Clarify only IAM role is created by eksctl in CONFIGURATION.md (#267)

*Issue #, if available:* N/A

*Description of changes:*

I was following the instructions in order to create a cluster for
testing. These changes will hopefully make it a bit clearer.

I also removed some validation steps as I think they're ultimately
distracting and not appropriate at the step they were mentioned. They
could be re-added elsewhere if there's a good home for them.

By submitting this pull request, I confirm that you can use, modify,
copy, and redistribute this contribution, under the terms of your
choice.

---------

Signed-off-by: Daniel Carl Jones <[email protected]>

docs/CONFIGURATION.md

@@ -103,12 +103,19 @@ graph LR;
 
 #### Service Account configuration for EKS Clusters
 
-EKS allows [using Kubernetes service accounts to authenticate requests to S3](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
-To set this up follow these steps:
+EKS allows using Kubernetes service accounts to authenticate requests to S3 using [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+This is supported for both [driver-level identity](#driver-level-credentials-with-irsa)
+and [pod-level identity](#pod-level-credentials).
 
-##### Create a Kubernetes service account for the driver and attach the policy to the service account
+The following sections describe how to create the supporting resources for IRSA with driver-level identity.
 
-> [!NOTE]
+##### Create an IAM role for use by the CSI driver's service account
+
+The following command will use `eksctl` to create the IAM role that will be used by the CSI driver's service account.
+The service account is not created by this command, only the IAM role due to the `--role-only` option.
+It will be created when the Mountpoint CSI driver is installed.
+
+> [!IMPORTANT]
 > The same service account name (`s3-csi-driver-sa`) must be specified both in this command and when creating a driver
 > pod (in the pod spec `deploy/kubernetes/base/node-daemonset.yaml`, Helm value `node.serviceAccount.name`).
 
@@ -123,11 +130,6 @@ eksctl create iamserviceaccount \
     --region $REGION \
     --role-only
 ```
-##### [Optional] Validate the account was successfully created
-```
-kubectl describe sa s3-csi-driver-sa --namespace kube-system
-```
-For more validation steps see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html).
 
 ### Driver-Level Credentials with K8s Secrets
 
@@ -220,7 +222,7 @@ graph LR;
 ```
 
 
-## Pod-Level Credentials
+### Pod-Level Credentials
 
 > [!WARNING]
 > To enable Pod-Level credentials on K8s clusters <1.30, you need to pass `node.podInfoOnMountCompat.enable=true` into
@@ -297,12 +299,18 @@ spec:
 Pods mounting the specified PV will use the pod's own Service Account for IRSA authentication.
 
 
-#### Pod Level Service Account configuration for EKS Clusters
+#### Pod-Level Identity Service Account configuration for EKS Clusters
+
+EKS allows using Kubernetes service accounts to authenticate requests to S3 using [IAM Roles for Service Accounts (IRSA)](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html).
+This is supported for both [driver-level identity](#driver-level-credentials-with-irsa)
+and [pod-level identity](#pod-level-credentials).
 
-See the docs for configuring [Service Account](./CONFIGURATION.md#service-account-configuration-for-eks-clusters) for
-driver level configuration.
+The following sections describe how to create the supporting resources for IRSA with pod-level identity.
 
-##### Create a Kubernetes service account for the pod and attach the policy to the service account
+##### Create an IAM role for use by the pod's service account
+
+The following command will use `eksctl` to create the IAM role that will be used by the pod's service account.
+The service account is not created by this command, only the IAM role due to the `--role-only` option.
 
 ```
 eksctl create iamserviceaccount \
@@ -316,15 +324,7 @@ eksctl create iamserviceaccount \
     --role-only
 ```
 
-See [Pod-Level identity](https://github.com/awslabs/mountpoint-s3-csi-driver/tree/main/examples/kubernetes/static_provisioning/pod_level_identity.yaml)
-examples for how to set up Pod-Level identity with IRSA.
-
-##### [Optional] Validate the account was successfully created
-```
-kubectl describe sa s3-pod-sa --namespace $POD_NAMESPACE
-```
-For more validation steps see the [EKS documentation](https://docs.aws.amazon.com/eks/latest/userguide/associate-service-account-role.html).
-
+See the [example spec for pod-level identity](https://github.com/awslabs/mountpoint-s3-csi-driver/tree/main/examples/kubernetes/static_provisioning/pod_level_identity.yaml) for how to set up pod-level identity with IRSA.
 
 ### Configuring the STS region
 

docs/install.md

@@ -39,7 +39,10 @@ aws eks update-kubeconfig --region $REGION --name $CLUSTER_NAME
 
 ### Configure access to S3
 
-See [CONFIGURATION.md](./CONFIGURATION.md) for configuration instructions.
+Assuming you have a cluster created, the next step is to ensure the CSI Driver will be able to access Amazon S3.
+
+There's a few different options for providing credentials for the Mountpoint CSI Driver to use when accessing Amazon S3.
+See the [AWS credentials section of CONFIGURATION.md](./CONFIGURATION.md#aws-credentials) for instructions on how to setup IAM principals for accessing Amazon S3.
 
 ### Deploy driver
 You may deploy the Mountpoint for Amazon S3 CSI driver via Kustomize, Helm, or as an [Amazon EKS managed add-on](https://docs.aws.amazon.com/eks/latest/userguide/eks-add-ons.html#workloads-add-ons-available-eks).