openshift
diff --git a/‎authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc
Lines changed: 4 additions & 6 deletions b/‎authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc
Lines changed: 4 additions & 6 deletions
diff --git a/‎authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc
Lines changed: 1 addition & 4 deletions b/‎authentication/managing_cloud_provider_credentials/cco-mode-sts.adoc
Lines changed: 1 addition & 4 deletions
diff --git a/‎images/142_OpenShift_credentials_STS_0221.png
-42.8 KB b/‎images/142_OpenShift_credentials_STS_0221.png
-42.8 KB
diff --git a/‎images/347_OpenShift_credentials_with_STS_updates_0623_AWS.png
89.2 KB b/‎images/347_OpenShift_credentials_with_STS_updates_0623_AWS.png
89.2 KB
diff --git a/‎images/347_OpenShift_credentials_with_STS_updates_0623_GCP.png
115 KB b/‎images/347_OpenShift_credentials_with_STS_updates_0623_GCP.png
115 KB
@@ -13,17 +13,15 @@ Manual mode with GCP Workload Identity is supported for Google Cloud Platform (G
 This credentials strategy is supported for only new {product-title} clusters and must be configured during installation. You cannot reconfigure an existing cluster that uses a different credentials strategy to use this feature.
 ====
 
+[id="gcp-workload-identity-mode-about_{context}"]
+== About manual mode with GCP Workload Identity
+
 In manual mode with GCP Workload Identity, the individual {product-title} cluster components can impersonate IAM service accounts using short-term, limited-privilege credentials.
 
 Requests for new and refreshed credentials are automated by using an appropriately configured OpenID Connect (OIDC) identity provider, combined with IAM service accounts. {product-title} signs service account tokens that are trusted by GCP, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour by default.
 
-////
-to-do: GCP diagram from https://github.com/openshift/cloud-credential-operator/blob/master/docs/gcp_workload_identity_flow.png?raw=true
-
 .Workload Identity authentication flow
-image::<new_filename_for_gcp_workload_id.svg[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity]
-//to-do: improve alt-text
-////
+image::347_OpenShift_credentials_with_STS_updates_0623_GCP.png[Detailed authentication flow between GCP and the cluster when using GCP Workload Identity]
 
 Using manual mode with GCP Workload Identity changes the content of the GCP credentials that are provided to individual {product-title} components.
 
 
@@ -20,11 +20,8 @@ In manual mode with STS, the individual {product-title} cluster components use A
 
 Requests for new and refreshed credentials are automated by using an appropriately configured AWS IAM OpenID Connect (OIDC) identity provider, combined with AWS IAM roles. {product-title} signs service account tokens that are trusted by AWS IAM, and can be projected into a pod and used for authentication. Tokens are refreshed after one hour.
 
-//to-do: more detailed info on this flow
-
 .STS authentication flow
-image::142_OpenShift_credentials_STS_0221.png[Detailed authentication flow between AWS and the cluster when using AWS STS]
-//to-do: improve alt-text
+image::347_OpenShift_credentials_with_STS_updates_0623_AWS.png[Detailed authentication flow between AWS and the cluster when using AWS STS]
 
 Using manual mode with STS changes the content of the AWS credentials that are provided to individual {product-title} components.