# ROSAInstallerPolicy
**Description**: Allows the Red Hat OpenShift Service on AWS (ROSA) installer to manage AWS resources that support ROSA cluster installation. This includes managing instance profiles for ROSA worker nodes.
`ROSAInstallerPolicy` is an [AWS managed policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html#aws-managed-policies).
## Using this policy
You can attach `ROSAInstallerPolicy` to your users, groups, and roles.
## Policy details
+ **Type**: Service role policy
+ **Creation time**: June 06, 2023, 21:00 UTC
+ **Edited time:** February 12, 2026, 18:00 UTC
+ **ARN**: `arn:aws:iam::aws:policy/service-role/ROSAInstallerPolicy`
## Policy version
**Policy version:** v10 (default)
The policy's default version is the version that defines the permissions for the policy. When a user or role with the policy makes a request to access an AWS resource, AWS checks the default version of the policy to determine whether to allow the request.
## JSON policy document
```
{
"Version" : "2012-10-17",
"Statement" : [
{
"Sid" : "ReadPermissions",
"Effect" : "Allow",
"Action" : [
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInternetGateways",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeRegions",
"ec2:DescribeReservedInstancesOfferings",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:DescribeSecurityGroupRules",
"ec2:DescribeSubnets",
"ec2:DescribeVpcAttribute",
"ec2:DescribeVpcs",
"ec2:DescribeInstanceTypeOfferings",
"ec2:DescribeCapacityReservations",
"elasticloadbalancing:DescribeAccountLimits",
"elasticloadbalancing:DescribeLoadBalancers",
"iam:GetOpenIDConnectProvider",
"iam:GetRole",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListHostedZonesByName",
"route53:ListResourceRecordSets",
"route53:GetAccountLimit",
"servicequotas:GetServiceQuota"
],
"Resource" : "*"
},
{
"Sid" : "PassRoleToEC2",
"Action" : [
"iam:PassRole"
],
"Resource" : [
"arn:*:iam::*:role/*-ROSA-Worker-Role"
],
"Effect" : "Allow",
"Condition" : {
"StringEquals" : {
"iam:PassedToService" : [
"ec2.amazonaws.com"
]
}
}
},
{
"Sid" : "ManageInstanceProfiles",
"Effect" : "Allow",
"Action" : [
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetInstanceProfile"
],
"Resource" : [
"arn:aws:iam::*:instance-profile/rosa-service-managed-*"
]
},
{
"Sid" : "CreateInstanceProfiles",
"Effect" : "Allow",
"Action" : [
"iam:CreateInstanceProfile",
"iam:TagInstanceProfile"
],
"Resource" : [
"arn:aws:iam::*:instance-profile/rosa-service-managed-*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "GetSecretValue",
"Effect" : "Allow",
"Action" : [
"secretsmanager:GetSecretValue"
],
"Resource" : [
"*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "Route53ManageRecords",
"Effect" : "Allow",
"Action" : [
"route53:ChangeResourceRecordSets"
],
"Resource" : "*",
"Condition" : {
"ForAllValues:StringLike" : {
"route53:ChangeResourceRecordSetsNormalizedRecordNames" : [
"*.openshiftapps.com",
"*.devshift.org",
"*.hypershift.local",
"*.openshiftusgov.com",
"*.devshiftusgov.com"
]
}
}
},
{
"Sid" : "Route53Manage",
"Effect" : "Allow",
"Action" : [
"route53:ChangeTagsForResource",
"route53:CreateHostedZone",
"route53:DeleteHostedZone"
],
"Resource" : "*"
},
{
"Sid" : "CreateTags",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : [
"RunInstances"
]
}
}
},
{
"Sid" : "RunInstancesNoCondition",
"Effect" : "Allow",
"Action" : "ec2:RunInstances",
"Resource" : [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:snapshot/*"
]
},
{
"Sid" : "RunInstancesRestrictedRequestTag",
"Effect" : "Allow",
"Action" : "ec2:RunInstances",
"Resource" : [
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "RunInstancesRedHatOwnedAMIs",
"Effect" : "Allow",
"Action" : [
"ec2:RunInstances"
],
"Resource" : [
"arn:aws:ec2:*:*:image/*"
],
"Condition" : {
"StringEquals" : {
"ec2:Owner" : [
"531415883065",
"251351625822",
"210686502322"
]
}
}
},
{
"Sid" : "ManageInstancesRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"ec2:TerminateInstances",
"ec2:GetConsoleOutput"
],
"Resource" : "arn:aws:ec2:*:*:instance/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "CreateGrantRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"kms:CreateGrant"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat" : "true"
},
"StringLike" : {
"kms:ViaService" : "ec2.*.amazonaws.com"
},
"Bool" : {
"kms:GrantIsForAWSResource" : true
}
}
},
{
"Sid" : "ManagedKMSRestrictedResourceTag",
"Effect" : "Allow",
"Action" : [
"kms:DescribeKey",
"kms:GenerateDataKeyWithoutPlaintext"
],
"Resource" : "*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat" : "true"
}
}
},
{
"Sid" : "CreateSecurityGroups",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:RequestTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "DeleteSecurityGroup",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "SecurityGroupIngressEgress",
"Effect" : "Allow",
"Action" : [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RevokeSecurityGroupEgress"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group*/*"
],
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
},
{
"Sid" : "CreateSecurityGroupsVPCNoCondition",
"Effect" : "Allow",
"Action" : [
"ec2:CreateSecurityGroup"
],
"Resource" : [
"arn:aws:ec2:*:*:vpc/*"
]
},
{
"Sid" : "CreateTagsRestrictedActions",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:security-group/*"
],
"Condition" : {
"StringEquals" : {
"ec2:CreateAction" : [
"CreateSecurityGroup"
]
}
}
},
{
"Sid" : "CreateTagsK8sSubnet",
"Effect" : "Allow",
"Action" : [
"ec2:CreateTags"
],
"Resource" : [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"ForAllValues:StringLike" : {
"aws:TagKeys" : [
"kubernetes.io/cluster/*"
]
}
}
},
{
"Sid" : "DeleteTagsK8sSubnet",
"Effect" : "Allow",
"Action" : [
"ec2:DeleteTags"
],
"Resource" : [
"arn:aws:ec2:*:*:subnet/*"
],
"Condition" : {
"Null" : {
"aws:TagKeys" : "false"
},
"ForAllValues:StringLike" : {
"aws:TagKeys" : [
"kubernetes.io/cluster/*"
]
}
}
},
{
"Sid" : "ListPoliciesAttachedToRoles",
"Effect" : "Allow",
"Action" : [
"iam:ListAttachedRolePolicies",
"iam:ListRolePolicies"
],
"Resource" : "arn:aws:iam::*:role/*",
"Condition" : {
"StringEquals" : {
"aws:ResourceTag/red-hat-managed" : "true"
}
}
}
]
}
```
## Learn more
+ [Create a permission set using AWS managed policies in IAM Identity Center](https://docs.aws.amazon.com/singlesignon/latest/userguide/howtocreatepermissionset.html)
+ [Adding and removing IAM identity permissions](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html)
+ [Understand versioning for IAM policies](https://docs.aws.amazon.com//IAM/latest/UserGuide/access_policies_managed-versioning.html)
+ [Get started with AWS managed policies and move toward least-privilege permissions](https://docs.aws.amazon.com//IAM/latest/UserGuide/best-practices.html#bp-use-aws-defined-policies)