Merge pull request #89134 from dfitzmau/OCPBUGS-45919-16

[enterprise-4.16] OCPBUGS-45919: Updated the service account in STS

Author: dfitzmau

modules/aws-installing-an-aws-load-balancer-operator.adoc

@@ -36,7 +36,7 @@ endif::openshift-rosa[]
 CLI (`rosa`).
 * You have installed the Amazon Web Services (AWS) CLI.
 * You have installed the OpenShift CLI (oc).
-* You are using OpenShift Container Platform (OCP) 4.13 or later.
+* You are using {product-title} 4.13 or later.
 
 [IMPORTANT]
 ====
@@ -103,14 +103,21 @@ cluster as a user with the `dedicated-admin` role and create a new project using
 ----
 $ oc new-project aws-load-balancer-operator
 ----
-
 +
 .. Assign the following trust policy to the newly-created AWS IAM role:
 +
 [source,terminal]
 ----
 $ IDP='{Cluster_OIDC_Endpoint}'
 $ IDP_ARN="arn:aws:iam::{AWS_AccountNo}:oidc-provider/${IDP}" <1>
+----
+<1> Replace `{AWS_AccountNo}` with your AWS account number and `{Cluster_OIDC_Endpoint}` with the OIDC DNS identified earlier in this procedure.
++
+.. Verify that the trust policy was assigned to the AWS IAM role.
++
+.Example output
+[source,terminal,subs="quotes,verbatim"]
+----
 $ cat <<EOF > albo-operator-trusted-policy.json
 {
     "Version": "2012-10-17",
@@ -131,20 +138,28 @@ $ cat <<EOF > albo-operator-trusted-policy.json
 }
 EOF
 ----
-<1> Replace '{AWS_AccountNo}' with your AWS account number and '{Cluster_OIDC_Endpoint}' with the OIDC DNS identified earlier in this procedure.
 +
 [IMPORTANT]
 ====
 Do not include the `https` portion of the OIDC DNS URL when replacing `{Cluster_OIDC_Endpoint}` with the OIDC DNS you identified earlier. Only the alphanumeric information that follows the `/` within the URL is needed.
 ====
 +
 For more information on assigning trust policies to AWS IAM roles, see link:https://aws.amazon.com/blogs/security/how-to-use-trust-policies-with-iam-roles/[How to use trust policies with IAM roles].
++
 .. Create and verify the role by using the generated trust policy:
 +
 [source, terminal]
 ----
 $ aws iam create-role --role-name albo-operator --assume-role-policy-document file://albo-operator-trusted-policy.json
+----
++
+[source, terminal]
+----
 $ OPERATOR_ROLE_ARN=$(aws iam get-role --role-name albo-operator --output json | jq -r '.Role.Arn')
+----
++
+[source, terminal]
+----
 $ echo $OPERATOR_ROLE_ARN
 ----
 +
@@ -155,6 +170,10 @@ For more information on creating AWS IAM roles, see link:https://docs.aws.amazon
 [source, terminal]
 ----
 $ curl -o albo-operator-permission-policy.json https://raw.githubusercontent.com/openshift/aws-load-balancer-operator/release-1.1/hack/operator-permission-policy.json
+----
++
+[source, terminal]
+----
 $ aws iam put-role-policy --role-name albo-operator --policy-name perms-policy-albo-operator --policy-document file://albo-operator-permission-policy.json
 ----
 +
@@ -200,7 +219,7 @@ $ cat <<EOF > albo-controller-trusted-policy.json
             "Action": "sts:AssumeRoleWithWebIdentity",
             "Condition": {
                 "StringEquals": {
-                    "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"
+                    "${IDP}:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"
                 }
             }
         }
@@ -214,7 +233,15 @@ EOF
 [source, terminal]
 ----
 $ aws iam create-role --role-name albo-controller --assume-role-policy-document file://albo-controller-trusted-policy.json
+----
++
+[source,terminal]
+----
 $ CONTROLLER_ROLE_ARN=$(aws iam get-role --role-name albo-controller --output json | jq -r '.Role.Arn')
+----
++
+[source,terminal]
+----
 $ echo $CONTROLLER_ROLE_ARN
 ----
 +
@@ -223,6 +250,10 @@ $ echo $CONTROLLER_ROLE_ARN
 [source,terminal]
 ----
 $ curl -o albo-controller-permission-policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.7/docs/install/iam_policy.json
+----
++
+[source,terminal]
+----
 $ aws iam put-role-policy --role-name albo-controller --policy-name perms-policy-albo-controller --policy-document file://albo-controller-permission-policy.json
 ----
 +

modules/using-aws-cli-create-iam-role-alb-controller.adoc

@@ -30,7 +30,7 @@ $ cat <<EOF > albo-controller-trust-policy.json
             "Action": "sts:AssumeRoleWithWebIdentity",
             "Condition": {
                 "StringEquals": {
-                    "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" <2>
+                    "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" <2>
                 }
             }
         }
@@ -54,7 +54,7 @@ $ aws iam create-role --role-name albo-controller --assume-role-policy-document
 ROLE	arn:aws:iam::<aws_account_number>:role/albo-controller	2023-08-02T12:13:22Z <1>
 ASSUMEROLEPOLICYDOCUMENT	2012-10-17
 STATEMENT	sts:AssumeRoleWithWebIdentity	Allow
-STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster
+STRINGEQUALS	system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager
 PRINCIPAL	arn:aws:iam:<aws_account_number>:oidc-provider/<cluster_oidc_endpoint>
 ----
 <1> Note the ARN of an {aws-short} IAM role for the {aws-short} Load Balancer Controller, such as `arn:aws:iam::777777777777:role/albo-controller`.

modules/using-aws-cli-create-iam-role-alb-operator.adoc

@@ -30,7 +30,7 @@ $ cat <<EOF > albo-operator-trust-policy.json
             "Action": "sts:AssumeRoleWithWebIdentity",
             "Condition": {
                 "StringEquals": {
-                    "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster" <2>
+                    "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager" <2>
                 }
             }
         }