Troubleshoot ROSA enablement errors in the ROSA console

ROSA uses AWS Marketplace to facilitate subscription management, billing, and metering. When you enable ROSA, the AWS ROSA console page subscribes to a ROSA listing on AWS Marketplace. If your IAM principal is missing required aws-marketplace subscription permissions when you enable ROSA in the ROSA console, the console generates an error message.

This section covers how to troubleshoot AWS Marketplace subscription permission issues that you might encounter when you choose Enable ROSA in the ROSA console.

With ROSA, you can also receive troubleshooting support from AWS Support and the Red Hat support teams. For more information, see Support for ROSA.

AWS Organizations service control policy (SCP) is denying required AWS Marketplace permissions

Description

If your AWS Organizations service control policy (SCP) isn’t configured to allow the required aws-marketplace:Subscribe permission when you choose Enable ROSA , the ROSA console generates the following error message: An error occurred while enabling Red Hat OpenShift Service on AWS (ROSA), because an AWS Organizations Service Control Policy (SCP) is denying required permissions. Contact your AWS Organizations management account administrator, and consult the documentation for troubleshooting.

Solution

Your organization’s management account administrator can enable ROSA in the organization’s management account. Then, they can use AWS License Manager to grant and activate ROSA subscriptions for other accounts within the organization.

Contact your account administrator and request that they take the following actions to grant ROSA entitlement and activate your license.

Grant entitlement through AWS License Manager

1. Log in to your organization’s management account.

2. Navigate to the ROSA console.

3. Choose Get started.

4. On the Verify ROSA prerequisites page, select I agree to share my contact information with Red Hat.

5. Choose Enable ROSA .

6. In the Enable ROSA across your AWS organization dialog, choose Grant entitlements. This action creates the service-linked roles that are needed for the account to share subscriptions with other accounts, and launches the AWS License Manager console.

7. From the AWS License Manager console, select the ROSA granted license to view the product details page.

8. Under Grants, choose Create grant.

9. To grant the ROSA license to an individual AWS account in your organization, enter a grant name and the account ID. If you want to grant the license to all organization accounts at once, enter your organization ID or ARN.

10. Select the Auto acceptance checkbox and choose Create grant.

    

11. If the Link AWS Organizations accounts dialog box appears, choose Link to enable auto-acceptance for managed entitlement distributions.

12. Choose Create grant.

Activate account licenses

Before individuals can start using the distributed ROSA license, the license needs to be activated. After this is done, application owners can deploy ROSA clusters using the ROSA CLI.

In License Manager, licenses can be activated in bulk by the organization administrator. Or, licenses can be activated individually by either the administrator or an individual user. Follow these steps to bulk activate licenses on multiple accounts at once.

1. Go to your organization’s parent grant page in License Manager.

2. On the left menu, choose Granted licenses.

3. Choose the ROSA granted license.

4. Under Grants, choose the ROSA grant.

5. Choose Activate.

6. In the Activate grant dialog box, enter activate and choose Activate.

After the grant is activated, ROSA is enabled and can be used among all organization users who received the ROSA entitlement.

User or role does not have the required AWS Marketplace permissions

Description

If your IAM principal doesn’t have the required aws-marketplace:Subscribe permission when you choose Enable ROSA , the ROSA console generates the following error message: An error occurred while enabling Red Hat OpenShift Service on AWS (ROSA), because your user or role does not have the required permissions.

Solution

1. Navigate to the ROSA console and attach the AWS managed policy ROSAManageSubscription to your IAM identity. For more information about ROSAManageSubscription, see AWS managed policy: ROSAManageSubscription.

   Note

   ROSAManageSubscription does not yet grant permission to subscribe to the ROSA with hosted control planes Marketplace product. If you would like to enable ROSA with hosted control planes, ensure that your user or role has permission to call aws-marketplace:Subscribe for ProductId: "bfdca560-2c78-4e64-8193-794c159e6d30".

2. Choose Get started.

3. On the Verify ROSA prerequisites page, select I agree to share my contact information with Red Hat.

4. Choose Enable ROSA .

If you don’t have permission to view or to update your permission set in IAM, contact your AWS account administrator and ask them to enable ROSA for your account.

Required AWS Marketplace permissions blocked by an administrator

Description

If your account administrator blocked the required aws-marketplace:Subscribe permission, the ROSA console generates the following error message when you choose Enable ROSA : An error occurred while enabling Red Hat OpenShift Service on AWS (ROSA), because required permissions have been blocked by an administrator. ROSAManageSubscription, an AWS managed policy, includes the permissions required to enable ROSA. Consult the documentation and try again.

Solution

Contact your AWS account administrator and ask them to take the following action:

1. Navigate to the ROSA console.

2. Choose Get started.

3. On the Verify ROSA prerequisites page, select I agree to share my contact information with Red Hat.

4. Choose Enable ROSA . This action enables ROSA for all IAM identities under the AWS account.