Merge pull request #37556 from codyhoag/aws-optional-permissions

BZ#2012324 Explain when specific "Create" IAM permissions are needed

Author: codyhoag

modules/installation-aws-permissions.adoc

@@ -247,8 +247,6 @@ If you use an existing VPC, your account does not require these permissions to d
 .Additional IAM and S3 permissions that are required to create manifests
 [%collapsible]
 ====
-* `iam:CreateAccessKey`
-* `iam:CreateUser`
 * `iam:DeleteAccessKey`
 * `iam:DeleteUser`
 * `iam:DeleteUserPolicy`
@@ -264,6 +262,11 @@ If you use an existing VPC, your account does not require these permissions to d
 * `s3:HeadBucket`
 * `s3:ListBucketMultipartUploads`
 * `s3:AbortMultipartUpload`
+
+[NOTE]
+=====
+If you are managing your cloud provider credentials with mint mode, the IAM user also requires the `iam:CreateAccessKey` and `iam:CreateUser` permissions.
+=====
 ====
 
 .Optional permissions for instance and quota checks for installation