mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
openshift-docs/modules/hcp-managed-aws-iam-separate.adoc


// Module included in the following assemblies:
//
// * hosted_control_planes/hcp-manage/hcp-manage-aws.adoc
:_mod-docs-content-type: CONCEPT
[id="hcp-managed-aws-iam-separate_{context}"]
= Creating the {aws-short} IAM resources

In {aws-first}, you must create the following IAM resources:

* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[An OpenID Connect (OIDC) identity provider in IAM], which is required to enable STS authentication.
* link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html[Seven roles], which are separate for every component that interacts with the provider, such as the Kubernetes controller manager, cluster API provider, and registry.
* The link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html[instance profile], which is the profile that is assigned to all worker instances of the cluster.
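
The following added example, which is not part of the OpenShift documentation, audits a role trust policy to confirm that the role can be assumed only through the cluster OIDC provider and only by one component identity. The issuer, account ID, namespace, and service account names are constructed placeholders, and the `audit_trust_policy` helper is hypothetical.

```python
# Constructed placeholder values; none come from the OpenShift documentation.
ISSUER = "oidc.example.com/example-cluster"
PROVIDER_ARN = f"arn:aws:iam::123456789012:oidc-provider/{ISSUER}"
SUB_KEY = f"{ISSUER}:sub"


def trust_policy(subject):
    """Trust policy letting one service account assume one role through STS."""
    return {
        "Version": "2012-10-17",
        "Statement": [{
            "Effect": "Allow",
            "Principal": {"Federated": PROVIDER_ARN},
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {"StringEquals": {SUB_KEY: subject}},
        }],
    }


def audit_trust_policy(policy):
    """Return findings; an empty list means the role is pinned to one identity."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal")
        federated = principal.get("Federated") if isinstance(principal, dict) else None
        if federated != PROVIDER_ARN:
            findings.append(f"statement {i}: principal is not the cluster OIDC provider")
        action = stmt.get("Action")
        if action not in ("sts:AssumeRoleWithWebIdentity", ["sts:AssumeRoleWithWebIdentity"]):
            findings.append(f"statement {i}: unexpected action {action!r}")
        # Only an exact match on the token subject pins the role to one component;
        # StringLike or a missing condition lets other workloads assume it.
        subject = stmt.get("Condition", {}).get("StringEquals", {}).get(SUB_KEY)
        if subject is None:
            findings.append(f"statement {i}: no StringEquals condition on {SUB_KEY}")
        elif not isinstance(subject, str):
            findings.append(f"statement {i}: role is shared by several subjects")
    return findings


if __name__ == "__main__":
    good = trust_policy("system:serviceaccount:example-namespace:example-component")
    loose = trust_policy("unused")
    del loose["Statement"][0]["Condition"]
    print(audit_trust_policy(good))
    print(audit_trust_policy(loose))
```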