Troubleshooting ROSA identity and access - Red Hat OpenShift Service on AWS

Troubleshooting ROSA identity and access

Use the following information to help you diagnose and fix common issues that you might encounter when working with ROSA and IAM.

AWS Organizations service control policy denies required AWS Marketplace permissions

If your AWS Organizations service control policy (SCP) doesn’t allow the required AWS Marketplace subscription permissions when you attempt to enable ROSA, the following console error occurs:

An error occurred while enabling ROSA, because a service control policy (SCP) is denying required permissions. Contact your management account administrator, and consult the documentation for troubleshooting.

If you receive this error, then you must contact your administrator for assistance. Your administrator is the person that manages the accounts for your organization. Ask that person to do the following:

  1. Configure the SCP to allow aws-marketplace:Subscribe, aws-marketplace:Unsubscribe, and aws-marketplace:ViewSubscriptions permissions. For more information, see Updating an SCP in the AWS Organizations User Guide.

  2. Enable ROSA in the organization’s management account.

  3. Share the ROSA subscription to member accounts that require access within the organization. For more information, see Sharing subscriptions in an organization in the AWS Marketplace Buyer Guide.
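Before escalating to the management account administrator, it helps to confirm which of the three Marketplace actions the SCP actually withholds. The following Python checker is an added example, not part of the AWS documentation: it applies simplified SCP semantics (an action is permitted only if some Allow statement matches it and no Deny statement does) to a constructed sample policy; Resource, Condition and NotAction elements are assumed absent and are not evaluated.

```python
"""Check whether an SCP document allows the AWS Marketplace actions ROSA needs.

Simplified SCP semantics (an assumption of this example): an action is
permitted only if at least one Allow statement matches it and no Deny
statement matches it. Action names may contain '*' wildcards. Resource,
Condition and NotAction are not evaluated, so a clean result here is
necessary, not sufficient, for the real policy evaluation.
"""
import fnmatch
import json

# The three actions the troubleshooting page says the SCP must allow.
REQUIRED_ACTIONS = (
    "aws-marketplace:Subscribe",
    "aws-marketplace:Unsubscribe",
    "aws-marketplace:ViewSubscriptions",
)

def _as_list(value):
    """IAM lets Statement and Action be a single item or a list."""
    return value if isinstance(value, list) else [value]

def _matches(statement, action):
    """True if any Action pattern in the statement matches (case-insensitive)."""
    patterns = [p.lower() for p in _as_list(statement.get("Action", []))]
    return any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns)

def scp_blocked_actions(policy_json, actions=REQUIRED_ACTIONS):
    """Return {action: reason} for each required action the SCP would block."""
    statements = _as_list(json.loads(policy_json)["Statement"])
    blocked = {}
    for action in actions:
        allowed = any(s.get("Effect") == "Allow" and _matches(s, action) for s in statements)
        denied = any(s.get("Effect") == "Deny" and _matches(s, action) for s in statements)
        if denied:
            blocked[action] = "explicit Deny"
        elif not allowed:
            blocked[action] = "no matching Allow"
    return blocked

# Constructed sample SCP: a blanket Allow plus a Deny on Marketplace writes.
SAMPLE_SCP = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny",
         "Action": ["aws-marketplace:Subscribe", "aws-marketplace:Unsubscribe"],
         "Resource": "*"},
    ],
})

if __name__ == "__main__":
    for action, why in scp_blocked_actions(SAMPLE_SCP).items():
        print(f"{action}: {why}")
```

Feed it the policy document returned by `aws organizations describe-policy` for each SCP attached along the account's OU path; any non-empty result names the statement behaviour the administrator must change.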

User or role does not have the required AWS Marketplace permissions

If your IAM principal doesn’t have the required AWS Marketplace subscription permissions when you attempt to enable ROSA, the following console error occurs:

An error occurred while enabling ROSA, because your user or role does not have the required permissions.

To resolve this issue, follow these steps:

  1. Go to the IAM console and attach the AWS managed policy ROSAManageSubscription to your IAM identity. For more information, see ROSAManageSubscription in the AWS Managed Policy Reference Guide.

  2. Follow the procedure in Step 1: Enable ROSA and configure prerequisites.

If you don’t have permission to view or update your permission set in IAM or you receive an error, then you must contact your administrator for assistance. Ask that person to attach ROSAManageSubscription to your IAM identity and follow the procedure in Step 1: Enable ROSA and configure prerequisites. When an administrator performs this action, it enables ROSA by updating the permission set for all IAM identities under the AWS account.

Required AWS Marketplace permissions blocked by an administrator

If your account administrator blocked the required AWS Marketplace subscription permissions, the following console error occurs when you attempt to enable ROSA:

An error occurred while enabling ROSA because required permissions have been blocked by an administrator. ROSAManageSubscription includes the permissions required to enable ROSA. Consult the documentation and try again.

If you receive this error, then you must contact your administrator for assistance. Ask that person to do the following:

  1. Go to the ROSA console and attach the AWS managed policy ROSAManageSubscription to your IAM identity. For more information, see ROSAManageSubscription in the AWS Managed Policy Reference Guide.

  2. Follow the procedure in Step 1: Enable ROSA and configure prerequisites to enable ROSA. This procedure enables ROSA by updating the permission set for all IAM identities under the AWS account.

Error creating load balancer: AccessDenied

If you haven’t created a load balancer, the AWSServiceRoleForElasticLoadBalancing service-linked role may not exist in your account. The following error occurs if you attempt to create a ROSA cluster without the AWSServiceRoleForElasticLoadBalancing role in your account:

Error creating network Load Balancer: AccessDenied

To resolve this issue, follow these steps:

  1. Check if your account has the AWSServiceRoleForElasticLoadBalancing role.

    aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"

  2. If you don’t have this role, follow the instructions to create the role found in Create the service-linked role in the Elastic Load Balancing User Guide.