Home GitHub

Disclaimer: Mobb.ninja is not official Red Hat documentation - These guides may be experimental, proof of concept or early adoption. Officially supported documentation is available at https://docs.openshift.com.

Work Around to fix the issue with the logging-addon on ROSA STS Clusters

Currently, the logging-addon is not working on ROSA STS clusters. This is due to permissions missing from the Operator itself. This is a work around to provide credentials to the addon.

Note: This is not a Red Hat SRE approved workaround, please consult Red Hat support before using this outside of testing purposes.


  1. An STS based ROSA Cluster


  1. Uninstall the logging-addon from the cluster

     rosa uninstall addon -c <mycluster> cluster-logging-operator -y
  2. Create a IAM Trust Policy document

    cat << EOF > /tmp/trust-policy.json
     "Version": "2012-10-17",
     "Statement": [
             "Effect": "Allow",
             "Action": [
             "Resource": "arn:aws:logs:*:*:*"
  3. Create IAM Policy

     POLICY_ARN=$(aws iam create-policy --policy-name "RosaCloudWatchAddon" --policy-document file:///tmp/trust-policy.json --query Policy.Arn --output text)
     echo $POLICY_ARN
  4. Create service account

     aws iam create-user --user-name RosaCloudWatchAddon  \
       --query User.Arn --output text
  5. Attach policy to user

     aws iam attach-user-policy --user-name RosaCloudWatchAddon \
       --policy-arn ${POLICY_ARN}
  6. Create access key and save the output (Paste the AccessKeyId and SecretAccessKey into values.yaml)

     aws iam create-access-key --user-name RosaCloudWatchAddon
     export AWS_ID=<from above>
     export AWS_KEY=<from above>
  7. Create a secret for the addon to use

    cat << EOF | kubectl apply -f -
    apiVersion: v1
    kind: Secret
     name: instance
     namespace: openshift-logging
      aws_access_key_id: ${AWS_ID}
      aws_secret_access_key: ${AWS_KEY}
      credentials: |
     aws_access_key_id = ${AWS_ID}
     aws_secret_access_key = ${AWS_KEY}
  8. Install the logging-addon from the cluster

     rosa install addon -c <mycluster> cluster-logging-operator -y

    Accept the defaults (or change them as appropriate)

     ? Use AWS CloudWatch: Yes
     ? Collect Applications logs: Yes
     ? Collect Infrastructure logs: Yes
     ? Collect Audit logs (optional): No
     ? CloudWatch region (optional):
     I: Add-on 'cluster-logging-operator' is now installing. To check the status run 'rosa list addons -c mycluster'