Merge pull request #82601 from eohartman/osdocs-11794-2

bmcelvee · web-flow · commit 675f07a629b9 · 2024-10-03T08:59:37.000-04:00
OSDOCS-11794: ROSA CLI security refinements adding CLI output examples - UPDATE
diff --git a/modules/rosa-sts-account-wide-roles-and-policies.adoc b/modules/rosa-sts-account-wide-roles-and-policies.adoc
@@ -730,6 +730,44 @@ The account number present in the `sts_installer_trust_policy.json` and `sts_sup
 ----
 ====
 
+[discrete]
+[id="rosa-sts-account-wide-roles-and-policies-example-cli-output-for-policies-attached-to-a-role_{context}"]
+==== Example CLI output for policies attached to a role 
+
+When a policy is attached to a role, the ROSA CLI displays a confirmation output. The output depends on the type of policy.
+
+* If the policy is a trust policy, the ROSA CLI outputs the role name and the content of the policy.
+** For the target role with policy attached, ROSA CLI outputs the role name and the console URL of the target role. 
++
+.Target role with policy attached example output
+[source,terminal]
+----
+I: Attached trust policy to role 'testrole-Worker-Role(https://console.aws.amazon.com/iam/home?#/roles/testrole-Worker-Role)': ******************
+----
++
+** If the attached policy is a trust policy, the ROSA CLI outputs the content of this policy.
++
+.Trust policy example output
+[source,terminal]
+----
+I: Attached trust policy to role 'test-Support-Role': {"Version": "2012-10-17", "Statement": [{"Action": ["sts:AssumeRole"], "Effect": "Allow", "Principal": {"AWS": ["arn:aws:iam::000000000000:role/RH-Technical-Support-00000000"]}}]} 
+----
+* If the policy is a permission policy, the ROSA CLI outputs the name and public link of this policy or the ARN depending on whether or not the policy is an AWS managed policy or customer-managed policy.
+** If the attached policy is an AWS managed policy, the ROSA CLI outputs the name and public link of this policy and the role it is attached to.
++
+.AWS managed policy example output
+[source,terminal]
+----
+I: Attached policy 'ROSASRESupportPolicy(https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASRESupportPolicy)' to role 'test-HCP-ROSA-Support-Role(https://console.aws.amazon.com/iam/home?#/roles/test-HCP-ROSA-Support-Role)' 
+----
+** If the attached policy is an AWS managed policy, the ROSA CLI outputs the name and public link of this policy and the role it is attached to.
++
+.Customer-managed policy example output
+[source,terminal]
+----
+I: Attached policy 'arn:aws:iam::000000000000:policy/testrole-Worker-Role-Policy' to role 'testrole-Worker-Role(https://console.aws.amazon.com/iam/home?#/roles/testrole-Worker-Role)' 
+----
+
 .ROSA Ingress Operator IAM policy and policy file
 [cols="1,2",options="header"]
 |===
