OSDOCS-4383: BYOKMS for ROSA Clusters

bmcelvee · bmcelvee · commit e42ff7964985 · 2023-01-09T14:55:44.000-05:00
diff --git a/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc b/modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc
@@ -33,7 +33,17 @@ link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[AWS Share
 ====
 To successfully install ROSA clusters, use latest version of the ROSA CLI.
 ====
-* If you are using a customer-managed AWS Key Management Service (KMS) key for encryption, you have created a symmetric KMS key and you have the key ID and Amazon Resource Name (ARN). For more information about creating AWS KMS keys, see link:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html[the AWS documentation].
+* If you want to use a customer managed AWS Key Management Service (KMS) key for encryption, you must create a symmetric KMS key. You must provide the Amazon Resource Name (ARN) when creating your cluster. To create a customer managed KMS key, follow the procedure for link:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk[Creating symmetric encryption KMS keys].
++
+[IMPORTANT]
+====
+The EBS operator role is required in addition to the account roles to successfully create your cluster.
+
+.Example EBS Operator role
+`"arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"`
+
+After you create your Operator Roles, you must edit the _Key Policy_ in the link:https://console.aws.amazon.com/kms[*Key Management Service (KMS)* page of the AWS Console] to add the roles.
+====
 
 .Procedure
 
@@ -138,7 +148,8 @@ $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role", <1>
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
-                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role"
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role",
+                    "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent" <2>
                 ]
             },
             "Action": [
@@ -158,7 +169,8 @@ $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Support-Role", <1>
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Installer-Role",
                     "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-Worker-Role",
-                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role"
+                    "arn:aws:iam::<aws-account-id>:role/ManagedOpenShift-ControlPlane-Role",
+                    "arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent" <2>
                 ]
             },
             "Action": [
@@ -177,6 +189,7 @@ $ aws kms get-key-policy --key-id <key_id_or_arn> --policy-name default --output
 }
 ----
 <1> You must specify the ARN for the account-wide role that will be used when you create the ROSA cluster. The ARNs listed in the section must be comma-separated.
+<2> You must specify the ARN for the operator role that will be used when you create the ROSA cluster. The ARNs listed in the section must be comma-separated.
 
 .. Apply the changes to your KMS key policy:
 +
@@ -286,6 +299,15 @@ A custom prefix is applied to the Operator role names if you specified the prefi
 
 If you specified custom ARN paths when you created the associated account-wide roles, the custom path is automatically detected and applied to the Operator roles.
 ====
++
+[IMPORTANT]
+====
+The EBS operator role is required in addition to the account roles to successfully create your cluster.
+.Example EBS Operator role
+`"arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"`
+
+After you create your Operator Roles, you must edit the _Key Policy_ in the link:https://console.aws.amazon.com/kms[*Key Management Service (KMS)* page of the AWS Console] to add the roles.
+====
 
 . Create the OpenID Connect (OIDC) provider that the cluster Operators use to authenticate:
 +
@@ -332,10 +354,10 @@ Instance IAM Roles:
  - Worker:                  arn:aws:iam::<aws_account_id>:role/ManagedOpenShift-Worker-Role
 Operator IAM Roles:
  - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-ingress-operator-cloud-credentials
- - arn:aws:iam::<aws_account_id>:role/<cluster_name-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent
- - arn:aws:iam::<aws_account_id>:role/<cluster_name-xxxx-openshift-machine-api-aws-cloud-credentials
- - arn:aws:iam::<aws_account_id>:role/<cluster_name-xxxx-openshift-cloud-credential-operator-cloud-crede
- - arn:aws:iam::<aws_account_id>:role/<cluster_name-xxxx-openshift-image-registry-installer-cloud-creden
+ - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent
+ - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-machine-api-aws-cloud-credentials
+ - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cloud-credential-operator-cloud-crede
+ - arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-image-registry-installer-cloud-creden
 State:                      ready
 Private:                    No
 Created:                    Oct  1 2021 08:12:25 UTC
diff --git a/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc b/modules/rosa-sts-creating-a-cluster-with-customizations-ocm.adoc
@@ -224,6 +224,18 @@ Only persistent volumes (PVs) created from the default storage class are encrypt
 
 PVs created by using any other storage class are only encrypted if the storage class is configured to be encrypted.
 ====
++
+... Optional. To create a customer managed KMS key, follow the procedure for link:https://docs.aws.amazon.com/kms/latest/developerguide/create-keys.html#create-symmetric-cmk[Creating symmetric encryption KMS keys].
++
+[IMPORTANT]
+====
+The EBS operator role is required in addition to the account roles to successfully create your cluster.
+
+.Example EBS Operator role
+`"arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"`
+
+After you create your Operator Roles, you must edit the _Key Policy_ in the link:https://console.aws.amazon.com/kms[*Key Management Service (KMS)* page of the AWS Console] to add the roles.
+====
 
 .. Click *Next*.
 
@@ -392,6 +404,15 @@ If you specified custom ARN paths when you created the associated account-wide r
 ====
 If you opted to use *Auto* mode, {cluster-manager} creates the Operator roles and the OIDC provider automatically.
 ====
++
+[IMPORTANT]
+====
+The EBS operator role is required in addition to the account roles to successfully create your cluster.
+.Example EBS Operator role
+`"arn:aws:iam::<aws_account_id>:role/<cluster_name>-xxxx-openshift-cluster-csi-drivers-ebs-cloud-credent"`
+
+After you create your Operator Roles, you must edit the _Key Policy_ in the link:https://console.aws.amazon.com/kms[*Key Management Service (KMS)* page of the AWS Console] to add the roles.
+====
 
 .Verification
 
