From 33f6fa158f9e4dd848276efd6c6da67fc1f92345 Mon Sep 17 00:00:00 2001 From: Jatin Arora Date: Thu, 15 Feb 2024 12:41:19 +0530 Subject: [PATCH] docs(aar): add instructions to use instance profiles with AAR This commit adds the instructions to make use of the newly added support for instance profiles in AAR. --- howto/aar/deploy.md | 24 +++++++++++++++++++----- reference/release-notes/1.21.0.md | 2 +- 2 files changed, 20 insertions(+), 6 deletions(-) diff --git a/howto/aar/deploy.md b/howto/aar/deploy.md index 33ea24ea..ffcd588d 100644 --- a/howto/aar/deploy.md +++ b/howto/aar/deploy.md @@ -17,7 +17,9 @@ To use the AWS S3 storage backend, you must create a dedicated S3 bucket for the If you don’t plan to use the [CloudFront CDN](#aws-cloudfront-cdn-support-3), you should use a region close to your Anbox Cloud deployment to keep download times low. -To allow the AAR to access the S3 bucket, create an [IAM](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html) user with the following policy: +### Configure bucket access for AAR + +To allow the AAR to access the S3 bucket, create an [IAM Policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/introduction.html): ```json { 
@@ -51,17 +53,26 @@ To allow the AAR to access the S3 bucket, create an [IAM](https://docs.aws.amazo Replace `aar0` in the policy with the name of your bucket. -Once you created the IAM user, create an access key for the user, which the AAR will use. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for more details on this. +There are two ways to configure the bucket access for AAR using the policy created earlier: -Add the credentials to the `config.yaml` file: +1. Create an IAM user and an access key for this user, which the AAR will use. See the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) for more details on this. Assign the policy created earlier to this user. -``` +2. Create an instance profile using the IAM policy created earlier and attach the instance profile to the instance where AAR is deployed. For more information, see the [AWS documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2_instance-profiles.html) for more details on this. + +### Configure AAR + +Add the following configuration to the `config.yaml` file: + +```yaml aar: storage_config: | storage: s3: region: eu-west-3 bucket: aar0 + # Access Key and Secret Access Key are only required if an IAM user is + # used to access the bucket. They can be omitted if an instance profile + # is going to be attached to the instance. access-key: secret-access-key: ``` @@ -78,13 +89,16 @@ Once you have set up a CloudFront distribution for your S3 bucket, you only need Add the credentials to the `config.yaml` file: -``` +```yaml aar: storage_config: | storage: s3: region: eu-west-3 bucket: aar0 + # Access Key and Secret Access Key are only required if an IAM user is + # used to access the bucket. They can be omitted if an instance profile + # is going to be attached to the instance. access-key: secret-access-key: cloudfront: 
diff --git a/reference/release-notes/1.21.0.md b/reference/release-notes/1.21.0.md index 90f48e50..e04f5735 100644 --- a/reference/release-notes/1.21.0.md +++ b/reference/release-notes/1.21.0.md @@ -21,7 +21,7 @@ The 1.21.0 release of Anbox Cloud brings the following features and improvements * The [Anbox Cloud NFS operator](https://github.com/canonical/anbox-cloud-nfs-operator) charm now supports mounting EFS file system on AWS when you require Transport Layer Security (TLS). With an EFS file system, you can [configure](https://github.com/canonical/anbox-cloud-nfs-operator/blob/main/config.yaml) the charm with the following parameters: - `mount_type` set to `efs` - `nfs_extra_options` set to `tls` -* The Anbox Application Registry(AAR) can make use of Identity and Access Management(IAM) roles applied to an AWS instance using instance profiles. This relieves you from having to configure an access key/secret for instances. For information on how to use an IAM role in instance profiles, see [AWS IAM documentation](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_switch-role-ec2.html). +* The Anbox Application Registry(AAR) can make use of Identity and Access Management(IAM) roles applied to an AWS instance using instance profiles. This relieves you from having to configure an access key/secret for instances. For information on how to use an IAM role in AAR, see [how to deploy AAR](https://anbox-cloud.io/docs/howto/aar/deploy). * The NATS charm is switched from its [older version](https://charmhub.io/nats-charmers-nats) to a [newer version](https://charmhub.io/nats) on Charmhub. This would require that you switch to the new charm source. For more information, see [How to upgrade Anbox Cloud](https://discourse.ubuntu.com/t/how-to-upgrade-anbox-cloud/17750). ### Dashboard improvements
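Review bot: In the first hunk of howto/aar/deploy.md (@@ -17,7 +17,9 @@), the link text changes to "IAM Policy" but the target is still the general IAM introduction page (`.../UserGuide/introduction.html`). Either point the link at the AWS page that covers policies or keep the link text as "IAM". The sentence would also read better as "create an IAM policy with the following content:", with "policy" in lower case, so it is clear that the JSON below is the policy document.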
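Review bot: In the second hunk of howto/aar/deploy.md (@@ -51,17 +53,26 @@), the new YAML comment says the keys "can be omitted", yet the example still ends with empty `access-key:` and `secret-access-key:` entries, so a reader who uses an instance profile cannot tell whether to delete those two lines or leave them blank. State which of the two AAR expects, or show the instance-profile variant without the keys. Item 2 of the new list also repeats itself ("For more information, see the [AWS documentation] ... for more details on this"); drop one half. The release note in this patch says the instance profile relieves you from configuring an access key/secret, and it would help to state that benefit next to option 2 so that readers have a reason to choose it over a static key in `config.yaml`.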
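Review bot: In the CloudFront hunk of howto/aar/deploy.md (@@ -78,13 +89,16 @@), the unchanged lead-in still reads "Add the credentials to the `config.yaml` file:" while the S3 section was reworded to "Add the following configuration to the `config.yaml` file:". With an instance profile there are no credentials to add, so this sentence should get the same rewording. The same ambiguity about empty `access-key:` and `secret-access-key:` entries under the "can be omitted" comment applies to this example as well.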
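Review bot: In reference/release-notes/1.21.0.md (@@ -21,7 +21,7 @@), the new link goes to the top of the deploy page (`https://anbox-cloud.io/docs/howto/aar/deploy`) rather than to the "Configure bucket access for AAR" section that this patch adds, which is where the instance profile instructions live; link to that heading's anchor. Since the line is being touched anyway, add the missing space before the parentheses in "Registry(AAR)" and "Management(IAM)".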