Merge pull request #105699 from openshift-cherrypick-robot/cherry-pick-105000-to-enterprise-4.21

[enterprise-4.21] OSDOCS-11384# Add --permissions-boundary-arn flag to relevant ccoctl commands.
2026-02-05 21:46:22 +01:00 · 2026-01-29 13:50:22 -05:00
parent c11dbc91f0 65246b99f2
commit 255eff8a3d
3 changed files with 11 additions and 4 deletions
--- a/modules/cco-ccoctl-creating-at-once.adoc
+++ b/modules/cco-ccoctl-creating-at-once.adoc
@@ -183,13 +183,15 @@ $ ccoctl aws create-all \
  --region=<aws_region> \// <2>
  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <3>
  --output-dir=<path_to_ccoctl_output_dir> \// <4>
-  --create-private-s3-bucket <5>
+  --create-private-s3-bucket \// <5>
+  --permissions-boundary-arn=<policy_arn> <6>
 ----
 <1> Specify the name used to tag any cloud resources that are created for tracking.
 <2> Specify the AWS region in which cloud resources will be created.
 <3> Specify the directory containing the files for the component `CredentialsRequest` objects.
 <4> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run.
 <5> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter.
+<6> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility.
 +
 [NOTE]
 ====
--- a/modules/cco-ccoctl-upgrading.adoc
+++ b/modules/cco-ccoctl-upgrading.adoc
@@ -53,7 +53,8 @@ $ ccoctl aws create-all \// <1>
  --credentials-requests-dir=<path_to_credentials_requests_directory> \// <4>
  --output-dir=<path_to_ccoctl_output_dir> \// <5>
  --public-key-file=<path_to_ccoctl_output_dir>/serviceaccount-signer.public \// <6>
-  --create-private-s3-bucket <7>
+  --create-private-s3-bucket \// <7>
+  --permissions-boundary-arn=<policy_arn> <8>
 ----
 <1> To create the AWS resources individually, use the "Creating AWS resources individually" procedure in the "Installing a cluster on AWS with customizations" content. This option might be useful if you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization.
 <2> Specify the name used to tag any cloud resources that are created for tracking.
@@ -62,6 +63,7 @@ $ ccoctl aws create-all \// <1>
 <5> Specify the path to the output directory.
 <6> Specify the path to the `serviceaccount-signer.public` file that you extracted from the cluster.
 <7> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter.
+<8> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility.
 ====
 +
 .{gcp-first}
--- a/modules/enabling-aws-sts-existing-cluster.adoc
+++ b/modules/enabling-aws-sts-existing-cluster.adoc
@@ -6,7 +6,8 @@
 [id="enabling-aws-sts-existing-cluster_{context}"]
 = Enabling {aws-short} {sts-first} on an existing cluster

-If you did not configure your {aws-first} {product-title} cluster to use {sts-first} during installation, you can enable this authentication method on an existing cluster.
+[role="_abstract"]
+Enable {aws-short} {sts-first} on an existing {product-title} cluster if you did not configure this authentication method during installation.

 [IMPORTANT]
 ====
@@ -167,13 +168,15 @@ $ ./ccoctl aws create-iam-roles \
  --name <name_you_choose> \ <2>
  --identity-provider-arn <identity_provider_arn> \ <3>
  --region us-east-2 \ <4>
-  --credentials-requests-dir ./output_dir/cred-reqs/ <5>
+  --credentials-requests-dir ./output_dir/cred-reqs/ \ <5>
+  --permissions-boundary-arn=<policy_arn> <6>
 ----
 <1> Specify the output directory you created earlier.
 <2> Specify a globally unique name. This name functions as a prefix for AWS resources created by this command.
 <3> Specify the ARN for the IAM identity provider.
 <4> Specify the AWS region of the cluster.
 <5> Specify the relative path to the folder where you extracted the `CredentialsRequest` files with the `oc adm release extract` command.
+<6> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility.

 .. Apply the generated secrets by running the following command:
 +