OSDOCS-282 context for cluster credentials

modules/installation-aws-iam-user.adoc

@@ -21,7 +21,17 @@ procedure in the AWS documentation, set the following options:
 . Specify the IAM user name and select `Programmatic access`.
 
 . Attach the `AdministratorAccess` policy to ensure that the account has
-sufficient permission to create the cluster.
+sufficient permission to create the cluster. This policy provides the cluster
+with the ability to grant credentials to each {product-title} component. The
+cluster grants the components only the credentials that they require.
++
+[NOTE]
+====
+While it is possible to create a policy that grants the all of the required
+AWS permissions and attach it to the user, this is not the preferred option.
+The cluster will not have the ability to grant additional credentials to
+individual components, so the same credentials are used by all components.
+====
 
 . Optionally, add metadata to the user by attaching tags.
 

modules/installation-aws-permissions.adoc

@@ -7,7 +7,7 @@
 
 When you attach the `AdministratorAccess` policy to the IAM user that you create,
 you grant that user all of the required permissions. To deploy a {project-title}
-cluster, the IAM user:
+cluster, the IAM user requires the following permissions:
 
 .EC2 roles required to launch nodes
 [cols="2a,2a,2a,5a",options="header"]

modules/installation-launching-installer.adoc

@@ -46,6 +46,13 @@ Provide values at the prompts:
 --
 endif::[]
 +
+[NOTE]
+====
+If the AWS account that you configured on your host does not have sufficient
+permissions to deploy the cluster, the installation process stops, and the
+missing permissions are displayed.
+====
++
 When the cluster deployment completes, directions for accessing your cluster,
 including a link to its web console and credentials for the `kubeadmin` user,
 display in your terminal.