OSDOCS-3033 - Adding a ROSA quick start guide

_topic_maps/_topic_map_rosa.yml

@@ -49,11 +49,18 @@ Topics:
 - Name: Planning your environment
   File: rosa-planning-environment
 ---
-Name: Setting up accounts and clusters using AWS security token service (STS)
+Name: Getting started
+Dir: rosa_getting_started
+Distros: openshift-rosa
+Topics: 
+- Name: Getting started with ROSA
+  File: rosa-getting-started
+---
+Name: Setting up accounts and clusters using AWS Security Token Service (STS)
 Dir: rosa_getting_started_sts
 Distros: openshift-rosa
 Topics:
-- Name: Getting started using STS workflow
+- Name: Understanding the ROSA with STS deployment workflow
   File: rosa-sts-getting-started-workflow
 - Name: AWS prerequisites for ROSA with STS
   File: rosa-sts-aws-prereqs
@@ -85,7 +92,7 @@ Name: Setting up accounts and clusters
 Dir: rosa_getting_started
 Distros: openshift-rosa
 Topics:
-- Name: Getting started workflow
+- Name: Understanding the ROSA deployment workflow
   File: rosa-getting-started-workflow
 - Name: AWS prerequisites for ROSA
   File: rosa-aws-prereqs

modules/deploy-app.adoc

@@ -1,35 +1,34 @@
-
 // Module included in the following assemblies:
 //
-// * assemblies/quickstart-osd.adoc
+// * rosa_getting_started/rosa-getting-started.adoc
+// * osd_quickstart/osd-quickstart.adoc
 
 [id="deploy-app_{context}"]
-= Deploying an app with the OpenShift service catalog
+= Deploying an application from the Developer Catalog
 
-
-From the OpenShift web console, you can deploy one of the built-in service catalog apps and expose the app with a route.
+From the {product-title} web console, you can deploy a test application from the Developer Catalog and expose it with a route.
 
 .Prerequisites
 
-- An actively running cluster.
+* You have access to a {product-title} cluster.
 
 .Procedure
 
-. From OpenShift Cluster Manager (OCM), click *Open console*.
+. From {console-redhat-com}, navigate to the overview page for your cluster and select *Open console*.
 
-. From the side navigation menu in the *Administrator* perspective, click *Home* -> *Projects* and then click *Create Project*.
+. In the *Administrator* perspective, select *Home* -> *Projects* -> *Create Project*.
 
-. Enter a name for your project. Optional: Add a *Display Name* and *Description*. Click *Create*.
+. Enter a name for your project and optionally add a *Display Name* and *Description*.
 
-. Switch to the Developer perspective from the side navigation menu to create an app.
+. Click *Create* to create the project.
 
-. Click *+Add* from the side navigation menu. From the *Add pane* menu bar, make sure that the *Project* is the one that you just created.
+. Switch to the *Developer* perspective and select *+Add*. Make sure that the selected *Project* is the one that you just created.
 
-. Click *From Catalog*. The Developer Catalog opens in the pane.
+. In the *Developer Catalog* dialog, select *All services*.
 
-. From the navigation menu in the pane, click *Languages* -> *JavaScript*.
+. In the *Developer Catalog* page, select *Languages* -> *JavaScript* from the menu.
 
-. Click *Node.js*, and then click *Create Application*. After you select *Node.js*, the *Create Source-to-Image Application* pane opens.
+. Click *Node.js*, and then click *Create Application* to open the *Create Source-to-Image Application* page.
 +
 [NOTE]
 ====
@@ -38,23 +37,26 @@ You might need to click *Clear All Filters* to display the *Node.js* option.
 
 . In the *Git* section, click *Try Sample*.
 
-. Scroll to confirm that *Deployment* and *Create a route to the application* are selected.
+. Add a unique name in the *Name* field. The value will be used to name the associated resources.
 
-. Click *Create*. It will take a few minutes for the pods to deploy.
+. Confirm that *Deployment* and *Create a route to the application* are selected.
 
-. Optional: You can check the status of the pods from the *Topology* pane. Click your *nodejs* app and review its sidebar. You must see that the `nodejs` build is complete, and that the `nodejs` pod is in a *Running* state to continue.
+. Click *Create* to deploy the application. It will take a few minutes for the pods to deploy.
 
-. When the deployment is complete, click the route location URL, which has a format similar to the following:
+. Optional: Check the status of the pods in the *Topology* pane by selecting your *nodejs* app and reviewing its sidebar. You must wait for the `nodejs` build to complete and for the `nodejs` pod to be in a *Running* state before continuing.
+
+. When the deployment is complete, click route URL for the application, which has a format similar to the following:
 +
 ----
-http://nodejs-<project>.<cluster_name>-<hash>.<region>.containers.appdomain.cloud
+http://nodejs-<project>.<cluster_name>.<hash>.<region>.openshiftapps.com/
 ----
 +
-
 A new tab in your browser opens with a message similar to the following.
 +
 ----
 Welcome to your Node.js application on OpenShift
 ----
 
-. Optional: To clean up the resources that you created, select *Administrator* from the perspective switcher, navigate to *Home* -> *Projects*, click your project's action menu, and click *Delete Project*.
+. Optional: Delete the application and clean up the resources that you created:
+.. In the *Administrator* perspective, navigate to *Home* -> *Projects*.
+.. Click the action menu for your project and select *Delete Project*.

modules/rosa-accessing-your-cluster.adoc

@@ -49,8 +49,12 @@ Any optional fields can be left empty and a default will be selected.
 ...
 ----
 +
-.. Follow the URL from the output. This creates a new OAuth application in the GitHub organization you specified.
-.. Click *Register application* to access your client ID and client secret.
+.. Follow the URL in the output and select *Register application* to register a new OAuth application in your GitHub organization. By registering the application, you enable the OAuth server that is built into ROSA to authenticate members of your GitHub organization into your cluster.
++
+[NOTE]
+====
+The fields in the *Register a new OAuth application* GitHub form are automatically filled with the required values through the URL that is defined by the `rosa` CLI tool.
+====
 .. Use the information from the GitHub application you created and continue the prompts. Enter the following values:
 +
 --

modules/rosa-create-objects.adoc

@@ -58,7 +58,7 @@ Create a cluster administrator that can log in to a cluster named `mycluster`:
 $ rosa create admin --cluster=mycluster
 ----
 
-[id="rosa-create-cluster_{context}"]
+[id="rosa-create-cluster-command_{context}"]
 == create cluster
 
 Create a new cluster.

modules/rosa-getting-started-access-cluster-web-console.adoc

@@ -0,0 +1,37 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-access-cluster-web-console_{context}"]
+= Accessing a cluster through the web console
+
+After you have created a cluster administrator user or added a user to your configured identity provider, you can log into your {product-title} (ROSA) cluster through the web console.
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+* You have created a cluster administrator user or added your user account to the configured identity provider.
+
+.Procedure
+
+. Obtain the console URL for your cluster:
++
+[source,terminal]
+----
+$ rosa describe cluster -c <cluster_name> | grep Console <1>
+----
+<1> Replace `<cluster_name>` with the name of your cluster.
++
+.Example output
+[source,terminal]
+----
+Console URL:                https://console-openshift-console.apps.example-cluster.wxyz.p1.openshiftapps.com
+----
+
+. Go to the console URL in the output of the preceding step and log in.
++
+* If you created a `cluster-admin` user, log in by using the provided credentials.
+* If you configured an identity provider for your cluster, select the identity provider name in the *Log in with...* dialog and complete any authorization requests that are presented by your provider.

modules/rosa-getting-started-configure-an-idp-and-grant-access.adoc

@@ -0,0 +1,10 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-configure-an-idp-and-grant-access_{context}"]
+= Configuring an identity provider and granting cluster access
+
+{product-title} (ROSA) includes a built-in OAuth server. After your ROSA cluster is created, you must configure OAuth to use an identity provider. You can then add members to your configured identity provider to grant them access to your cluster.
+
+You can also grant the identity provider users with `cluster-admin` or `dedicated-admin` privileges as required.

modules/rosa-getting-started-configure-an-idp.adoc

@@ -0,0 +1,93 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-configure-an-idp_{context}"]
+= Configuring an identity provider
+
+You can configure different identity provider types for your {product-title} (ROSA) cluster. Supported types include GitHub, GitHub Enterprise, GitLab, Google, LDAP, OpenID Connect and HTPassword identity providers.
+
+The following procedure configures a GitHub identity provider as an example.
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+* You have a GitHub user account.
+
+.Procedure
+
+. Go to link:https://github.com[github.com] and log in to your GitHub account.
+
+. If you do not have an existing GitHub organization to use for identity provisioning for your ROSA cluster, create one. Follow the steps in the link:https://docs.github.com/en/organizations/collaborating-with-groups-in-organizations/creating-a-new-organization-from-scratch[GitHub documentation].
+
+. Configure a GitHub identity provider for your cluster that is restricted to the members of your GitHub organization.
+.. Configure an identity provider using the interactive mode:
++
+[source,terminal]
+----
+$ rosa create idp --cluster=<cluster_name> --interactive <1>
+----
+<1> Replace `<cluster_name>` with the name of your cluster.
++
+.Example output
+[source,terminal]
+----
+I: Interactive mode enabled.
+Any optional fields can be left empty and a default will be selected.
+? Type of identity provider: github
+? Identity provider name: github-1
+? Restrict to members of: organizations
+? GitHub organizations: <github_org_name> <1>
+? To use GitHub as an identity provider, you must first register the application:
+  - Open the following URL:
+    https://github.com/organizations/<github_org_name>/settings/applications/new?oauth_application%5Bcallback_url%5D=https%3A%2F%2Foauth-openshift.apps.<cluster_name>/<random_string>.p1.openshiftapps.com%2Foauth2callback%2Fgithub-1&oauth_application%5Bname%5D=<cluster_name>&oauth_application%5Burl%5D=https%3A%2F%2Fconsole-openshift-console.apps.<cluster_name>/<random_string>.p1.openshiftapps.com
+  - Click on 'Register application'
+...
+----
+<1> Replace `<github_org_name>` with the name of your GitHub organization.
+.. Follow the URL in the output and select *Register application* to register a new OAuth application in your GitHub organization. By registering the application, you enable the OAuth server that is built into ROSA to authenticate members of your GitHub organization into your cluster.
++
+[NOTE]
+====
+The fields in the *Register a new OAuth application* GitHub form are automatically filled with the required values through the URL defined by the `rosa` CLI tool.
+====
+.. Use the information from your GitHub OAuth application page to populate the remaining `rosa create idp` interactive prompts.
++
+.Continued example output
+[source,terminal]
+----
+...
+? Client ID: <github_client_id> <1>
+? Client Secret: [? for help] <github_client_secret> <2>
+? GitHub Enterprise Hostname (optional):
+? Mapping method: claim <3>
+I: Configuring IDP for cluster '<cluster_name>'
+I: Identity Provider 'github-1' has been created.
+   It will take up to 1 minute for this configuration to be enabled.
+   To add cluster administrators, see 'rosa grant user --help'.
+   To login into the console, open https://console-openshift-console.apps.<cluster_name>.<random_string>.p1.openshiftapps.com and click on github-1.
+----
+<1> Replace `<github_client_id>` with the client ID for your GitHub OAuth application.
+<2> Replace `<github_client_secret>` with a client secret for your GitHub OAuth application.
+<3> Specify `claim` as the mapping method.
++
+[NOTE]
+====
+It might take approximately two minutes for the identity provider configuration to become active. If you have configured a `cluster-admin` user, you can watch the OAuth pods redeploy with the updated configuration by running `oc get pods -n openshift-authentication --watch`.
+====
+.. Enter the following command to verify that the identity provider has been configured correctly:
++
+[source,terminal]
+----
+$ rosa list idps --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+NAME        TYPE      AUTH URL
+github-1    GitHub    https://oauth-openshift.apps.<cluster_name>.<random_string>.p1.openshiftapps.com/oauth2callback/github-1
+----

modules/rosa-getting-started-create-cluster-admin-user.adoc

@@ -0,0 +1,69 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-create-cluster-admin-user_{context}"]
+= Creating a cluster administrator user for quick cluster access
+
+Before configuring an identity provider, you can create a user with `cluster-admin` privileges for immediate access to your {product-title} (ROSA) cluster.
+
+[NOTE]
+====
+The cluster administrator user is useful when you need quick access to a newly deployed cluster. However, Red Hat recommends that you configure an identity provider and grant cluster administrator privileges to the identity provider users as required. For more information about setting up an identity provider for your ROSA cluster, see _Configuring an identity provider and granting cluster access_.
+====
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+
+.Procedure
+
+. Create a cluster administrator user:
++
+[source,terminal]
+----
+$ rosa create admin --cluster=<cluster_name> <1>
+----
+<1> Replace `<cluster_name>` with the name of your cluster.
++
+.Example output
+[source,terminal]
+----
+W: It is recommended to add an identity provider to login to this cluster. See 'rosa create idp --help' for more information.
+I: Admin account has been added to cluster '<cluster_name>'.
+I: Please securely store this generated password. If you lose this password you can delete and recreate the cluster admin user.
+I: To login, run the following command:
+
+   oc login https://api.example-cluster.wxyz.p1.openshiftapps.com:6443 --username cluster-admin --password d7Rca-Ba4jy-YeXhs-WU42J
+
+I: It may take up to a minute for the account to become active.
+----
++
+[NOTE]
+====
+It might take approximately one minute for the `cluster-admin` user to become active.
+====
+
+. Log in to the cluster through the CLI:
+.. Run the command provided in the output of the preceding step to log in:
++
+[source,terminal]
+----
+$ oc login <api_url> --username cluster-admin --password <cluster_admin_password> <1>
+----
+<1> Replace `<api_url>` and `<cluster_admin_password>` with the API URL and cluster administrator password for your environment.
+.. Verify if you are logged in to the ROSA cluster as the `cluster-admin` user:
++
+[source,terminal]
+----
+$ oc whoami
+----
++
+.Example output
+[source,terminal]
+----
+cluster-admin
+----

modules/rosa-getting-started-deleting-a-cluster.adoc

@@ -0,0 +1,74 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-deleting-a-cluster_{context}"]
+= Deleting a ROSA cluster and the AWS STS resources
+
+You can delete a ROSA cluster that uses the AWS Security Token Service (STS) by using the ROSA CLI (`rosa`). You can also use the ROSA CLI to delete the AWS Identity and Access Management (IAM) account-wide roles, the cluster-specific Operator roles, and the OpenID Connect (OIDC) provider. To delete the account-wide inline and Operator policies, you can use the AWS IAM Console.
+
+[IMPORTANT]
+====
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+====
+
+.Prerequisites
+
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+
+.Procedure
+
+. Delete a cluster and watch the logs, replacing `<cluster_name>` with the name or ID of your cluster:
++
+[source, terminal]
+----
+$ rosa delete cluster --cluster=<cluster_name> --watch
+----
++
+[IMPORTANT]
+====
+You must wait for the cluster deletion to complete before you remove the IAM roles, policies, and OIDC provider. The account-wide roles are required to delete the resources created by the installer. The cluster-specific Operator roles are required to clean-up the resources created by the OpenShift Operators. The Operators use the OIDC provider to authenticate.
+====
+
+.  Delete the OIDC provider that the cluster Operators use to authenticate:
++
+[source,terminal]
+----
+$ rosa delete oidc-provider -c <cluster_id> --mode auto <1>
+----
+<1> Replace `<cluster_id>` with the ID of the cluster.
++
+[NOTE]
+====
+You can use the `-y` option to automatically answer yes to the prompts.
+====
+
+. Delete the cluster-specific Operator IAM roles:
++
+[source,terminal]
+----
+$ rosa delete operator-roles -c <cluster_id> --mode auto <1>
+----
+<1> Replace `<cluster_id>` with the ID of the cluster.
+
+. Delete the account-wide roles:
++
+[source,terminal]
+----
+$ rosa delete account-roles --prefix <prefix> --mode auto <1>
+----
+<1> You must include the `--<prefix>` argument. Replace `<prefix>` with the prefix of the account-wide roles to delete. If you did not specify a custom prefix when you created the account-wide roles, specify the default prefix, `ManagedOpenShift`.
++
+[IMPORTANT]
+====
+Account-wide IAM roles and policies might be used by other ROSA clusters in the same AWS account. You must only remove the resources if they are not required by other clusters.
+====
+
+. Delete the account-wide inline and Operator IAM policies that you created for ROSA deployments that use STS:
+.. Log in to the link:https://console.aws.amazon.com/iamv2/home#/home[AWS IAM Console].
+.. Navigate to *Access management* -> *Policies* and select the checkbox for one of the account-wide policies.
+.. With the policy selected, click on *Actions* -> *Delete* to open the delete policy dialog.
+.. Enter the policy name to confirm the deletion and select *Delete* to delete the policy.
+.. Repeat this step to delete each of the account-wide inline and Operator policies for the cluster.

modules/rosa-getting-started-enable-rosa.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-enable-rosa_{context}"]
+= Enabling ROSA in your AWS account
+
+Use the steps in this procedure to enable {product-title} (ROSA) in your AWS account.
+
+.Prerequisites
+
+* You created an AWS account.
++
+[NOTE]
+====
+Red Hat recommends the use of a dedicated AWS account to run production clusters. If you are using AWS Organizations, you can use an AWS account within your organization or link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_accounts_create.html#orgs_manage_accounts_create-new[create a new one].
+====
+
+.Procedure
+
+. Sign in to the https://console.aws.amazon.com/rosa/home[AWS Management Console].
+
+. Enable ROSA in your AWS account by navigating to the link:https://console.aws.amazon.com/rosa/home[ROSA service] and selecting *Enable OpenShift*.

modules/rosa-getting-started-environment-setup.adoc

@@ -0,0 +1,16 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-environment-setup_{context}"]
+= Setting up the environment
+
+Before you create a {product-title} (ROSA) cluster, you must set up your environment by completing the following tasks:
+
+* Enable ROSA in your AWS account
+* Install and configure the required CLI tools
+* Verify the configuration of the CLI tools
+* Verify that the AWS Elastic Load Balancing (ELB) service role exists
+* Verify that the required AWS resource quotas are available
+
+You can follow the procedures in this section to complete these setup requirements.

modules/rosa-getting-started-grant-admin-privileges.adoc

@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-grant-admin-privileges_{context}"]
+= Granting administrator privileges to a user
+
+After you have added a user to your configured identity provider, you can grant the user `cluster-admin` or `dedicated-admin` privileges for your {product-title} (ROSA) cluster.
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+* You have configured a GitHub identity provider for your cluster and added identity provider users.
+
+.Procedure
+
+* To configure `cluster-admin` privileges for an identity provider user:
+.. Grant the user `cluster-admin` privileges:
++
+[source,terminal]
+----
+$ rosa grant user cluster-admin --user=<idp_user_name> --cluster=<cluster_name> <1>
+----
+<1> Replace `<idp_user_name>` and `<cluster_name>` with the name of the identity provider user and your cluster name.
++
+.Example output
+[source,terminal]
+----
+I: Granted role 'cluster-admins' to user '<idp_user_name>' on cluster '<cluster_name>'
+----
+.. Verify if the user is listed as a member of the `cluster-admins` group:
++
+[source,terminal]
+----
+$ rosa list users --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+ID                 GROUPS
+<idp_user_name>    cluster-admins
+----
+
+* To configure `dedicated-admin` privileges for an identity provider user:
+.. Grant the user `dedicated-admin` privileges:
++
+[source,terminal]
+----
+$ rosa grant user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+I: Granted role 'dedicated-admins' to user '<idp_user_name>' on cluster '<cluster_name>'
+----
+.. Verify if the user is listed as a member of the `dedicated-admins` group:
++
+[source,terminal]
+----
+$ rosa list users --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+ID                 GROUPS
+<idp_user_name>    dedicated-admins
+----

modules/rosa-getting-started-grant-user-access.adoc

@@ -0,0 +1,25 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-grant-user-access_{context}"]
+= Granting user access to a cluster
+
+You can grant a user access to your {product-title} (ROSA) cluster by adding them to your configured identity provider.
+
+You can configure different types of identity providers for your ROSA cluster. The following example procedure adds a user to a GitHub organization that is configured for identity provision to the cluster.
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+* You have a GitHub user account.
+* You have configured a GitHub identity provider for your cluster.
+
+.Procedure
+
+. Navigate to link:https://github.com[github.com] and log in to your GitHub account.
+
+. Invite users that require access to the ROSA cluster to your GitHub organization. Follow the steps in link:https://docs.github.com/en/organizations/managing-membership-in-your-organization/inviting-users-to-join-your-organization[Inviting users to join your organization] in the GitHub documentation.

modules/rosa-getting-started-install-configure-cli-tools.adoc

@@ -0,0 +1,159 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-install-configure-cli-tools_{context}"]
+= Installing and configuring the required CLI tools
+
+Use the following steps to install and configure the AWS, {product-title} (ROSA) and OpenShift CLI tools on your workstation.
+
+.Prerequisites
+
+* You have an AWS account.
+* You created a Red Hat account.
++
+[NOTE]
+====
+You can create a Red Hat account by navigating to link:https://console.redhat.com[console.redhat.com] and selecting *Register for a Red Hat account*.
+====
+
+.Procedure
+
+. Install and configure the latest AWS CLI (`aws`).
+.. Follow the link:https://aws.amazon.com/cli/[AWS Command Line Interface] documentation to install and configure the AWS CLI for your operating system.
++
+Specify your `aws_access_key_id`, `aws_secret_access_key`, and `region` in the `.aws/credentials` file. See link:https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-quickstart.html[AWS Configuration basics] in the AWS documentation.
++
+[NOTE]
+====
+You can alternatively use the `AWS_DEFAULT_REGION` environment variable to set the default AWS region.
+====
+.. Query the AWS API to verify if the AWS CLI is installed and configured correctly:
++
+[source,terminal]
+----
+$ aws sts get-caller-identity
+----
++
+.Example output
+[source,terminal]
+----
+<aws_account_id>    arn:aws:iam::<aws_account_id>:user/<username>  <aws_user_id>
+----
+
+. Install and configure the latest ROSA CLI (`rosa`).
+.. Download the latest version of the `rosa` CLI for your operating system from the link:https://console.redhat.com/openshift/downloads[*Downloads*] page on the {OCM}.
+.. Extract the `rosa` binary file from the downloaded archive. The following example extracts the binary from a Linux tar archive:
++
+[source,terminal]
+----
+$ tar xvf rosa-linux.tar.gz
+----
+.. Add `rosa` to your path. In the following example, the `/usr/local/bin` directory is included in the path of the user:
++
+[source,terminal]
+----
+$ sudo mv rosa /usr/local/bin/rosa
+----
+.. Verify if the `rosa` CLI tool is installed correctly by querying the `rosa` version:
++
+[source,terminal]
+----
+$ rosa version
+----
++
+.Example output
+[source,terminal]
+----
+1.1.7
+----
++
+.. Optional: Generate the command completion scripts for the `rosa` CLI. The following example generates the Bash completion scripts for a Linux machine:
++
+[source,terminal]
+----
+$ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
+----
+.. Optional: Enable `rosa` command completion from your existing terminal. The following example enables Bash completion for `rosa` in an existing terminal on a Linux machine:
++
+[source,terminal]
+----
+$ source /etc/bash_completion.d/rosa
+----
+.. Log in to your Red Hat account by using the `rosa` CLI:
++
+[source,terminal]
+----
+$ rosa login
+----
++
+.Example output
+[source,terminal]
+----
+To login to your Red Hat account, get an offline access token at https://console.redhat.com/openshift/token/rosa
+? Copy the token and paste it here: 
+----
++
+Go to the URL listed in the command output to obtain an offline access token. Specify the token at the CLI prompt to log in.
++
+[NOTE]
+====
+You can subsequently specify the offline access token by using the `--token="<offline_access_token>"` argument when you run the `rosa login` command.
+====
+.. Verify if you are logged in successfully and check your credentials:
++
+[source,terminal]
+----
+$ rosa whoami
+----
++
+.Example output
+[source,terminal]
+----
+AWS Account ID:               <aws_account_number>
+AWS Default Region:           us-east-1
+AWS ARN:                      arn:aws:iam::<aws_account_number>:user/<aws_user_name>
+OCM API:                      https://api.openshift.com
+OCM Account ID:               <red_hat_account_id>
+OCM Account Name:             Your Name
+OCM Account Username:         you@domain.com
+OCM Account Email:            you@domain.com
+OCM Organization ID:          <org_id>
+OCM Organization Name:        Your organisation
+OCM Organization External ID: <external_org_id>
+----
++
+Check that the information in the output is correct before proceeding.
+
+. Install and configure the latest OpenShift CLI (`oc`).
+.. Use the `rosa` CLI to download the latest version of the `oc` CLI:
++
+[source,terminal]
+----
+$ rosa download openshift-client
+----
+.. Extract the `oc` binary file from the downloaded archive. The following example extracts the files from a Linux tar archive:
++
+[source,terminal]
+----
+$ tar xvf openshift-client-linux.tar.gz
+----
+.. Add the `oc` binary to your path. In the following example, the `/usr/local/bin` directory is included in the path of the user:
++
+[source,terminal]
+----
+$ sudo mv oc /usr/local/bin/oc
+----
+.. Verify if the `oc` CLI is installed correctly:
++
+[source,terminal]
+----
+$ rosa verify openshift-client
+----
++
+.Example output
+[source,terminal]
+----
+I: Verifying whether OpenShift command-line tool is available...
+I: Current OpenShift Client Version: 4.9.12
+----

modules/rosa-getting-started-prerequisites.adoc

@@ -0,0 +1,14 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-prerequisites_{context}"]
+= Prerequisites
+
+* You reviewed the xref:../rosa_architecture/rosa-understanding.adoc#rosa-understanding[introduction to {product-title} (ROSA)], and the documentation on ROSA xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-architecture-models[architecture models] and xref:../rosa_architecture/rosa-basic-architecture-concepts.adoc#rosa-basic-architecture-concepts[architecture concepts].
+
+* You read the documentation on xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[limits and scalability] and the xref:../rosa_planning/rosa-planning-environment.adoc#rosa-planning-environment[guidelines for planning your environment].
+
+* You reviewed the detailed xref:../rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS].
+
+* You have the xref:../rosa_getting_started_sts/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[AWS service quotas that are required to run a ROSA cluster].

modules/rosa-getting-started-revoke-admin-privileges.adoc

@@ -0,0 +1,73 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-revoke-admin-privileges_{context}"]
+= Revoking administrator privileges from a user
+
+Follow the steps in this section to revoke `cluster-admin` or `dedicated-admin` privileges from a user.
+
+.Prerequisites
+
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You created a ROSA cluster.
+* You have configured a GitHub identity provider for your cluster and added an identity provider user.
+* You granted `cluster-admin` or `dedicated-admin` privileges to a user.
+
+.Procedure
+
+* To revoke `cluster-admin` privileges from an identity provider user:
+.. Revoke the `cluster-admin` privilege:
++
+[source,terminal]
+----
+$ rosa revoke user cluster-admin --user=<idp_user_name> --cluster=<cluster_name> <1>
+----
+<1> Replace `<idp_user_name>` and `<cluster_name>` with the name of the identity provider user and your cluster name.
++
+.Example output
+[source,terminal]
+----
+? Are you sure you want to revoke role cluster-admins from user <idp_user_name> in cluster <cluster_name>? Yes
+I: Revoked role 'cluster-admins' from user '<idp_user_name>' on cluster '<cluster_name>'
+----
+.. Verify that the user is not listed as a member of the `cluster-admins` group:
++
+[source,terminal]
+----
+$ rosa list users --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+W: There are no users configured for cluster '<cluster_name>'
+----
+
+* To revoke `dedicated-admin` privileges from an identity provider user:
+.. Revoke the `dedicated-admin` privilege:
++
+[source,terminal]
+----
+$ rosa revoke user dedicated-admin --user=<idp_user_name> --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+? Are you sure you want to revoke role dedicated-admins from user <idp_user_name> in cluster <cluster_name>? Yes
+I: Revoked role 'dedicated-admins' from user '<idp_user_name>' on cluster '<cluster_name>'
+----
+.. Verify that the user is not listed as a member of the `dedicated-admins` group:
++
+[source,terminal]
+----
+$ rosa list users --cluster=<cluster_name>
+----
++
+.Example output
+[source,terminal]
+----
+W: There are no users configured for cluster '<cluster_name>'
+----

modules/rosa-getting-started-revoke-user-access.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-revoke-user-access_{context}"]
+= Revoking user access to a cluster
+
+You can revoke cluster access for an identity provider user by removing them from your configured identity provider.
+
+You can configure different types of identity providers for your ROSA cluster. The following example procedure revokes cluster access for a member of a GitHub organization that is configured for identity provision to the cluster.
+
+.Prerequisites
+
+* You have a ROSA cluster.
+* You have a GitHub user account.
+* You have configured a GitHub identity provider for your cluster and added an identity provider user.
+
+.Procedure
+
+. Navigate to link:https://github.com[github.com] and log in to your GitHub account.
+
+. Remove the user from your GitHub organization. Follow the steps in link:https://docs.github.com/en/organizations/managing-membership-in-your-organization/removing-a-member-from-your-organization[Removing a member from your organization] in the GitHub documentation.

modules/rosa-getting-started-revoking-admin-privileges-and-user-access.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-revoking-admin-privileges-and-user-access_{context}"]
+= Revoking administrator privileges and user access
+
+You can revoke `cluster-admin` or `dedicated-admin` privileges from a user by using the ROSA CLI (`rosa`).
+
+To revoke cluster access from a user, you must remove the user from your configured identity provider.
+
+Follow the procedures in this section to revoke administrator privileges or cluster access from a user.

modules/rosa-getting-started-verify-aws-quota.adoc

@@ -0,0 +1,30 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-verify-aws-quota_{context}"]
+= Verifying AWS quota availability
+
+Verify that the required resource quotas are available for your account in the default AWS region.
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+
+.Procedure
+
+. Verify if the required resource quotas are available in your default region:
++
+[source,terminal]
+----
+$ rosa verify quota
+----
++
+.Example output
+[source,terminal]
+----
+I: Validating AWS quota...
+I: AWS quota ok. If cluster installation fails, validate actual AWS resource usage against https://docs.openshift.com/rosa/rosa_getting_started/rosa-required-aws-service-quotas.html
+----

modules/rosa-getting-started-verify-elb-role.adoc

@@ -0,0 +1,47 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started/rosa-getting-started.adoc
+
+[id="rosa-getting-started-verify-elb-role_{context}"]
+= Creating the ELB service role
+
+Check if the `AWSServiceRoleForElasticLoadBalancing` AWS Elastic Load Balancing (ELB) service role exists and if not, create it.
+
+[NOTE]
+====
+`Error creating network Load Balancer: AccessDenied:` is produced if you attempt to create a {product-title} (ROSA) cluster without the AWS ELB service role in place.
+====
+
+.Prerequisites
+
+* You have an AWS account.
+* You installed and configured the latest AWS CLI (`aws`) on your workstation.
+
+.Procedure
+
+. Check if the `AWSServiceRoleForElasticLoadBalancing` role exists for your AWS account:
++
+[source,terminal]
+----
+$ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
+----
++
+.Example output
++
+The following example output confirms that the role exists:
++
+[source,terminal]
+----
+ROLE    arn:aws:iam::<aws_account_number>:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing  2018-09-27T19:49:23+00:00       Allows ELB to call AWS services on your behalf. 3600      /aws-service-role/elasticloadbalancing.amazonaws.com/   <role_id>   AWSServiceRoleForElasticLoadBalancing
+ASSUMEROLEPOLICYDOCUMENT        2012-10-17
+STATEMENT       sts:AssumeRole  Allow
+PRINCIPAL       elasticloadbalancing.amazonaws.com
+ROLELASTUSED    2022-01-06T09:27:57+00:00       us-east-1
+----
+
+. If the AWS ELB service role does not exist, create it:
++
+[source,terminal]
+----
+$ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
+----

modules/rosa-installing.adoc

@@ -65,14 +65,13 @@ Flags:
 Use "rosa [command] --help" for more information about a command.
 ----
 +
-.. Optional: You can run the `rosa completion` command to generate a bash completion file.
+.. Optional: Generate the command completion scripts for the `rosa` CLI. The following example generates the Bash completion scripts for a Linux machine:
 +
 [source,terminal]
 ----
-$ rosa completion > /etc/bash_completion.d/rosa
+$ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
 ----
-+
-Add this file to the correct location for your operating system. For example, on a Linux machine, run the following command to enable `rosa` bash completion:
+.. Optional: Enable `rosa` command completion from your existing terminal. The following example enables Bash completion for `rosa` in an existing terminal on a Linux machine:
 +
 [source,terminal]
 ----

modules/rosa-sts-creating-a-cluster-quickly.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * rosa_getting_started_sts/rosa_creating_a_cluster_with_sts/rosa-sts-creating-a-cluster-quickly.adoc
+// * rosa_getting_started/rosa-getting-started.adoc
 
 [id="rosa-sts-creating-cluster-using-defaults{context}"]
 = Creating a ROSA cluster with STS using the default options
@@ -9,22 +10,14 @@ Through the {product-title} CLI (`rosa`), you can quickly create an OpenShift cl
 
 Additionally, you can use `auto` mode to immediately create the required AWS Identity and Access Management (IAM) resources using the current AWS account. `auto` mode is used in the following procedure to immediately create the account-wide IAM roles and policies, including the Operator policies, as well as the OpenID Connect (OIDC) identity provider.
 
-[IMPORTANT]
-====
-Only public and AWS PrivateLink clusters are supported with STS. Regular private clusters (non-PrivateLink) are not available for use with STS.
-====
-
-[NOTE]
-====
-link:https://docs.aws.amazon.com/vpc/latest/userguide/vpc-sharing.html[AWS Shared VPCs] are not currently supported for ROSA installations.
-====
-
 .Prerequisites
 
 * You have completed the AWS prerequisites for ROSA with STS.
 * You have available AWS service quotas.
 * You have enabled the ROSA service in the AWS Console.
-* You have installed and configured the latest AWS, ROSA, and `oc` CLIs on your installation host.
+* You installed and configured the latest AWS (`aws`), ROSA (`rosa`), and OpenShift (`oc`) CLIs on your workstation.
+* You logged in to your Red Hat account by using the `rosa` CLI.
+* You verified that the AWS Elastic Load Balancing (ELB) service role exists in your AWS account.
 
 .Procedure
 

modules/rosa-sts-setting-up-environment.adoc

@@ -100,14 +100,13 @@ Flags:
 Use "rosa [command] --help" for more information about a command.
 ----
 +
-.. Optional: You can run the `rosa completion` command to generate a bash completion file.
+.. Generate the command completion scripts for the `rosa` CLI. The following example generates the Bash completion scripts for a Linux machine:
 +
 [source,terminal]
 ----
-$ rosa completion > /etc/bash_completion.d/rosa
+$ rosa completion bash | sudo tee /etc/bash_completion.d/rosa
 ----
-+
-Add this file to the correct location for your operating system. For example, on a Linux machine, run the following command to enable `rosa` bash completion:
+.. Source the scripts to enable `rosa` command completion from your existing terminal. The following example sources the Bash completion scripts for `rosa` on a Linux machine:
 +
 [source,terminal]
 ----

modules/scaling-cluster.adoc

@@ -1,17 +1,15 @@
-
 // Module included in the following assemblies:
 //
-// * assemblies/osd-quickstart.adoc
+// * osd_quickstart/osd-quickstart.adoc
 
 [id="scaling-cluster_{context}"]
 = Scaling your cluster
 
-// TODO: This writes out OCM, but there is an {OCM} attribute. Should that always be used instead?
-You can scale your {product-title} cluster from the OpenShift Cluster Manager (OCM).
+You can scale your {product-title} cluster from the {OCM}.
 
 .Procedure
 
-. From link:https://cloud.redhat.com/openshift[OCM], click on the cluster you want to resize.
+. From {console-redhat-com}, click on the cluster you want to resize.
 
 . Click *Actions* -> *Edit load balancers and persistent storage*
 .. Use the drop-down menu to select how many *Load balancers* you want to scale to.

rosa_getting_started/rosa-accessing-cluster.adoc

@@ -20,4 +20,4 @@ include::modules/rosa-create-dedicated-cluster-admins.adoc[leveloffset=+1]
 [id="additional-resources-cluster-access"]
 == Additional resources
 * xref:../rosa_getting_started/rosa-config-identity-providers.adoc#rosa-config-identity-providers[Configuring identity providers using the OCM console]
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-aws-prereqs.adoc

@@ -24,4 +24,4 @@ xref:../rosa_getting_started/rosa-required-aws-service-quotas.adoc#rosa-required
 == Additional resources
 * See xref:../rosa_planning/rosa-limits-scalability.adoc#initial-planning-considerations_rosa-limits-scalability[Intial Planning Considerations] for guidance on worker node count.
 * See xref:../rosa_policy/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red Hat OpenShift Service on AWS clusters] for information about how Red Hat site reliability engineering accesses ROSA clusters.
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-aws-privatelink-creating-cluster.adoc

@@ -1,7 +1,7 @@
-include::modules/attributes-openshift-dedicated.adoc[]
-:context: rosa-getting-started
 [id="rosa-aws-privatelink-creating-cluster"]
 = Creating an AWS PrivateLink cluster on ROSA
+include::modules/attributes-openshift-dedicated.adoc[]
+:context: rosa-aws-privatelink-creating-cluster
 
 toc::[]
 
@@ -17,6 +17,6 @@ xref:../rosa_getting_started/rosa-config-identity-providers.adoc#rosa-config-ide
 
 == Additional resources
 * xref:../rosa_getting_started/rosa-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites[AWS PrivateLink firewall prerequisites]
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]
 * xref:../rosa_getting_started/rosa-deleting-cluster.adoc#rosa-deleting-cluster[Deleting a ROSA cluster]
 * xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-architecture-models[ROSA architecture]

rosa_getting_started/rosa-config-aws-account.adoc

@@ -19,4 +19,4 @@ include::modules/rosa-configuring-aws-account.adoc[leveloffset=+1]
 
 * xref:../rosa_getting_started/rosa-aws-prereqs.adoc#prerequisites[AWS prerequisites]
 * xref:../rosa_getting_started/rosa-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas[Required AWS service quotas and requesting increases]
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-config-identity-providers.adoc

@@ -19,4 +19,4 @@ include::modules/config-openid-idp.adoc[leveloffset=+1]
 [id="additional-resources-idps"]
 == Additional resources
 * xref:../rosa_getting_started/rosa-accessing-cluster.adoc#rosa-accessing-cluster[Accessing a cluster]
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-creating-cluster.adoc

@@ -1,7 +1,7 @@
-include::modules/attributes-openshift-dedicated.adoc[]
-:context: rosa-getting-started
 [id="rosa-creating-cluster"]
 = Creating a ROSA cluster
+include::modules/attributes-openshift-dedicated.adoc[]
+:context: rosa-creating-cluster
 
 toc::[]
 
@@ -17,6 +17,6 @@ xref:../rosa_getting_started/rosa-config-identity-providers.adoc#rosa-config-ide
 
 == Additional resources
 
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]
 * xref:../rosa_getting_started/rosa-deleting-cluster.adoc#rosa-deleting-cluster[Deleting a ROSA cluster]
 * xref:../rosa_architecture/rosa-architecture-models.adoc#rosa-architecture-models[ROSA architecture]

rosa_getting_started/rosa-getting-started-workflow.adoc

@@ -1,22 +1,29 @@
+[id="rosa-understanding-the-deployment-workflow"]
+= Understanding the ROSA deployment workflow
 include::modules/attributes-openshift-dedicated.adoc[]
-
-[id="rosa-getting-started-workflow"]
-= Getting started workflow
-:context: rosa-getting-started-workflow
+:context: rosa-understanding-the-deployment-workflow
 
 toc::[]
 
-Follow this workflow to set up and access {product-title} (ROSA) clusters:
+Before you create a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS), you must complete the AWS prerequisites, verify that the required AWS service quotas are available, and set up your environment.
 
-. xref:../rosa_getting_started/rosa-aws-prereqs.adoc#prerequisites[Perform the AWS prerequisites].
-. xref:../rosa_getting_started/rosa-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas[Review the required AWS service quotas].
-. xref:../rosa_getting_started/rosa-config-aws-account.adoc#rosa-config-aws-account[Configure your AWS account].
-. xref:../rosa_getting_started/rosa-installing-rosa.adoc#rosa-installing-rosa[Install ROSA].
-. xref:../rosa_getting_started/rosa-creating-cluster.adoc#rosa-creating-cluster[Create a ROSA cluster] or xref:../rosa_getting_started/rosa-aws-privatelink-creating-cluster.adoc#rosa-aws-privatelink-creating-cluster[Create a ROSA cluster using AWS PrivateLink].
-. xref:../rosa_getting_started/rosa-accessing-cluster.adoc#rosa-accessing-cluster[Access a cluster].
+This document provides an overview of the ROSA with STS deployment workflow stages and refers to detailed resources for each stage.
 
+[id="rosa-overview-of-the-deployment-workflow"]
+== Overview of the ROSA deployment workflow
+
+You can follow the workflow stages outlined in this section to set up and access a {product-title} (ROSA) cluster.
+
+. xref:../rosa_getting_started/rosa-aws-prereqs.adoc#prerequisites[Perform the AWS prerequisites]. To deploy a ROSA cluster, your AWS account must meet the prerequisite requirements.
+. xref:../rosa_getting_started/rosa-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas[Review the required AWS service quotas]. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster.
+. xref:../rosa_getting_started/rosa-config-aws-account.adoc#rosa-config-aws-account[Configure your AWS account]. Before you create a ROSA cluster, you must enable ROSA in your AWS account, install and configure the AWS CLI (`aws`) tool, and verify the AWS CLI tool configuration.
+. xref:../rosa_getting_started/rosa-installing-rosa.adoc#rosa-installing-rosa[Install the ROSA and OpenShift CLI tools and verify the AWS servce quotas]. Install and configure the ROSA CLI (`aws`) and the OpenShift CLI (`oc`). You can verify if the required AWS resource quotas are available by using the ROSA CLI.
+. xref:../rosa_getting_started/rosa-creating-cluster.adoc#rosa-creating-cluster[Create a ROSA cluster] or xref:../rosa_getting_started/rosa-aws-privatelink-creating-cluster.adoc#rosa-aws-privatelink-creating-cluster[Create a ROSA cluster using AWS PrivateLink]. Use the ROSA CLI (`rosa`) to create a cluster. You can optionally create a ROSA cluster with AWS PrivateLink.
+. xref:../rosa_getting_started/rosa-accessing-cluster.adoc#rosa-accessing-cluster[Access a cluster]. You can configure an identity provider and grant cluster administrator privileges to the identity provider users as required. You can also access a newly deployed cluster quickly by configuring a `cluster-admin` user.
+. xref:../rosa_getting_started/rosa-deleting-access-cluster.adoc#rosa-deleting-access-cluster[Revoke access to a ROSA cluster for a user]. You can revoke access to a ROSA cluster from a user by using the ROSA CLI or the web console.
+. xref:../rosa_getting_started/rosa-deleting-cluster.adoc#rosa-deleting-cluster[Delete a ROSA cluster]. You can delete a ROSA cluster by using the ROSA CLI (`rosa`).
+
+[id="additional_resources_{context}"]
 == Additional resources
-* xref:../rosa_getting_started/rosa-config-identity-providers.adoc#rosa-config-identity-providers[Configuring identity providers using the OCM console]
-* xref:../rosa_getting_started/rosa-deleting-cluster.adoc#rosa-deleting-cluster[Deleting a cluster]
-* xref:../rosa_getting_started/rosa-deleting-access-cluster.adoc#rosa-deleting-access-cluster[Deleting access to a cluster]
-* xref:../rosa_getting_started/rosa-quickstart.adoc#rosa-getting-started[Command quick reference for creating clusters and users]
+
+* For information about using the ROSA deployment workflow to create a cluster that uses the AWS Security Token Service (STS), see xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow ].

rosa_getting_started/rosa-getting-started.adoc

@@ -0,0 +1,48 @@
+[id="rosa-getting-started"]
+= Getting started with {product-title}
+include::modules/attributes-openshift-dedicated.adoc[]
+:context: rosa-getting-started
+
+toc::[]
+
+Follow this getting started document to quickly create a {product-title} (ROSA) cluster, add users, deploy your first application, and learn how to scale and delete your cluster.
+
+You can create a ROSA cluster either with or without the AWS Security Token Service (STS). The procedures in this document enable you to create a cluster that uses AWS STS. For more information about using AWS STS with ROSA clusters, see xref:../rosa_architecture/rosa-understanding.adoc#rosa-using-sts_rosa-understanding[Using the AWS Security Token Service].
+
+include::modules/rosa-getting-started-prerequisites.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-environment-setup.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-enable-rosa.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-install-configure-cli-tools.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-verify-elb-role.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-verify-aws-quota.adoc[leveloffset=+2]
+include::modules/rosa-sts-creating-a-cluster-quickly.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-create-cluster-admin-user.adoc[leveloffset=+1]
+
+.Additional resource
+
+* For steps to log in to the ROSA web console, see xref:../rosa_getting_started/rosa-getting-started.adoc#rosa-getting-started-access-cluster-web-console_rosa-getting-started[Accessing a cluster through the web console]
+
+include::modules/rosa-getting-started-configure-an-idp-and-grant-access.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-configure-an-idp.adoc[leveloffset=+2]
+
+.Additional resource
+
+* For detailed steps to configure each of the supported identity provider types, see xref:../rosa_getting_started_sts/rosa-sts-config-identity-providers.adoc#rosa-sts-config-identity-providers[Configuring identity providers for STS]
+
+include::modules/rosa-getting-started-grant-user-access.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-grant-admin-privileges.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-access-cluster-web-console.adoc[leveloffset=+1]
+include::modules/deploy-app.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-revoking-admin-privileges-and-user-access.adoc[leveloffset=+1]
+include::modules/rosa-getting-started-revoke-admin-privileges.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-revoke-user-access.adoc[leveloffset=+2]
+include::modules/rosa-getting-started-deleting-a-cluster.adoc[leveloffset=+1]
+
+[id="additional-resources_{context}"]
+== Additional resources
+
+* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-understanding-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]
+
+* For information about setting up accounts and ROSA clusters without using AWS STS, see xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]
+
+* For documentation on upgrading your cluster, see xref:../upgrading/rosa-upgrading.adoc#rosa-upgrading[Upgrading ROSA clusters]

rosa_getting_started/rosa-installing-rosa.adoc

@@ -19,4 +19,4 @@ include::modules/rosa-installing.adoc[leveloffset=+1]
 
 * xref:../rosa_getting_started/rosa-aws-prereqs.adoc#prerequisites[AWS Prerequisites]
 * xref:../rosa_getting_started/rosa-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas[Required AWS service quotas and requesting increases]
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-quickstart.adoc

@@ -1,12 +1,11 @@
-include::modules/attributes-openshift-dedicated.adoc[]
-
-[id="rosa-getting-started"]
+[id="rosa-command-reference"]
 = Command quick reference for creating clusters and users
-:context: rosa-getting-started
+include::modules/attributes-openshift-dedicated.adoc[]
+:context: rosa-command-reference
 
 toc::[]
 
 include::modules/rosa-quickstart-instructions.adoc[leveloffset=+1]
 
 == Additional resources
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started/rosa-required-aws-service-quotas.adoc

@@ -1,6 +1,6 @@
-include::modules/attributes-openshift-dedicated.adoc[]
 [id="rosa-required-aws-service-quotas"]
 = Required AWS service quotas
+include::modules/attributes-openshift-dedicated.adoc[]
 :context: rosa-required-aws-service-quotas
 
 toc::[]
@@ -14,4 +14,4 @@ include::modules/rosa-required-aws-service-quotas.adoc[leveloffset=+1]
 
 == Additional resources
 
-* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]

rosa_getting_started_sts/rosa-sts-accessing-cluster.adoc

@@ -16,4 +16,4 @@ include::modules/rosa-create-dedicated-cluster-admins.adoc[leveloffset=+1]
 
 == Additional resources
 * xref:../rosa_getting_started_sts/rosa-sts-config-identity-providers.adoc#rosa-sts-config-identity-providers[Configuring identity providers using the OCM console]
-* xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-understanding-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]

rosa_getting_started_sts/rosa-sts-config-identity-providers.adoc

@@ -1,6 +1,6 @@
-include::modules/attributes-openshift-dedicated.adoc[]
 [id="rosa-sts-config-identity-providers"]
 = Configuring identity providers for STS
+include::modules/attributes-openshift-dedicated.adoc[]
 :context: rosa-sts-config-identity-providers
 
 toc::[]
@@ -19,4 +19,4 @@ include::modules/config-openid-idp.adoc[leveloffset=+1]
 [id="additional-resources-cluster-access-sts"]
 == Additional resources
 * xref:../rosa_getting_started_sts/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Accessing a cluster]
-* xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-getting-started-workflow[Getting started workflow]
+* xref:../rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc#rosa-sts-understanding-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]

rosa_getting_started_sts/rosa-sts-getting-started-workflow.adoc

@@ -1,26 +1,30 @@
+[id="rosa-sts-understanding-the-deployment-workflow"]
+= Understanding the ROSA with STS deployment workflow
 include::modules/attributes-openshift-dedicated.adoc[]
-
-[id="rosa-sts-getting-started-workflow"]
-= Getting started using STS workflow
-:context: rosa-sts-getting-started-workflow
+:context: rosa-sts-overview-of-the-deployment-workflow
 
 toc::[]
 
-[id="rosa-getting-started-rosa-sts"]
-== Getting started with ROSA using STS
+Before you create a {product-title} (ROSA) cluster, you must complete the AWS prerequisites, verify that the required AWS service quotas are available, and set up your environment.
 
-The Amazon Web Services (AWS) Security Token Service (STS) is a global web service that provides short-term credentials for IAM or federated users. You can use AWS STS with {product-title} (ROSA) to allocate temporary, limited-privilege credentials for component-specific IAM roles. The service enables cluster components to make AWS API calls using secure cloud resource management practices.
+This document provides an overview of the ROSA with STS deployment workflow stages and refers to detailed resources for each stage.
 
-Follow this workflow to set up and access {product-title} (ROSA) clusters using AWS security token service (STS).
+[id="rosa-sts-overview-of-the-deployment-workflow"]
+== Overview of the ROSA with STS deployment workflow
 
-. xref:../rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[Complete the AWS prerequisites for ROSA with STS].
-. xref:../rosa_getting_started_sts/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Review the required AWS service quotas].
-. xref:../rosa_getting_started_sts/rosa-sts-setting-up-environment.adoc#rosa-sts-setting-up-environment[Set up the environment and install ROSA using STS].
-. xref:../rosa_getting_started_sts/rosa_creating_a_cluster_with_sts/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a ROSA cluster with STS quickly] or xref:../rosa_getting_started_sts/rosa_creating_a_cluster_with_sts/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations].
-. xref:../rosa_getting_started_sts/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Access a cluster].
+The AWS Security Token Service (STS) is a global web service that provides short-term credentials for IAM or federated users. You can use AWS STS with {product-title} (ROSA) to allocate temporary, limited-privilege credentials for component-specific IAM roles. The service enables cluster components to make AWS API calls using secure cloud resource management practices.
 
-[id="additional_resources_rosa-sts-getting-started-workflow"]
+You can follow the workflow stages outlined in this section to set up and access a ROSA cluster that uses STS.
+
+. xref:../rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[Complete the AWS prerequisites for ROSA with STS]: To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements.
+. xref:../rosa_getting_started_sts/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Review the required AWS service quotas]. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster.
+. xref:../rosa_getting_started_sts/rosa-sts-setting-up-environment.adoc#rosa-sts-setting-up-environment[Set up the environment and install ROSA using STS]. Before you create a ROSA with STS cluster, you must enable ROSA in your AWS account, install and configure the required CLI tools, and verify the configuration of the CLI tools. You must also verify that the AWS Elastic Load Balancing (ELB) service role exists and that the required AWS resource quotas are available.
+. xref:../rosa_getting_started_sts/rosa_creating_a_cluster_with_sts/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a ROSA cluster with STS quickly] or xref:../rosa_getting_started_sts/rosa_creating_a_cluster_with_sts/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations]. Use the ROSA CLI (`rosa`) to create a cluster with STS. You can create a cluster by using the default options or you can apply customizations to suit the needs of your organization.
+. xref:../rosa_getting_started_sts/rosa-sts-accessing-cluster.adoc#rosa-sts-accessing-cluster[Access your cluster]. You can configure an identity provider and grant cluster administrator privileges to the identity provider users as required. You can also access a newly deployed cluster quickly by configuring a `cluster-admin` user.
+. xref:../rosa_getting_started_sts/rosa-sts-deleting-access-cluster.adoc#rosa-sts-deleting-access-cluster[Revoke access to a ROSA cluster for a user]. You can revoke access to a ROSA with STS cluster from a user by using the ROSA CLI or the web console.
+. xref:../rosa_getting_started_sts/rosa-sts-deleting-cluster.adoc#rosa-sts-deleting-cluster[Delete a ROSA cluster]. You can delete a ROSA with STS cluster by using the ROSA CLI (`rosa`). After deleting a cluster, you can delete the STS resources by using the AWS Identity and Access Management (IAM) Console.
+
+[id="additional_resources_{context}"]
 == Additional resources
-* xref:../rosa_getting_started_sts/rosa-sts-config-identity-providers.adoc#rosa-sts-config-identity-providers[Configure identity providers using the OCM console]
-* xref:../rosa_getting_started_sts/rosa-sts-deleting-cluster.adoc#rosa-sts-deleting-cluster[Deleting a cluster]
-* xref:../rosa_getting_started_sts/rosa-sts-deleting-access-cluster.adoc#rosa-sts-deleting-access-cluster[Deleting access to a cluster]
+
+* For information about using the ROSA deployment workflow to create a cluster that does not use AWS STS, see xref:../rosa_getting_started/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow].

rosa_quick_start/images

@@ -0,0 +1 @@
+../images

rosa_quick_start/modules

@@ -0,0 +1 @@
+../modules