OSDOCS-3371: Add roles and managed policy reference

Author: bmcelvee

_topic_maps/_topic_map_rosa.yml

@@ -692,6 +692,8 @@ Topics:
   File: using-service-accounts-as-oauth-client
 - Name: Assuming an AWS IAM role for a service account
   File: assuming-an-aws-iam-role-for-a-service-account
+- Name: Roles and AWS managed policy reference
+  File: rosa-managed-policy-reference
 - Name: Scoping tokens
   File: tokens-scoping
 - Name: Using bound service account tokens

_topic_maps/_topic_map_rosa_hcp.yml

@@ -525,6 +525,8 @@ Topics:
   File: using-service-accounts-as-oauth-client
 - Name: Assuming an AWS IAM role for a service account
   File: assuming-an-aws-iam-role-for-a-service-account
+- Name: Roles and AWS managed policy reference
+  File: rosa-managed-policy-reference
 - Name: Scoping tokens
   File: tokens-scoping
 - Name: Using bound service account tokens

authentication/rosa-aws-managed-policy-reference.adoc

@@ -0,0 +1,27 @@
+:_mod-docs-content-type: ASSEMBLY
+[id="rosa-aws-managed-policy-reference"]
+= AWS roles and managed policy reference 
+include::_attributes/common-attributes.adoc[]
+:context: rosa-aws-managed-policy-reference
+
+toc::[]
+
+The roles and policies used by {product-title} (ROSA)
+can be divided into account-wide roles and policies and Operator roles and policies.
+
+The policies determine the allowed actions for each of the roles.
+ifdef::openshift-rosa[]
+See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources] for more details about the individual roles and policies. See xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[ROSA IAM role resource] for more details about trust policies.
+endif::openshift-rosa[]
+ifdef::openshift-rosa-hcp[]
+See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources] for more details about the individual roles and policies. See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-hcp-prepare-iam-roles-resources[Required IAM roles and resources] for more details on preparing these resources in your cluster.
+endif::openshift-rosa-hcp[]
+
+link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS managed policies] are created and administered by AWS. The permissions defined within the AWS managed policies cannot be changed. They are used as part of the AWS STS security process that you can use to assign permissions to users, groups, and roles.
+
+[NOTE]
+====
+If the permissions defined in an AWS managed policy are updated by AWS, the update will apply to all users, groups, and roles related to the policy. 
+====
+
+include::modules/rosa-roles-and-policies.adoc[leveloffset=+1]

modules/rosa-roles-and-policies.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * authentication/rosa-hcp-aws-managed-policy-reference.adoc
+
+:_mod-docs-content-type: REFERENCE
+[id="rosa-roles-and-policies_{context}"]
+= ROSA roles and AWS managed policies
+
+.Account-wide roles
+
+ifdef::openshift-rosa-hcp[]
+* `<prefix>-HCP-ROSA-Worker-Role`
+* `<prefix>-HCP-ROSA-Support-Role`
+* `<prefix>-HCP-ROSA-Installer-Role`
+endif::openshift-rosa-hcp[]
+
+ifdef::openshift-rosa[]
+* `<prefix>-ROSA-Worker-Role`
+* `<prefix>-ROSA-Support-Role`
+* `<prefix>-ROSA-Installer-Role`
+endif::openshift-rosa[]
+
+.Account-wide AWS-managed policies
+
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAInstallerPolicy.html[ROSAInstallerPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAWorkerInstancePolicy.html[ROSAWorkerInstancePolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSASRESupportPolicy.html[ROSASRESupportPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAIngressOperatorPolicy.html[ROSAIngressOperatorPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAAmazonEBSCSIDriverOperatorPolicy.html[ROSAAmazonEBSCSIDriverOperatorPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSACloudNetworkConfigOperatorPolicy.html[ROSACloudNetworkConfigOperatorPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAControlPlaneOperatorPolicy.html[ROSAControlPlaneOperatorPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAImageRegistryOperatorPolicy.html[ROSAImageRegistryOperatorPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKMSProviderPolicy.html[ROSAKMSProviderPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAKubeControllerPolicy.html[ROSAKubeControllerPolicy]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSAManageSubscription.html[ROSAManageSubscription]
+* link:https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ROSANodePoolManagementPolicy.html[ROSANodePoolManagementPolicy]
+
+.Operator roles are:
+
+Certain policies are used by the cluster Operator roles, listed below. The Operator roles are created in a second step because they are dependent on an existing cluster name and cannot be created at the same time as the account-wide roles.
+
+* <operator_role_prefix>-openshift-cluster-csi-drivers-ebs-cloud-credentials
+* <operator_role_prefix>-openshift-cloud-network-config-controller-cloud-credentials
+* <operator_role_prefix>-openshift-machine-api-aws-cloud-credentials
+* <operator_role_prefix>-openshift-cloud-credential-operator-cloud-credentials
+* <operator_role_prefix>-openshift-image-registry-installer-cloud-credentials
+* <operator_role_prefix>-openshift-ingress-operator-cloud-crede
+
+ [NOTE]
+ ====
+ Trust policies are created for each account-wide role and each Operator role.
+====