Merge pull request #86793 from jeana-redhat/OSDOCS-12745-ccoctl-rotation

OSDOCS-12745: Rotating OIDC bound service account signer keys

Author: jeana-redhat

_attributes/common-attributes.adoc

@@ -320,8 +320,6 @@ endif::openshift-origin[]
 :vmw-first: VMware vSphere
 :vmw-full: VMware vSphere
 :vmw-short: vSphere
-
-
 //Token-based auth products
 //AWS Security Token Service
 :sts-first: Security Token Service (STS)
@@ -333,8 +331,6 @@ endif::openshift-origin[]
 //Google Cloud Platform Workload Identity
 :gcp-wid-first: Google Cloud Platform Workload Identity
 :gcp-wid-short: GCP Workload Identity
-
-
 // Cluster API terminology
 // Cluster CAPI Operator
 :cluster-capi-operator: Cluster CAPI Operator
@@ -365,9 +361,8 @@ endif::openshift-origin[]
 // Cluster API Provider VMware vSphere
 :cap-vsphere-first: Cluster API Provider VMware vSphere
 :cap-vsphere-short: Cluster API Provider vSphere
-
 // Hosted control planes related attributes
 :hcp-capital: Hosted control planes
 :hcp: hosted control planes
 :mce: multicluster engine for Kubernetes Operator
-:mce-short: multicluster engine Operator
+:mce-short: multicluster engine Operator

_unused_topics/manually-creating-iam-gcp.adoc

@@ -14,7 +14,7 @@ include::modules/alternatives-to-storing-admin-secrets-in-kube-system.adoc[level
 .Additional resources
 
 * xref:../../authentication/managing_cloud_provider_credentials/cco-mode-gcp-workload-identity.adoc#cco-mode-gcp-workload-identity[Using manual mode with GCP Workload Identity]
-* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-rotate-remove-cloud-creds[Rotating or removing cloud provider credentials]
+* xref:../../post_installation_configuration/cluster-tasks.adoc#post-install-remove-cloud-creds[Removing cloud provider credentials]
 
 For a detailed description of all available CCO credential modes and their supported platforms, see xref:../../authentication/managing_cloud_provider_credentials/about-cloud-credential-operator.adoc#about-cloud-credential-operator[About the Cloud Credential Operator].
 

modules/cco-ccoctl-configuring.adoc

@@ -1,7 +1,7 @@
 // Module included in the following assemblies:
 //
 //Postinstall  and update content
-// * post_installation_configuration/cluster-tasks.adoc
+// * post_installation_configuration/changing-cloud-credentials-configuration.adoc
 // * updating/preparing_for_updates/preparing-manual-creds-update.adoc
 //
 //Platforms that must use `ccoctl` and update content
@@ -169,155 +169,8 @@ ifdef::update[]
 * You have extracted the `CredentialsRequest` custom resources (CRs) from the {product-title} release image and ensured that a namespace that matches the text in the `spec.secretRef.namespace` field exists in the cluster.
 endif::update[]
 
-//AWS permissions needed when running ccoctl during install (I think we can omit from upgrade, since they already have an appropriate AWS account if they are upgrading).
-ifdef::aws-sts[]
-* You have created an AWS account for the `ccoctl` utility to use with the following permissions:
-+
-.Required AWS permissions
-[%collapsible]
-====
-**Required `iam` permissions**
-
-* `iam:CreateOpenIDConnectProvider`
-* `iam:CreateRole`
-* `iam:DeleteOpenIDConnectProvider`
-* `iam:DeleteRole`
-* `iam:DeleteRolePolicy`
-* `iam:GetOpenIDConnectProvider`
-* `iam:GetRole`
-* `iam:GetUser`
-* `iam:ListOpenIDConnectProviders`
-* `iam:ListRolePolicies`
-* `iam:ListRoles`
-* `iam:PutRolePolicy`
-* `iam:TagOpenIDConnectProvider`
-* `iam:TagRole`
-
-**Required `s3` permissions**
-
-* `s3:CreateBucket`
-* `s3:DeleteBucket`
-* `s3:DeleteObject`
-* `s3:GetBucketAcl`
-* `s3:GetBucketTagging`
-* `s3:GetObject`
-* `s3:GetObjectAcl`
-* `s3:GetObjectTagging`
-* `s3:ListBucket`
-* `s3:PutBucketAcl`
-* `s3:PutBucketPolicy`
-* `s3:PutBucketPublicAccessBlock`
-* `s3:PutBucketTagging`
-* `s3:PutObject`
-* `s3:PutObjectAcl`
-* `s3:PutObjectTagging`
-
-**Required `cloudfront` permissions**
-
-* `cloudfront:ListCloudFrontOriginAccessIdentities`
-* `cloudfront:ListDistributions`
-* `cloudfront:ListTagsForResource`
-====
-+
-If you plan to store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the `ccoctl` utility requires the following additional permissions:
-+
-.Additional permissions for a private S3 bucket with CloudFront
-[%collapsible]
-====
-* `cloudfront:CreateCloudFrontOriginAccessIdentity`
-* `cloudfront:CreateDistribution`
-* `cloudfront:DeleteCloudFrontOriginAccessIdentity`
-* `cloudfront:DeleteDistribution`
-* `cloudfront:GetCloudFrontOriginAccessIdentity`
-* `cloudfront:GetCloudFrontOriginAccessIdentityConfig`
-* `cloudfront:GetDistribution`
-* `cloudfront:TagResource`
-* `cloudfront:UpdateDistribution`
-
-[NOTE]
-=====
-These additional permissions support the use of the `--create-private-s3-bucket` option when processing credentials requests with the `ccoctl aws create-all` command.
-=====
-====
-endif::aws-sts[]
-
-//Azure permissions needed when running ccoctl during install.
-ifdef::azure-workload-id[]
-* You have created a global Microsoft Azure account for the `ccoctl` utility to use with the following permissions:
-+
-.Required Azure permissions
-[%collapsible]
-====
-* Microsoft.Resources/subscriptions/resourceGroups/read
-* Microsoft.Resources/subscriptions/resourceGroups/write
-* Microsoft.Resources/subscriptions/resourceGroups/delete
-* Microsoft.Authorization/roleAssignments/read
-* Microsoft.Authorization/roleAssignments/delete
-* Microsoft.Authorization/roleAssignments/write
-* Microsoft.Authorization/roleDefinitions/read
-* Microsoft.Authorization/roleDefinitions/write
-* Microsoft.Authorization/roleDefinitions/delete
-* Microsoft.Storage/storageAccounts/listkeys/action
-* Microsoft.Storage/storageAccounts/delete
-* Microsoft.Storage/storageAccounts/read
-* Microsoft.Storage/storageAccounts/write
-* Microsoft.Storage/storageAccounts/blobServices/containers/write
-* Microsoft.Storage/storageAccounts/blobServices/containers/delete
-* Microsoft.Storage/storageAccounts/blobServices/containers/read
-* Microsoft.ManagedIdentity/userAssignedIdentities/delete
-* Microsoft.ManagedIdentity/userAssignedIdentities/read
-* Microsoft.ManagedIdentity/userAssignedIdentities/write
-* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/read
-* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/write
-* Microsoft.ManagedIdentity/userAssignedIdentities/federatedIdentityCredentials/delete
-* Microsoft.Storage/register/action
-* Microsoft.ManagedIdentity/register/action
-====
-endif::azure-workload-id[]
-
-//GCP permissions needed when running ccoctl during install.
-ifdef::google-cloud-platform[]
-* You have added one of the following authentication options to the GCP account that the installation program uses:
-
-** The **IAM Workload Identity Pool Admin** role.
-
-** The following granular permissions:
-+
-.Required GCP permissions
-[%collapsible]
-====
-* compute.projects.get
-* iam.googleapis.com/workloadIdentityPoolProviders.create
-* iam.googleapis.com/workloadIdentityPoolProviders.get
-* iam.googleapis.com/workloadIdentityPools.create
-* iam.googleapis.com/workloadIdentityPools.delete
-* iam.googleapis.com/workloadIdentityPools.get
-* iam.googleapis.com/workloadIdentityPools.undelete
-* iam.roles.create
-* iam.roles.delete
-* iam.roles.list
-* iam.roles.undelete
-* iam.roles.update
-* iam.serviceAccounts.create
-* iam.serviceAccounts.delete
-* iam.serviceAccounts.getIamPolicy
-* iam.serviceAccounts.list
-* iam.serviceAccounts.setIamPolicy
-* iam.workloadIdentityPoolProviders.get
-* iam.workloadIdentityPools.delete
-* resourcemanager.projects.get
-* resourcemanager.projects.getIamPolicy
-* resourcemanager.projects.setIamPolicy
-* storage.buckets.create
-* storage.buckets.delete
-* storage.buckets.get
-* storage.buckets.getIamPolicy
-* storage.buckets.setIamPolicy
-* storage.objects.create
-* storage.objects.delete
-* storage.objects.list
-====
-endif::google-cloud-platform[]
+//Permissions requirements (per platform, for install and key rotation)
+include::snippets/ccoctl-provider-permissions-requirements.adoc[]
 
 .Procedure
 

modules/refreshing-service-ids-ibm-cloud.adoc

@@ -1,27 +1,27 @@
 // Module included in the following assemblies:
 //
-// * post_installation_configuration/cluster-tasks.adoc
+// * post_installation_configuration/changing-cloud-credentials-configuration.adoc
 
 :_mod-docs-content-type: PROCEDURE
 [id="refreshing-service-ids-ibm-cloud_{context}"]
-= Rotating API keys
+= Rotating {ibm-cloud-title} credentials
 
 You can rotate API keys for your existing service IDs and update the corresponding secrets.
 
 .Prerequisites
 
-* You have configured the `ccoctl` binary.
+* You have configured the `ccoctl` utility.
 * You have existing service IDs in a live {product-title} cluster installed.
 
 .Procedure
 
-* Use the `ccoctl` utility to rotate your API keys for the service IDs and update the secrets:
+* Use the `ccoctl` utility to rotate your API keys for the service IDs and update the secrets by running the following command:
 +
 [source,terminal]
 ----
-$ ccoctl <provider_name> refresh-keys \ <1>
-    --kubeconfig <openshift_kubeconfig_file> \ <2>
-    --credentials-requests-dir <path_to_credential_requests_directory> \ <3>
+$ ccoctl <provider_name> refresh-keys \// <1>
+    --kubeconfig <openshift_kubeconfig_file> \// <2>
+    --credentials-requests-dir <path_to_credential_requests_directory> \// <3>
     --name <name> <4>
 ----
 <1> The name of the provider. For example: `ibmcloud` or `powervs`.
@@ -34,4 +34,4 @@ $ ccoctl <provider_name> refresh-keys \ <1>
 ====
 If your cluster uses Technology Preview features that are enabled by the `TechPreviewNoUpgrade` feature set, you must include the `--enable-tech-preview` parameter.
 ====
---
+--