openshift · EricPonvelle · Mar 30, 2026 · Mar 27, 2026
diff --git a/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc b/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc
@@ -15,7 +15,7 @@ endif::[]
 = Creating the account-wide STS roles and policies
 
 [role="_abstract"]
-Before you create your {product-title} cluster, you must create the required account-wide roles and policies.
+Account-wide roles, like,  `account-roles` in the {rosa-cli-first} are required to create or manage {product-title} clusters. Create these roles by using the {rosa-cli} (`rosa`), regardless of whether you typically use {cluster-manager} or the {rosa-cli} to create and manage your clusters. Before you create your {product-title} cluster, you must create the required account-wide roles and policies.
 
 [NOTE]
 ====
@@ -79,4 +79,4 @@ For more information regarding AWS managed IAM policies for {product-title}, see
 
 ifeval::["{context}" == "rosa-hcp-egress-zero-install"]
 :!egress-lockdown:
-endif::[]
+endif::[]
diff --git a/modules/rosa-operator-config.adoc b/modules/rosa-operator-config.adoc
@@ -22,7 +22,7 @@ When you deploy a {product-title} cluster, you must create the Operator IAM role
 
 .Procedure
 
-. To create your Operator roles, run the following command:
+* To create your Operator roles, run the following command:
 +
 [source,terminal]
 ----

diff --git a/modules/rosa-sts-byo-oidc.adoc b/modules/rosa-sts-byo-oidc.adoc
@@ -21,7 +21,7 @@ endif::[]
 = Creating an OpenID Connect configuration
 
 [role="_abstract"]
-When creating a {product-title} cluster, you can create the OpenID Connect (OIDC) configuration before creating your cluster. This configuration is registered to be used with {cluster-manager}.
+{product-title} clusters use OIDC and the AWS Security Token Service (STS) to authenticate Operator access to AWS resources they require to perform their functions. Each production cluster requires its own OIDC configuration. When creating a {product-title} cluster, you can create the OpenID Connect (OIDC) configuration before creating your cluster. 
 
 .Prerequisites
 

diff --git a/modules/rosa-sts-ocm-role-creation.adoc b/modules/rosa-sts-ocm-role-creation.adoc
@@ -8,7 +8,7 @@
 = Creating an ocm-role IAM role
 
 [role="_abstract"]
-You create your `ocm-role` IAM roles by using the {rosa-cli-first}.
+You create your `ocm-role` IAM roles by using the {rosa-cli-first}. If you want to create and manage clusters using only the {rosa-cli-first} and the OpenShift CLI (`oc`), you do not need these roles. You only need these roles when you want to use {cluster-manager} to create and manage clusters.
 
 .Prerequisites
 

diff --git a/modules/rosa-sts-operator-roles.adoc b/modules/rosa-sts-operator-roles.adoc
@@ -8,7 +8,7 @@
 = Cluster-specific Operator IAM role reference
 
 [role="_abstract"]
-Operator roles are used to obtain the temporary permissions required to carry out cluster operations, such as managing back-end storage, cloud ingress controller, and external access to a cluster.
+Some cluster capabilities, including several capabilities provided by default, are managed using Operators. Cluster-specific Operator roles  use the OpenID Connect (OIDC) provider for the cluster to temporarily authenticate Operator access to AWS resources. Use Operator roles to obtain the temporary permissions forcluster operations, such as managing back-end storage, cloud ingress controller, and external access to a cluster.
 
 When you create the Operator roles, the account-wide Operator policies for the matching cluster version are attached to the roles.
 ifdef::openshift-rosa[]

diff --git a/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc b/rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc
@@ -13,60 +13,19 @@ You must create several role resources on your AWS account in order to create an
 
 include::modules/rosa-prereq-roles-overview.adoc[leveloffset=+1]
 
-[role="_additional-resources"]
-[id="additional-resources_role-overview_{context}"]
-.Additional resources
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS Managed IAM policies for {product-title} clusters]
-
-[id="rosa-prepare-am-resources-roles-account"]
-== Roles required to create and manage clusters
-
-Several account-wide roles (`account-roles` in the {rosa-cli-first}) are required to create or manage {product-title} clusters. These roles must be created using the {rosa-cli} (`rosa`), regardless of whether you typically use {cluster-manager} or the {rosa-cli} to create and manage your clusters. These roles only need to be created once, and do not need to be created for every cluster you install.
-
-//account roles
-include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
+include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]
 
-[role="_additional-resources"]
-[id="additional-resources_account-roles_{context}"]
-.Additional resources
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS documentation for Managed IAM policies for {product-title} clusters]
-
-[id="rosa-prepare-iam-resources-oidc"]
-== Resources required for OIDC authentication
+include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
 
-{product-title} clusters use OIDC and the AWS Security Token Service (STS) to authenticate Operator access to AWS resources they require to perform their functions. Each production cluster requires its own OIDC configuration.
+include::modules/rosa-sts-operator-roles.adoc[leveloffset=+1]
 
-include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
+include::modules/rosa-operator-config.adoc[leveloffset=+1]
 
-[id="rosa-prepare-am-resources-roles-operator"]
-== Roles required for Operator managed cluster capabilities
-//operator roles
-//created per-cluster or per-OIDC provider if that is shared between clusters
-Some cluster capabilities, including several capabilities provided by default, are managed using Operators. Cluster-specific Operator roles (`operator-roles` in the {rosa-cli}) use the OpenID Connect (OIDC) provider for the cluster to temporarily authenticate Operator access to AWS resources.
-
-include::modules/rosa-sts-operator-roles.adoc[leveloffset=+2]
-include::modules/rosa-operator-config.adoc[leveloffset=+2]
+include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
 
 [role="_additional-resources"]
-[id="additional-resources_operator-roles_{context}"]
-.Additional resources
-* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS documentation for Managed IAM policies for {product-title} clusters]
-
-[id="rosa-prepare-iam-resources-roles-ocm"]
-== Roles required to use {cluster-manager}
+[id="additional-resources_{context}"]
+== Additional resources
 
-The roles in this section are only required when you want to use {cluster-manager} to create and manage clusters. If you intend to create and manage clusters using only the {rosa-cli-first} and the OpenShift CLI (`oc`), these roles are not required.
-
-include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-[id="additional-resources_ocm-role-creation_{context}"]
-.Additional resources
-* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies-creation-methods_rosa-sts-about-iam-resources[Methods of account-wide role creation]
-
-include::modules/rosa-sts-user-role-creation.adoc[leveloffset=+2]
-
-[role="_additional-resources"]
-[id="additional-resources_user-role-creation_{context}"]
-.Additional resources
 * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies-creation-methods_rosa-sts-about-iam-resources[Methods of account-wide role creation]
+* link:https://docs.aws.amazon.com/rosa/latest/userguide/security-iam-awsmanpol.html[AWS documentation for Managed IAM policies for {product-title} clusters]
diff --git a/rosa_planning/rosa-sts-aws-prereqs.adoc b/rosa_planning/rosa-sts-aws-prereqs.adoc
@@ -91,7 +91,7 @@ ifdef::openshift-rosa[]
 * xref:../rosa_planning/rosa-sts-ocm-role.adoc#rosa-sts-ocm-role[OpenShift Cluster Manager IAM role resources]
 endif::openshift-rosa[]
 ifdef::openshift-rosa-hcp[]
-* xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-prepare-iam-resources-roles-ocm[Required IAM roles and resources]
+* xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-hcp-prepare-iam-roles-resources[Required IAM roles and resources]
 endif::openshift-rosa-hcp[]
 * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference]
 * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference]