OSDOCS-3613: Add STS snippet

Author: bmcelvee

rosa_architecture/rosa-understanding.adoc

@@ -19,7 +19,9 @@ You receive OpenShift updates with new feature releases and a shared, common sou
 [id="rosa-understanding-credential-modes_{context}"]
 == Credential modes
 
-There are two supported credential modes for ROSA clusters. One uses the AWS Secure Token Service (STS), which is recommended, and the other uses Identity Access Management (IAM) roles.
+include::snippets/rosa-sts.adoc[]
+
+There are two supported credential modes for ROSA clusters. One uses the AWS Security Token Service (STS), which is recommended, and the other uses Identity Access Management (IAM) roles.
 
 [id="rosa-understanding-aws-sts_{context}"]
 === ROSA with STS
@@ -30,6 +32,12 @@ You can use the `rosa` CLI to create the IAM role, policy, and identity provider
 
 AWS STS aligns with principles of least privilege and secure practices in cloud service resource management. The `rosa` CLI manages the STS credentials that are assigned for unique tasks and takes action upon AWS resources as part of OpenShift functionality. One limitation of using STS is that roles must be created for each ROSA cluster.
 
+The STS credential mode is more secure because:
+
+- It supports an explicit and limited set of roles and policies that you create ahead of time, and tracks every permission asked for and every role used.
+- The service is limited to the set permissions.
+- When the service is run, it obtains credentials that expire in one hour, so there is no need to rotate or revoke credentials. The expiration also reduces the risks of credentials leaking and being reused.
+
 A listing of the account-wide and per-cluster roles is provided in xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for ROSA clusters that use STS].
 
 [id="rosa-understanding-aws-without-sts_{context}"]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-accessing-cluster.adoc

@@ -10,6 +10,8 @@ As a best practice, access your {product-title} (ROSA) cluster using an identity
 
 This document describes how to access a cluster and set up an IDP using the `rosa` CLI. Alternatively, you can set up an IDP account using {cluster-manager} console.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-accessing-your-cluster-quick.adoc[leveloffset=+1]
 
 include::modules/rosa-accessing-your-cluster.adoc[leveloffset=+1]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc

@@ -11,6 +11,8 @@ toc::[]
 
 You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements].
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-aws-understand.adoc[leveloffset=+1]
 include::modules/rosa-aws-requirements.adoc[leveloffset=+1]
 include::modules/rosa-aws-procedure.adoc[leveloffset=+1]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-config-aws-account.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 After you complete the AWS prerequisites, configure your AWS account and enable the {product-title} (ROSA) service.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-configuring-aws-account.adoc[leveloffset=+1]
 
 [id="next-steps_rosa-config-aws-account"]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-config-identity-providers.adoc

@@ -10,6 +10,8 @@ After your {product-title} (ROSA) cluster is created, you must configure identit
 
 The following topics describe how to configure an identity provider using {cluster-manager} console. Alternatively, you can use the `rosa` CLI to create an identity provider and access the cluster.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/understanding-idp.adoc[leveloffset=+1]
 include::modules/config-github-idp.adoc[leveloffset=+1]
 include::modules/config-gitlab-idp.adoc[leveloffset=+1]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-creating-cluster.adoc

@@ -10,6 +10,8 @@ After you set up your environment and install {product-title} (ROSA), create a c
 
 This document describes how to set up a ROSA cluster. Alternatively, you can create a ROSA cluster with AWS PrivateLink.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-creating-cluster.adoc[leveloffset=+1]
 
 == Next steps

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-deleting-access-cluster.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 Delete access to a {product-title} (ROSA) cluster using the `rosa` command-line.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-delete-dedicated-admins.adoc[leveloffset=+1]
 
 include::modules/rosa-delete-cluster-admins.adoc[leveloffset=+1]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-deleting-cluster.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 Delete a {product-title} (ROSA) cluster using the `rosa` command-line.
 
+include::snippets/rosa-sts.adoc[]
+
 [id="prerequisites_rosa-deleting-cluster"]
 == Prerequisites
 

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc

@@ -10,6 +10,8 @@ Before you create a {product-title} (ROSA) cluster that uses the AWS Security To
 
 This document provides an overview of the ROSA with STS deployment workflow stages and refers to detailed resources for each stage.
 
+include::snippets/rosa-sts.adoc[]
+
 [id="rosa-overview-of-the-deployment-workflow"]
 == Overview of the ROSA deployment workflow
 

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.adoc

@@ -8,6 +8,9 @@ toc::[]
 
 After you configure your AWS account, install {product-title} (ROSA).
 
+
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-installing.adoc[leveloffset=+1]
 
 [id="next-steps_rosa-installing-rosa"]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-quickstart.adoc

@@ -6,6 +6,8 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-quickstart-instructions.adoc[leveloffset=+1]
 
 [role="_additional-resources"]

rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-required-aws-service-quotas.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 Review this list of the required Amazon Web Service (AWS) service quotas that are required to run an {product-title} cluster.
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-required-aws-service-quotas.adoc[leveloffset=+1]
 
 == Next steps

rosa_planning/rosa-sts-aws-prereqs.adoc

@@ -9,6 +9,8 @@ toc::[]
 
 {product-title} (ROSA) provides a model that allows Red Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account.
 
+include::snippets/rosa-sts.adoc[]
+
 Ensure that the following AWS prerequisites are met before installing ROSA with STS.
 
 include::modules/rosa-aws-understand.adoc[leveloffset=+1]

rosa_planning/rosa-sts-setting-up-environment.adoc

@@ -8,6 +8,8 @@ toc::[]
 
 After you meet the AWS prerequisites, set up your environment and install {product-title} (ROSA).
 
+include::snippets/rosa-sts.adoc[]
+
 include::modules/rosa-sts-setting-up-environment.adoc[leveloffset=+1]
 
 [id="next-steps_rosa-sts-setting-up-environment"]

snippets/rosa-sts.adoc

@@ -0,0 +1,6 @@
+//The STS credential method has been identified as the path forward for installing and interacting with ROSA clusters. This snippet is intended to guide users in using the STS credential mode.
+
+[TIP]
+====
+AWS Security Token Service (STS) is the recommended credential mode for installing and interacting with clusters on Red Hat OpenShift Service on AWS (ROSA) because it provides enhanced security.
+====