3 changes: 2 additions & 1 deletion modules/rosa-sts-about-ocm-role.adoc
Expand Up @@ -12,6 +12,7 @@ Some considerations for your `ocm-role` IAM resource are:

* Only one `ocm-role` IAM role can be linked per Red{nbsp}Hat organization; however, you can have any number of `ocm-role` IAM roles per AWS account. The web UI requires that only one of these roles can be linked at a time.
* Any user in a Red{nbsp}Hat organization may create and link an `ocm-role` IAM resource.
* You must create an `ocm-role` before you can create a {product-title} cluster.
* Only the Red{nbsp}Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red{nbsp}Hat organization members from disturbing the interface capabilities of other users.
+
[NOTE]
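Review bot: the new bullet "You must create an `ocm-role` before you can create a {product-title} cluster." drops the qualifier that every other bullet in this list carries ("`ocm-role` IAM role", "`ocm-role` IAM resource"); write "an `ocm-role` IAM role" so the term stays consistent. It also belongs at the top of the list rather than between the "may create and link" and "can unlink" bullets, since it is the precondition those bullets assume; and because linking is what the rest of this module and the iam-resources page require ("you must have the following AWS IAM roles linked to your AWS account"), say "create and link".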
Expand All @@ -21,7 +22,7 @@ If you just created a Red{nbsp}Hat account that is not part of an existing organ
+
* See "Understanding the {cluster-manager} role" in the Additional resources of this section for a list of the AWS permissions policies for the basic and admin `ocm-role` IAM resources.

Using the ROSA CLI (`rosa`), you can link your IAM resource when you create it.
Using the {rosa-cli-first}, you can link your IAM resource when you create it.

[NOTE]
====
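Review bot: swapping "ROSA CLI (`rosa`)" for `{rosa-cli-first}` puts a first-mention attribute into a module that this same patch includes alongside modules/rosa-sts-ocm-role-creation.adoc, whose abstract also opens with `{rosa-cli-first}`; whichever of the two renders second in an assembly repeats the expanded first-mention form. Use the short-form attribute (or plain "ROSA CLI") in one of them, or confirm for each assembly which module appears first.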
5 changes: 5 additions & 0 deletions modules/rosa-sts-ocm-role-creation.adoc
Expand Up @@ -10,6 +10,11 @@
[role="_abstract"]
You create your `ocm-role` IAM roles by using the {rosa-cli-first}.

[IMPORTANT]
====
You must create the `ocm-role` IAM role before you can create your {product-title} cluster.
====

.Prerequisites

* You have an AWS account.
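Review bot: the new [IMPORTANT] restates a requirement this patch also adds as a bullet in modules/rosa-sts-about-ocm-role.adoc and as a prerequisite bullet in rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc, each with different wording ("an `ocm-role`", "the `ocm-role` IAM role", "ocm-role IAM role"); settle on one phrasing so the three copies do not drift. Since this module is now included in nine assemblies, this admonition is the copy most readers will see, so it should say the role must be created and linked, which is what the about-ocm-role module ("you can link your IAM resource when you create it") and the iam-resources page ("linked to your AWS account") actually require, not only created.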
2 changes: 1 addition & 1 deletion modules/rosa-sts-understanding-ocm-role.adoc
Expand Up @@ -6,7 +6,7 @@
[id="rosa-sts-understanding-ocm-role_{context}"]
= Understanding the {cluster-manager} role

Creating ROSA clusters in {cluster-manager-url} require an `ocm-role` IAM role. The basic `ocm-role` IAM role permissions let you to perform cluster maintenance within {cluster-manager}. To automatically create the operator roles and OpenID Connect (OIDC) provider, you must add the `--admin` option to the `rosa create` command. This command creates an `ocm-role` resource with additional permissions needed for administrative tasks.
Creating {product-title} clusters in {cluster-manager-url} require an `ocm-role` IAM role. The basic `ocm-role` IAM role permissions let you to perform cluster maintenance within {cluster-manager}. To automatically create the operator roles and OpenID Connect (OIDC) provider, you must add the `--admin` option to the `rosa create` command. This command creates an `ocm-role` resource with additional permissions needed for administrative tasks.

[NOTE]
====
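Review bot: the edited sentence keeps two grammar errors from the original line: "Creating {product-title} clusters in {cluster-manager-url} require" should be "requires", and "let you to perform cluster maintenance" should be "let you perform". Also, "add the `--admin` option to the `rosa create` command" names no resource; the paragraph is about the `ocm-role`, so spell out the subcommand, for example `rosa create ocm-role --admin`, and drop "Connect (OIDC)" on later mentions once the abbreviation is introduced here.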
12 changes: 6 additions & 6 deletions rosa_architecture/rosa-sts-about-iam-resources.adoc
Expand Up @@ -18,7 +18,7 @@ toc::[]

[role="_abstract"]
ifndef::openshift-rosa-hcp[]
To deploy a {product-title} (ROSA) cluster that uses the AWS Security Token Service (STS),
To deploy a {product-title} cluster that uses the AWS Security Token Service (STS),
endif::openshift-rosa-hcp[]
ifdef::openshift-rosa-hcp[]
{hcp-title-first} uses the AWS Security Token Service (STS) to provide temporary, limited-permission credentials for your cluster. This means that before you deploy your cluster,
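Review bot: removing "(ROSA)" from the ifndef::openshift-rosa-hcp branch deletes the one place the acronym is expanded on first use, while the ifdef branch below still introduces its product with `{hcp-title-first}`. Other files in this patch still use the bare acronym (the PrivateLink assembly abstract reads "create a ROSA cluster using AWS PrivateLink"), so either keep the parenthetical here or use the doc set's first-use attribute for the classic product name, if one exists.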
Expand All @@ -38,7 +38,7 @@ and compute functionality. This includes account-wide Operator policies.

This document provides reference information about the IAM resources that you must deploy
ifdef::openshift-rosa[]
when you create a ROSA cluster that uses STS.
when you create a {product-title} cluster that uses STS.
endif::openshift-rosa[]
ifdef::openshift-rosa-hcp[]
when you create a {hcp-title} cluster.
Expand All @@ -58,12 +58,12 @@ endif::openshift-rosa-hcp[]
[id="rosa-sts-ocm-roles-and-permissions_{context}"]
== {cluster-manager} roles and permissions

If you create ROSA clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. For more information, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account].
If you create {product-title} clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. For more information, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account].

These AWS IAM roles are as follows:

* The ROSA user role (`user-role`) is an AWS role used by Red{nbsp}Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red{nbsp}Hat installer account.
* An `ocm-role` resource grants the required permissions for installation of ROSA clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well.
* The {product-title} user role (`user-role`) is an AWS role used by Red{nbsp}Hat to verify the customer's AWS identity. This role has no additional permissions, and the role has a trust relationship with the Red{nbsp}Hat installer account.
* An `ocm-role` resource grants the required permissions for installation of {product-title} clusters in {cluster-manager}. You can apply basic or administrative permissions to the `ocm-role` resource. If you create an administrative `ocm-role` resource, {cluster-manager} can create the needed AWS Operator roles and OpenID Connect (OIDC) provider. This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well.
+
[NOTE]
====
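Review bot: "The {product-title} user role (`user-role`)" turns a short product-prefixed term into whatever `{product-title}` expands to in each build, which in the HCP build puts a long product name in front of "user role" and no longer reads as the name of the `user-role` IAM role; phrase it as "The `user-role` IAM role" to mirror the `ocm-role` bullet below it. While touching the second bullet, fix the redundancy in "This IAM role also creates a trust relationship with the Red{nbsp}Hat installer account as well" (drop "as well"), and use "has a trust relationship" to match the first bullet, since the role does not create the trust relationship.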
Expand Down Expand Up @@ -136,7 +136,7 @@ endif::openshift-rosa[]
[id="rosa-sts-oidc-provider-requirements-for-operators_{context}"]
== Open ID Connect (OIDC) requirements for Operator authentication

For ROSA installations that use STS, you must create a cluster-specific OIDC provider that is used by the cluster Operators to authenticate or create your own OIDC configuration for your own OIDC provider.
For {product-title} installations that use STS, you must create a cluster-specific OIDC provider that is used by the cluster Operators to authenticate or create your own OIDC configuration for your own OIDC provider.

include::modules/rosa-sts-oidc-provider-command.adoc[leveloffset=+2]

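Review bot: the edited sentence is ambiguous about who does what: "that is used by the cluster Operators to authenticate or create your own OIDC configuration" can be read as the Operators creating the configuration. Split the alternatives, for example "you must either create a cluster-specific OIDC provider, which the cluster Operators use to authenticate, or supply your own OIDC configuration for an OIDC provider that you manage." The heading above it, "Open ID Connect (OIDC)", should also be "OpenID Connect (OIDC)", as the rest of this file spells it.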
1 change: 1 addition & 0 deletions rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc
Expand Up @@ -9,6 +9,7 @@ toc::[]
[role="_abstract"]
For {product-title} workloads that do not require public internet access, you can create a private cluster.

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
include::modules/rosa-hcp-aws-private-create-cluster.adoc[leveloffset=+1]
include::modules/rosa-hcp-aws-private-security-groups.adoc[leveloffset=+1]
include::modules/rosa-additional-principals-overview.adoc[leveloffset=+1]
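Review bot: placing rosa-sts-ocm-role-creation.adoc directly after the abstract is the right order for a private cluster, since the role must exist before rosa-hcp-aws-private-create-cluster.adoc runs, but that module's abstract opens with `{rosa-cli-first}`; check that this is the first mention of the CLI in this assembly so the first-use expansion is not repeated by a later module.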
2 changes: 2 additions & 0 deletions rosa_hcp/rosa-hcp-cluster-no-cni.adoc
Expand Up @@ -29,6 +29,8 @@ If you choose to use your own CNI for {product-title} clusters, it is strongly r

* Ensure that you have a configured xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc_rosa-hcp-sts-creating-a-cluster-quickly[virtual private cloud] (VPC).

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]

include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]

include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
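Review bot: this assembly places ocm-role creation before rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc, as the KMS, egress-zero and creating-a-cluster-quickly HCP assemblies in this patch do, but the classic creating-a-cluster-quickly assembly and the ext-auth prerequisite list order them the other way (account-wide roles, then ocm-role). Pick one order for the whole patch; ocm-role first is the defensible choice, given that the about-ocm-role module states it is created and linked by any organization member before any cluster work starts.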
2 changes: 2 additions & 0 deletions rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
Expand Up @@ -58,6 +58,8 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
* link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
* link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]

include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]

include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
4 changes: 3 additions & 1 deletion rosa_hcp/rosa-hcp-egress-zero-install.adoc
Expand Up @@ -43,7 +43,7 @@ include::modules/rosa-glossary-disconnected.adoc[leveloffset=+1]

include::modules/rosa-hcp-set-environment-variables.adoc[leveloffset=+1]

include::modules/rosa-hcp-egress-zero-install-creating.adoc[leveloffset=+2]
include::modules/rosa-hcp-egress-zero-install-creating.adoc[leveloffset=+1]

[role="_additional-resources"]
.Additional resources
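Review bot: changing rosa-hcp-egress-zero-install-creating.adoc from leveloffset=+2 to +1 is unrelated to the ocm-role change the rest of this patch makes and is not explained anywhere; either describe it in the commit message or split it into its own change. It also promotes that section from a child of rosa-hcp-set-environment-variables (+1) to its sibling, so confirm that heading hierarchy is the intended one.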
Expand Down Expand Up @@ -98,6 +98,8 @@ include::modules/vpc-troubleshooting.adoc[leveloffset=+2]
* xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting {product-title} cluster installations]
* xref:../support/getting-support.adoc#getting-support[Getting support for Red{nbsp}Hat OpenShift Service on AWS]

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]

include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+1]

include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
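Review bot: the new include lands right after the two xref bullets of the VPC troubleshooting subsection's Additional resources, so the reader meets "create the ocm-role" after "Troubleshooting {product-title} cluster installations" and before account-wide roles. The leveloffset=+1 is correct for a sibling of the other +1 sections, but the flow would read better if the ocm-role and account-wide role sections preceded the troubleshooting material rather than following it.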
1 change: 1 addition & 0 deletions rosa_hcp/rosa-hcp-quickstart-guide.adoc
Expand Up @@ -53,6 +53,7 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
* link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
* link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+1]
include::modules/rosa-operator-config.adoc[leveloffset=+1]
include::modules/rosa-hcp-sts-creating-a-cluster-cli.adoc[leveloffset=+1]
1 change: 1 addition & 0 deletions rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc
Expand Up @@ -32,6 +32,7 @@ To create a {product-title} cluster, you must have completed the following steps

* xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc_rosa-hcp-sts-creating-a-cluster-quickly[Configured virtual private cloud (VPC)]
* Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles]
* Created the xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-sts-ocm-roles-and-permissions-iam-basic-role_prepare-role-resources[ocm-role IAM role]
* Created an xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-byo-oidc_rosa-hcp-sts-creating-a-cluster-quickly[OIDC configuration]
* Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-operator-config_rosa-hcp-sts-creating-a-cluster-quickly[Operator roles]

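Review bot: the new prerequisite bullet points at rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-sts-ocm-roles-and-permissions-iam-basic-role_prepare-role-resources, while every other bullet in this list points at the step in rosa-hcp-sts-creating-a-cluster-quickly.adoc, and this patch adds the ocm-role creation module to that very assembly. Link to the new section in the quickly assembly instead, so the list stays one consistent checklist; the "iam-basic-role" anchor also covers only the basic role, whereas the creation module's `--admin` variant is what lets {cluster-manager} create the Operator roles and OIDC provider. The bullet wording "ocm-role IAM role" should also use backticks like the surrounding text.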
2 changes: 2 additions & 0 deletions rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
Expand Up @@ -79,6 +79,8 @@ include::modules/rosa-hcp-vpc-subnet-tagging.adoc[leveloffset=+3]
* link:https://developer.hashicorp.com/terraform[HashiCorp Terraform documentation]
* link:https://kubernetes-sigs.github.io/aws-load-balancer-controller/v2.2/deploy/subnet_discovery/[Subnet Auto Discovery]

include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]

include::modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]

include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
Expand Up @@ -10,6 +10,7 @@ This document describes how to create a ROSA cluster using AWS PrivateLink.

include::modules/osd-aws-privatelink-about.adoc[leveloffset=+1]
include::modules/osd-aws-privatelink-required-resources.adoc[leveloffset=+1]
include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
include::modules/rosa-aws-privatelink-create-cluster.adoc[leveloffset=+1]
include::modules/osd-aws-privatelink-config-dns-forwarding.adoc[leveloffset=+1]

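Review bot: the context line at the top of this hunk still says "create a ROSA cluster using AWS PrivateLink" while the rest of the patch replaces bare "ROSA" with `{product-title}`; update this abstract in the same patch so the two conventions do not coexist. The include position (after required-resources, before create-cluster) is right; if osd-aws-privatelink-required-resources.adoc enumerates the required IAM roles, the `ocm-role` should appear in that list too.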
Expand Up @@ -54,6 +54,7 @@ If you need additional xref:../support/getting-support.adoc#getting-support[supp
include::modules/rosa-sts-creating-a-cluster-quickly-ocm.adoc[leveloffset=+1]
include::modules/rosa-sts-associating-your-aws-account.adoc[leveloffset=+2]
include::modules/rosa-sts-creating-account-wide-sts-roles-and-policies.adoc[leveloffset=+2]
include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2]
include::modules/rosa-sts-byo-oidc.adoc[leveloffset=+2]
include::modules/rosa-sts-creating-a-cluster-using-defaults-ocm.adoc[leveloffset=+2]
include::modules/rosa-sts-creating-a-cluster-quickly-cli.adoc[leveloffset=+1]
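Review bot: the ocm-role creation section is inserted after rosa-sts-associating-your-aws-account.adoc and after the account-wide roles, but the iam-resources page in this same patch says you must have the `ocm-role` and `user-role` linked to your AWS account and points to "Associating your AWS account" for exactly that step. The ocm-role must therefore exist before the association step, so move the include above rosa-sts-associating-your-aws-account.adoc (leveloffset=+2 as it is now).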
Expand Up @@ -12,6 +12,7 @@ With the procedures in this document, you can also choose between the `auto` and

include::modules/rosa-understanding-deployment-modes.adoc[leveloffset=+1]
include::modules/rosa-creating-operator-roles-and-oidc-manually-ocm.adoc[leveloffset=+2]
include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+1]
include::modules/rosa-sts-understanding-aws-account-association.adoc[leveloffset=+1]

[role="_additional-resources"]
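Review bot: the ocm-role include is added at leveloffset=+1 after rosa-creating-operator-roles-and-oidc-manually-ocm.adoc, which is a +2 child of rosa-understanding-deployment-modes.adoc. The understanding-ocm-role module in this patch states that an admin `ocm-role` is what allows {cluster-manager} to create the Operator roles and OIDC provider automatically, so the ocm-role section should precede the deployment-modes section (or at least the manual operator-roles subsection), not follow it.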