STS | Update Docs
Signed-off-by: shirady <[email protected]>
shirady committed Aug 18, 2024
1 parent e2a4fb9 commit ac74f31
Showing 2 changed files with 3 additions and 0 deletions.
1 change: 1 addition & 0 deletions doc/dev_guide/create_aws_role.sh
Expand Up @@ -26,6 +26,7 @@ AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
# The OIDC provider is in the structure:
# 1) <OIDC-bucket>.s3.<aws-region>.amazonaws.com. for OIDC bucket configurations are in an S3 public bucket
# 2) `<characters>.cloudfront.net` for OIDC bucket configurations in an S3 private bucket with a public CloudFront distribution URL
# 3) OIDC Endpoint URL for ROSA HCP clusters without https:// (example oidc.os1.devshift.org/<characters>)
OIDC_PROVIDER=$(oc get authentication cluster -ojson | jq -r .spec.serviceAccountIssuer | sed -e "s/^https:\/\///")
# the permission (S3 full access)
POLICY_ARN_STRINGS="arn:aws:iam::aws:policy/AmazonS3FullAccess"
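Review bot: item 3 in the OIDC provider comment list is phrased differently from items 1 and 2, and "for ROSA HCP clusters without https://" can be read as describing the clusters rather than the value. Items 1 and 2 give the shape of the value first and then the case it applies to; the same order would be clearer here, for example `# 3) <OIDC-endpoint-host>/<characters> for ROSA HCP clusters (the OIDC endpoint URL with the https:// prefix removed, example oidc.os1.devshift.org/<characters>)`. It would also help to say that the `sed` on the `OIDC_PROVIDER` line below already strips `https://`, so a reader knows the value does not have to be edited by hand. While touching this list, items 1 and 2 could use the same quoting (item 2 has backticks, item 1 does not and ends in a stray period after `amazonaws.com`).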
2 changes: 2 additions & 0 deletions doc/dev_guide/troubleshoot_sts_cluster.md
Expand Up @@ -41,6 +41,8 @@ aws sts assume-role-with-web-identity --role-arn <role-ARN> --role-session-name

You should see in the output the credentials (which includes the `AccessKeyId`, `SecretAccessKey`, and `SessionToken` - output example is in file `doc/dev_guide/create_aws_sts_setup_on_minikube.md`, but in case the role is wrong you'll see still `AccessDenied`, so you can create a new role with the script and test it.

Note: if this invalid role was sent as a part of OCP cluster you would need to update the subscription that have this environment variable: in odf-operator and mcg-operator subscriptions (in both of them - either in the UI or editing the YAMLs), search for the ROLEARN env name and update the value.

#### 2) Cluster configurations

```
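Review bot: the new Note stops at "update the value" and gives no step to confirm that the corrected role is actually in use. Suggest ending it with a pointer back to the `aws sts assume-role-with-web-identity` check earlier in this section, so the reader re-tests after editing the odf-operator and mcg-operator subscriptions, and stating whether anything further is needed for the operators to pick up the new value. Wording: "the subscription that have" should be "the subscriptions that have", "as a part of OCP cluster" reads better as "as part of an OCP cluster", and `ROLEARN` should be in backticks like `AccessKeyId` in the paragraph above. That paragraph also has an unclosed parenthesis after "the credentials (which includes"; closing it in the same change would be welcome.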