer a more visual medium, you can watch this video on YouTubeexternal link (opens in new tab) .


This short video talks about how the STSexternal link (opens in new tab) OIDC flow work in ROSA (Red Hat OpenShift Service on AWS).

Deploying OpenShift API for Data Protection on a ROSA cluster

Prerequisites

Getting Started

  1. Create the following environment variables

    Change the cluster name to match your ROSA cluster and ensure you’re logged into the cluster as an Administrator. Ensure all fields are outputted correctly before moving on.

Prepare AWS Account

  1. Create an IAM Policy to allow for S3 Access

    Extending ROSA STS to include authentication with AWS Services

    In this example we will deploy the Amazon Ingress Controller that uses ALBs, and configure it to use STS authentication.

    Deployment

    Configure STS

    1. Make sure your cluster has the pod identity webhook

    2. Download the IAM Policy for the AWS Load Balancer Hooks

    3. Create AWS Role with inline policy

    4. Create AWS Policy and Service Account

      Integrating with AWS resources using Pod Identity

      Prerequisites

      Creating a ROSA cluster with PrivateLink enabled (custom VPC) and STS

      This is a combination of the private-link and sts setup documents to show the full picture

      architecture diagram showing privatelink with public subnet

      Prerequisites

      AWS Preparation

      1. If this is a brand new AWS account that has never had a AWS Load Balancer installed in it, you should run the following

Interested in contributing to these docs?

Collaboration drives progress. Help improve our documentation The Red Hat Way.

Red Hat logo LinkedIn YouTube Facebook Twitter

Products

Tools

Try, buy & sell

Communicate

About Red Hat

We’re the world’s leading provider of enterprise open source solutions—including Linux, cloud, container, and Kubernetes. We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Subscribe to our newsletter, Red Hat Shares

Sign up now
© 2026 Red Hat