From 65246b99f221250f3b4a9f170cef274702c5221c Mon Sep 17 00:00:00 2001 From: Shafer Slockett Date: Mon, 19 Jan 2026 08:19:02 -0500 Subject: [PATCH] OSDOCS-11384: Add --permissions-boundary-arn flag to relevant ccoctl commands. --- modules/cco-ccoctl-creating-at-once.adoc | 4 +++- modules/cco-ccoctl-upgrading.adoc | 4 +++- modules/enabling-aws-sts-existing-cluster.adoc | 7 +++++-- 3 files changed, 11 insertions(+), 4 deletions(-) diff --git a/modules/cco-ccoctl-creating-at-once.adoc b/modules/cco-ccoctl-creating-at-once.adoc index 9e9321a631..143d86c91b 100644 --- a/modules/cco-ccoctl-creating-at-once.adoc +++ b/modules/cco-ccoctl-creating-at-once.adoc @@ -183,13 +183,15 @@ $ ccoctl aws create-all \ --region= \// <2> --credentials-requests-dir= \// <3> --output-dir= \// <4> - --create-private-s3-bucket <5> + --create-private-s3-bucket \// <5> + --permissions-boundary-arn= <6> ---- <1> Specify the name used to tag any cloud resources that are created for tracking. <2> Specify the AWS region in which cloud resources will be created. <3> Specify the directory containing the files for the component `CredentialsRequest` objects. <4> Optional: Specify the directory in which you want the `ccoctl` utility to create objects. By default, the utility creates objects in the directory in which the commands are run. <5> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter. +<6> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility. + [NOTE] ==== diff --git a/modules/cco-ccoctl-upgrading.adoc b/modules/cco-ccoctl-upgrading.adoc index c3cebbf5fa..dab35d4119 100644 
--- a/modules/cco-ccoctl-upgrading.adoc +++ b/modules/cco-ccoctl-upgrading.adoc @@ -53,7 +53,8 @@ $ ccoctl aws create-all \// <1> --credentials-requests-dir= \// <4> --output-dir= \// <5> --public-key-file=/serviceaccount-signer.public \// <6> - --create-private-s3-bucket <7> + --create-private-s3-bucket \// <7> + --permissions-boundary-arn= <8> ---- <1> To create the AWS resources individually, use the "Creating AWS resources individually" procedure in the "Installing a cluster on AWS with customizations" content. This option might be useful if you need to review the JSON files that the `ccoctl` tool creates before modifying AWS resources, or if the process the `ccoctl` tool uses to create AWS resources automatically does not meet the requirements of your organization. <2> Specify the name used to tag any cloud resources that are created for tracking. @@ -62,6 +63,7 @@ $ ccoctl aws create-all \// <1> <5> Specify the path to the output directory. <6> Specify the path to the `serviceaccount-signer.public` file that you extracted from the cluster. <7> Optional: By default, the `ccoctl` utility stores the OpenID Connect (OIDC) configuration files in a public S3 bucket and uses the S3 URL as the public OIDC endpoint. To store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL instead, use the `--create-private-s3-bucket` parameter. +<8> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility. ==== + .{gcp-first} diff --git a/modules/enabling-aws-sts-existing-cluster.adoc b/modules/enabling-aws-sts-existing-cluster.adoc index 619d987e68..971f326423 100644 --- a/modules/enabling-aws-sts-existing-cluster.adoc +++ b/modules/enabling-aws-sts-existing-cluster.adoc 
@@ -6,7 +6,8 @@ [id="enabling-aws-sts-existing-cluster_{context}"] = Enabling {aws-short} {sts-first} on an existing cluster -If you did not configure your {aws-first} {product-title} cluster to use {sts-first} during installation, you can enable this authentication method on an existing cluster. +[role="_abstract"] +Enable {aws-short} {sts-first} on an existing {product-title} cluster if you did not configure this authentication method during installation. [IMPORTANT] ==== @@ -167,13 +168,15 @@ $ ./ccoctl aws create-iam-roles \ --name \ <2> --identity-provider-arn \ <3> --region us-east-2 \ <4> - --credentials-requests-dir ./output_dir/cred-reqs/ <5> + --credentials-requests-dir ./output_dir/cred-reqs/ \ <5> + --permissions-boundary-arn= <6> ---- <1> Specify the output directory you created earlier. <2> Specify a globally unique name. This name functions as a prefix for AWS resources created by this command. <3> Specify the ARN for the IAM identity provider. <4> Specify the AWS region of the cluster. <5> Specify the relative path to the folder where you extracted the `CredentialsRequest` files with the `oc adm release extract` command. +<6> Optional: Specify the Amazon Resource Name (ARN) of the {aws-short} IAM policy to use as the permissions boundary for the IAM roles created by the `ccoctl` utility. .. Apply the generated secrets by running the following command: +
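Review bot: In the `@@ -183,13 +183,15 @@` hunk of `modules/cco-ccoctl-creating-at-once.adoc`, callout `<6>` tells the reader to specify a permissions-boundary ARN but not what the boundary does to the roles `ccoctl` creates. A permissions boundary caps the effective permissions of a role at the intersection of its attached policies and the boundary policy, so if the boundary does not allow every action the component `CredentialsRequest` objects ask for, the operators that assume those roles will be denied. Suggest adding one sentence after the existing text, for example: "The boundary limits the maximum permissions of the created roles; it must allow the actions requested in the `CredentialsRequest` objects." Also, the neighbouring callouts in this block write "AWS" literally ("Specify the AWS region ...") while the new callout uses `{aws-short}`; pick one form for the block.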
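Review bot: In the `@@ -62,6 +63,7 @@` hunk of `modules/cco-ccoctl-upgrading.adoc`, the new callout `<8>` is the same sentence that this patch adds verbatim to the other two modules, with the same missing explanation of what the boundary restricts. Since the three copies will otherwise drift independently, consider a shared snippet or attribute for the `--permissions-boundary-arn` description, and state in it that the boundary policy must permit the actions the `CredentialsRequest` objects require, otherwise components that assume the roles fail with access-denied errors.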
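Review bot: The `@@ -6,7 +6,8 @@` hunk of `modules/enabling-aws-sts-existing-cluster.adoc` rewrites the module's opening sentence and adds `[role="_abstract"]`, which has nothing to do with the `--permissions-boundary-arn` flag named in the subject line ("OSDOCS-11384: Add --permissions-boundary-arn flag to relevant ccoctl commands."). Either mention the abstract change in the commit message or move it to its own commit so the history stays easy to audit.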
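Review bot: In the `@@ -167,13 +168,15 @@` hunk of `modules/enabling-aws-sts-existing-cluster.adoc`, the added line uses the `--permissions-boundary-arn=` form with `=`, while every other flag in this `create-iam-roles` command passes its value with a space (`--region us-east-2`, `--credentials-requests-dir ./output_dir/cred-reqs/`). Drop the `=` so the example is consistent with its own command, and apply the same "boundary caps the roles' effective permissions" sentence to callout `<6>` here as to the other two modules, since this is the procedure run against an existing cluster where a too-restrictive boundary would surface as operator failures after the secrets are applied.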