Merge pull request #82546 from openshift-cherrypick-robot/cherry-pick-80701-to-enterprise-4.17

[enterprise-4.17] : Add section for new roles for short lived credentials

Author: bscott-rh

modules/installation-gcp-service-account.adoc

@@ -33,8 +33,6 @@ While making the service account an owner of the project is the easiest way to g
 . You can create the service account key in JSON format, or attach the service account to a GCP virtual machine.
 See link:https://cloud.google.com/iam/docs/creating-managing-service-account-keys#creating_service_account_keys[Creating service account keys] and link:https://cloud.google.com/compute/docs/access/create-enable-service-accounts-for-instances[Creating and enabling service accounts for instances] in the GCP documentation.
 +
-You must have a service account key or a virtual machine with an attached service account to create the cluster.
-+
 [NOTE]
 ====
 If you use a virtual machine with an attached service account to create your cluster, you must set `credentialsMode: Manual` in the `install-config.yaml` file before installation.

modules/minimum-required-permissions-ipi-gcp.adoc

@@ -186,6 +186,12 @@ If your organization’s security policies require a more restrictive set of per
 * `iam.roles.get`
 ====
 
+.Required permissions when authenticating without a service account key
+[%collapsible]
+====
+* `iam.serviceAccounts.signBlob`
+====
+
 .Optional Images permissions for installation
 [%collapsible]
 ====

modules/minimum-required-permissions-upi-gcp.adoc

@@ -187,6 +187,12 @@ If your organization’s security policies require a more restrictive set of per
 * `iam.roles.get`
 ====
 
+.Required permissions when authenticating without a service account key
+[%collapsible]
+====
+* `iam.serviceAccounts.signBlob`
+====
+
 .Required Images permissions for installation
 [%collapsible]
 ====