Issues to deploy Portworx on AWS rosa using STS accounts

Hi, I’m trying to deploy Portworx on openshift in AWS ROSA, and I’m getting this error.

Normal PortworxMonitorImagePullInPrgress 9m24s portworx Portworx image /portworx/px-essentials:2.7.0 pull and extraction in progress
Warning Unhealthy 2m15s (x76250 over 8d) kubelet Readiness probe failed: HTTP probe failed with statuscode: 503
Warning NodeStartFailure 7s (x2956 over 8d) portworx (combined from similar events): Failed to start Portworx: Authentication error: AuthFailure: AWS was not able to validate the provided access credentials
status code: 401, request id: 1c7aaa2c-3476-403d-a27f-cc6e9bb1d304

I’m using assume role (STS) AWS account, I’ve tried run it with all px versions (2.6,2.8 and 2.9), I’m using Portworx essentials.

For Red Hat OpenShift on AWS (ROSA):

Modifications must be made to the storage cluster manifest when using Red Hat OpenShift on AWS to maintain compliance with the managed service agreement. It is necessary to make the following edits to the cluster spec file before applying it to create the Portworx Cluster.

  1. Change the ‘namespace’ Portworx is deployed to from the default (kube-system) to a different namespace. In this validation process, the namespace ‘portworx’ was created and used.
  2. Add an annotation to prevent the creation of Portworx related objects in the kube-system namespace. The needed annotation is in bold below.

Before applying the manifests take the following steps in the AWS management console.

  1. Log into your AWS Console, navigate to the IAM console and attach the Portworx IAM Policy to the Worker Node IAM Role.

  2. Navigate to the VPC your ROSA Cluster is in and add 2 Inbound rules to the worker security group. They will be named based on your cluster name and include ‘worker’ in the security group name.

  3. Add a rule allowing inbound TCP traffic on ports 17001 - 17022 from your Machine CIDR, in this example.

  4. Add a rule allowing inbound UDP traffic on port 17002 from your Machine CIDR, in this example.

Once these steps are completed, apply the StorageCluster configuration manifest in the OpenShift Portworx Operator Interface to create the Portworx cluster.

Example StorageCluster Yaml for ROSA:kind: StorageCluster

  name: px-cluster-01bd27e1-fa3d-4324-8df3-3d20ee3a6a7a
  namespace: portworx #ROSA requires using a different namespace
  annotations: "true"
      ** "false"** #ROSA specific to prevent Proxies in kube-system, do not include "*"
  image: portworx/oci-monitor:
  imagePullPolicy: Always
    internal: true
    provider: aws
    - type=gp2,size=150
    kvdbDeviceSpec: type=gp2,size=150
  secretsProvider: k8s
    enabled: true
      webhook-controller: "false"
    enabled: true
    - name: default
      type: prometheus
        url: http://px-prometheus:9090
      enabled: true
      enabled: true
      exportMetrics: true
    CSI: "true"

NOTE: This is a Portworx Enterprise deployment. You will need to add the additional info needed to use Essentials.