Work Around to fix the issue with the logging-addon on ROSA STS Clusters

Authors: Connor Wooley
Last Editor: Dustin Scott
Published Date: 2 November 2021
Modified Date: 25 May 2023

Currently, the logging-addon does not work on ROSA STS clusters because the Operator itself is missing permissions. This workaround provides credentials to the addon.

  1. An STS-based ROSA cluster


  1. Uninstall the logging-addon from the cluster

    rosa uninstall addon -c <mycluster> cluster-logging-operator -y
  2. Create an IAM Trust Policy document

    cat << EOF > /tmp/trust-policy.json
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": ["<CloudWatch Logs actions required by the addon>"],
                "Resource": "arn:aws:logs:*:*:*"
            }
        ]
    }
    EOF
  3. Create IAM Policy

    POLICY_ARN=$(aws iam create-policy --policy-name "RosaCloudWatchAddon" --policy-document file:///tmp/trust-policy.json --query Policy.Arn --output text)
    echo $POLICY_ARN
  4. Create service account

    aws iam create-user --user-name RosaCloudWatchAddon  \
      --query User.Arn --output text
  5. Attach policy to user

    aws iam attach-user-policy --user-name RosaCloudWatchAddon \
      --policy-arn ${POLICY_ARN}
  6. Create access key and save the output (Paste the AccessKeyId and SecretAccessKey into values.yaml)

    aws iam create-access-key --user-name RosaCloudWatchAddon
    export AWS_ID=<from above>
    export AWS_KEY=<from above>
  7. Create a secret for the addon to use

    cat << EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
    metadata:
      name: instance
      namespace: openshift-logging
    stringData:
      aws_access_key_id: ${AWS_ID}
      aws_secret_access_key: ${AWS_KEY}
    EOF
  8. Install the logging-addon on the cluster

    rosa install addon -c <mycluster> cluster-logging-operator -y

    Accept the defaults (or change them as appropriate)

    ? Use AWS CloudWatch: Yes
    ? Collect Applications logs: Yes
    ? Collect Infrastructure logs: Yes
    ? Collect Audit logs (optional): No
    ? CloudWatch region (optional):
    I: Add-on 'cluster-logging-operator' is now installing. To check the status run 'rosa list addons -c mycluster'
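
A guard for steps 6 and 7, as an added example that is not part of the original guide: the heredoc in step 7 expands unset variables to empty strings, so this refuses to render the Secret unless both values look like real credentials. The function names are hypothetical, and the format checks (long-term key IDs start with `AKIA`, secret keys use only base64 characters) are assumptions.

```shell
#!/bin/sh
# Added example: validate AWS_ID / AWS_KEY before the Secret is applied.
# Function names are hypothetical; format rules below are assumptions.

# valid_access_key_id ID -> 0 if ID looks like a long-term IAM user key ID.
# Assumption: "AKIA" prefix, 16-128 characters in total, upper-case
# letters and digits only.
valid_access_key_id() {
  printf '%s' "$1" | grep -Eq '^AKIA[A-Z0-9]{12,124}$'
}

# valid_secret_key KEY -> 0 if KEY is non-empty and contains only base64
# characters. This rejects empty values, whitespace and the "<from above>"
# placeholder left in place by a missed copy-paste.
valid_secret_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9/+=]+$'
}

# render_logging_secret ID KEY -> prints the Secret manifest on stdout.
# Fails with a message on stderr, printing no manifest, if either value
# is malformed.
render_logging_secret() {
  valid_access_key_id "$1" || { echo "bad or missing access key ID" >&2; return 1; }
  valid_secret_key "$2" || { echo "bad or missing secret access key" >&2; return 1; }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: instance
  namespace: openshift-logging
stringData:
  aws_access_key_id: "$1"
  aws_secret_access_key: "$2"
EOF
}

# Usage on the cluster (not executed here):
#   manifest=$(render_logging_secret "$AWS_ID" "$AWS_KEY") &&
#     printf '%s\n' "$manifest" | kubectl apply -f -
```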