Upgrading a ROSA Cluster on AWS
5 min read | by Jordi Prats
Keeping your ROSA (Red Hat OpenShift Service on AWS) cluster up to date is essential for getting the latest features, performance improvements, and security patches. Fortunately, Red Hat provides a CLI tool (rosa) that allows you to handle upgrades.
- Login to ROSA
- Browser-based login
- Device code login (for headless environments)
- List Your Clusters
- Schedule the Upgrade
- Verify the Scheduled Upgrade
- Monitor Progress and Completion
- Upgrade Confirmation
Login to ROSA
You can authenticate to ROSA in two ways, depending on your environment:
Browser-based login
rosa login --use-auth-code
Device code login (for headless environments)
rosa login --use-device-code
After login, you'll see confirmation like:
$ rosa login --use-auth-code
I: You will now be redirected to Red Hat SSO login
I: Token received successfully
I: Logged in as 'jordiprats' on 'https://api.openshift.com'
I: To switch accounts, logout from https://sso.redhat.com and run `rosa logout` before attempting to login again
List Your Clusters
AWS_REGION="us-west-2" AWS_PROFILE=demo rosa list clusters
This gives you a list of available clusters and their status:
ID NAME STATE TOPOLOGY
123abcbeefcdef000000000000aaaaab demo-openshift ready Classic (STS)
Schedule the Upgrade
Now upgrade your cluster (in this example we are going from 4.15.48 to 4.16.43). You’ll be prompted to confirm IAM policy upgrades and provide acknowledgements for deprecated APIs:
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa upgrade cluster -c demo-openshift
? IAM Roles/Policies upgrade mode: auto
? Version (default = '4.16.43'): 4.16.43
I: Ensuring account and operator role policies for cluster '123abcbeefcdef000000000000aaaaab' are compatible with upgrade.
I: Starting to upgrade the policies
? Upgrade the 'ManagedOpenShift-Installer-Role' role policy to latest version (4.19) ? Yes
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Installer-Role-Policy' to role 'ManagedOpenShift-Installer-Role(https://console.aws.amazon.com/iam/home?#/roles/ManagedOpenShift-Installer-Role)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Installer-Role-Policy' to version '4.19'
? Upgrade the 'ManagedOpenShift-ControlPlane-Role' role policy to latest version (4.19) ? Yes
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-ControlPlane-Role-Policy' to role 'ManagedOpenShift-ControlPlane-Role(https://console.aws.amazon.com/iam/home?#/roles/ManagedOpenShift-ControlPlane-Role)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-ControlPlane-Role-Policy' to version '4.19'
? Upgrade the 'ManagedOpenShift-Worker-Role' role policy to latest version (4.19) ? Yes
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Worker-Role-Policy' to role 'ManagedOpenShift-Worker-Role(https://console.aws.amazon.com/iam/home?#/roles/ManagedOpenShift-Worker-Role)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Worker-Role-Policy' to version '4.19'
? Upgrade the 'ManagedOpenShift-Support-Role' role policy to latest version (4.19) ? Yes
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Support-Role-Policy' to role 'ManagedOpenShift-Support-Role(https://console.aws.amazon.com/iam/home?#/roles/ManagedOpenShift-Support-Role)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-Support-Role-Policy' to version '4.19'
? Upgrade each operator role policy to latest version (4.19)? Yes
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent' to role 'demo-openshift-b3o1-openshift-cluster-csi-drivers-ebs-cloud-cred(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-cluster-csi-drivers-ebs-cloud-cred)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cluster-csi-drivers-ebs-cloud-credent' to version '4.19'
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cloud-network-config-controller-cloud' to role 'demo-openshift-b3o1-openshift-cloud-network-config-controller-cl(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-cloud-network-config-controller-cl)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cloud-network-config-controller-cloud' to version '4.19'
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials' to role 'demo-openshift-b3o1-openshift-machine-api-aws-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-machine-api-aws-cloud-credentials)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-machine-api-aws-cloud-credentials' to version '4.19'
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede' to role 'demo-openshift-b3o1-openshift-cloud-credential-operator-cloud-cr(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-cloud-credential-operator-cloud-cr)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-cloud-credential-operator-cloud-crede' to version '4.19'
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden' to role 'demo-openshift-b3o1-openshift-image-registry-installer-cloud-cre(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-image-registry-installer-cloud-cre)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-image-registry-installer-cloud-creden' to version '4.19'
I: Attached policy 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials' to role 'demo-openshift-b3o1-openshift-ingress-operator-cloud-credentials(https://console.aws.amazon.com/iam/home?#/roles/demo-openshift-b3o1-openshift-ingress-operator-cloud-credentials)'
I: Upgraded policy with ARN 'arn:aws:iam::123456789876:policy/ManagedOpenShift-openshift-ingress-operator-cloud-credentials' to version '4.19'
I: Account and operator roles for cluster 'demo-openshift' are compatible with upgrade
? Are you sure you want to upgrade cluster to version '4.16.43'? Yes
W: Missing required acknowledgements to schedule upgrade.
? Read the below description and acknowledge to proceed with upgrade
- Description: OpenShift removes several Kubernetes APIs, including flowschemas (flowcontrol.apiserver.k8s.io/v1beta2) and prioritylevelconfigurations (flowcontrol.apiserver.k8s.io/v1beta2) in OpenShift 4.16.
Warning: To prevent an outage on your cluster, review any APIs in use that will be removed, and migrate them to the appropriate new API version. Failure to evaluate and migrate components affected by this update can cause some types of workloads to stop functioning.
URL: https://access.redhat.com/articles/6955985
? I acknowledge Yes
I: Gate abc08218-17ef-11ef-9b4e-0a580a820515 acknowledged
I: Upgrade successfully scheduled for cluster 'demo-openshift'
Verify the Scheduled Upgrade
You can verify upgrade status in multiple ways:
Using rosa describe cluster:
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe cluster -c demo-openshift | grep Sched
Scheduled Upgrade: scheduled 4.16.43 on 2025-07-09 03:39 UTC
Or using rosa describe upgrade:
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe upgrade -c demo-openshift
ID: aaaaaaaa-bbbb-cccc-dddd-0a0a0a0a0a0e
Cluster ID: 123abcbeefcdef000000000000aaaaab
Next Run: 2025-07-09 03:39 UTC
Upgrade State: scheduled
Version: 4.16.43
Monitor Progress and Completion
Once the scheduled time is reached, you’ll see the state change to started:
Using rosa describe upgrade:
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe upgrade -c demo-openshift
ID: aaaaaaaa-bbbb-cccc-dddd-0a0a0a0a0a0e
Cluster ID: 123abcbeefcdef000000000000aaaaab
Next Run: 2025-07-09 03:39 UTC
Upgrade State: started
Version: 4.16.43
Upgrade Confirmation
After completion, using rosa describe upgrade, we can check when the upgrade process finishes. With rosa describe cluster we can validate that is running with the new version:
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe upgrade -c demo-openshift
I: No scheduled upgrades for cluster id '123abcbeefcdef000000000000aaaaab'
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe cluster -c demo-openshift | grep Sched
$ AWS_REGION="us-west-2" AWS_PROFILE=demo rosa describe cluster -c demo-openshift | grep Version
OpenShift Version: 4.16.43
Posted on 10/07/2025