diff --git a/docs/home/clouds/aws.md b/docs/home/clouds/aws.md
index 5b25f9c7..1cac3556 100644
--- a/docs/home/clouds/aws.md
+++ b/docs/home/clouds/aws.md
@@ -3,7 +3,8 @@
## Required types of resources
- [AWS S3 Bucket](https://aws.amazon.com/s3/)
-- [AWS IAM](https://aws.amazon.com/iam/) user with bucket access above (programmatic access)
+- [AWS IAM](https://aws.amazon.com/iam/) user with bucket access above (programmatic access) [_up to ODM version 1.60_]
+- [AWS IAM](https://aws.amazon.com/iam/) role with bucket access above [_after ODM version 1.60_]
- [AWS EKS](https://aws.amazon.com/eks/)
- [AWS EBS](https://aws.amazon.com/ebs/)
- [AWS ALB](https://aws.amazon.com/elasticloadbalancing/)
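Review bot: the version markers on the two IAM bullets leave 1.60 itself ambiguous. "up to ODM version 1.60" and "after ODM version 1.60" can each be read as including or excluding 1.60, while the 1.60 release notes added in this same patch say the role option arrives with the Rclone migration. Suggest wording such as "ODM versions before 1.60" for the user and "ODM 1.60 and later" for the role, and stating whether the IAM user is still supported from 1.60 on.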
@@ -20,22 +21,28 @@
- It is recommended to set up a lifecycle rule to clean up unfinished multipart uploads. Example of [AbortIncompleteMultipartUpload rule](#configuration-examples).
-2. Create IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html), [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) (it will be listed below) and [attach](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) the policy to the user.
-
- - [Programmatic access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) is required to work ODM with IAM user.
-
- - You can find the recommended IAM policy here [IAM policy for S3 access](#configuration-examples).
-
-3. Create [VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html).
+2. Create [VPC](https://docs.aws.amazon.com/vpc/latest/userguide/vpc-getting-started.html).
- Must have at least 2 private subnets [[link](https://docs.aws.amazon.com/eks/latest/userguide/network_reqs.html)].
- Each subnets must contain at least 100 free IP addresses [recommendation].
-4. Create [EKS](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html).
+3. Create [EKS](https://docs.aws.amazon.com/eks/latest/userguide/create-cluster.html).
- Deploy the addons you need.
+4. Create IAM [user](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html) [_up to ODM version 1.60_], [role](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_create.html) [_after ODM version 1.60_], [policy](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html) (it will be listed below) and [attach](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_manage-attach-detach.html) the policy to the user/role.
+
+ - [Programmatic access](https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html) is required to work ODM with IAM user.
+
+ - You can find the recommended IAM policy here [IAM policy for S3 access](#configuration-examples).
+
+ - Choose between [EKS IRSA](https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html) and [EKS Pod Identity](https://docs.aws.amazon.com/eks/latest/userguide/pod-identities.html) based on your requirements; however, we recommend using EKS Pod Identity.
+
+ - You can find the recommended `Trust Relationships` for EKS IRSA here [IRSA Trust Relationships](#configuration-examples).
+
+ - You can find the recommended `Trust Relationships` for EKS Pod Identity here [Pod Identity Trust Relationships](#configuration-examples).
+
5. Create Route53 [hosted zone](https://docs.aws.amazon.com/Route53/latest/DeveloperGuide/hosted-zones-working-with.html).
- You can use private or public zone.
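Review bot: the new step 4 ends at attaching the policy to the user/role and never says how the role is bound to the ODM workload. For IRSA that means the annotated service account, and for Pod Identity the association between the role and a namespace/service account, so a reader following only this page ends up with a role that nothing can assume. Suggest a bullet for each option that names the namespace and service account to use, matching the `system:serviceaccount:odm:odm` subject in the trust policy example. The "Programmatic access" bullet should also be marked as applying to the IAM user path only, so role-based deployments do not create long-lived access keys they do not need.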
@@ -177,6 +184,49 @@
```
+IRSA Trust Relationships
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Federated": "arn:aws:iam::AWS_ACCOUNT_ID:oidc-provider/oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID"
+ },
+ "Action": "sts:AssumeRoleWithWebIdentity",
+ "Condition": {
+ "StringLike": {
+ "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:sub": "system:serviceaccount:odm:odm",
+ "oidc.eks.AWS_REGION.amazonaws.com/id/AWS_EKS_OIDC_ID:aud": "sts.amazonaws.com"
+ }
+ }
+ }
+ ]
+}
+```
+
+
+Pod Identity Trust Relationships
+```json
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "pods.eks.amazonaws.com"
+ },
+ "Action": [
+ "sts:TagSession",
+ "sts:AssumeRole"
+ ]
+ }
+ ]
+}
+```
+
+
GP3 StorageClass example
```yaml
apiVersion: storage.k8s.io/v1
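Review bot: in the IRSA trust policy the `Condition` uses `StringLike` although both values (`system:serviceaccount:odm:odm` and `sts.amazonaws.com`) are exact strings with no wildcard. `StringEquals` states the intent and avoids someone later widening the subject with a `*`. It is also worth a sentence under the example saying that the `odm:odm` namespace and service account must match the Helm release, since a different release namespace will fail the `sub` check. The Pod Identity example has no `Condition` at all, so unlike the IRSA one it is not tied to a namespace or service account in the policy itself. Either say that the scoping is done by the Pod Identity association, or add a condition that restricts it.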
diff --git a/docs/home/release-notes/v1.50-v1.59.md b/docs/home/release-notes/v1.50-v1.59.md
index fa32d1c7..cc04ea2f 100644
--- a/docs/home/release-notes/v1.50-v1.59.md
+++ b/docs/home/release-notes/v1.50-v1.59.md
@@ -1,24 +1,5 @@
# Release notes
-## Version 1.60
-
-!!! tip ""
-Helm chart version 1.60.x
-
-### Rclone Migration
-
-The following ODM component called `funcFile` was replaced with `rclone`.
-
-As a result of this migration, the configuration of storages was moved from `funcFile` to `application.yaml` files in `core`, `applications`, and `funcJob`.
-You can find configuration examples in the "examples" directory within the Helm chart.
-Note that the configuration section `genestack.rclone` in all three of these services should be identical. For this purpose, we recommend using YAML anchors, which are also included in the examples.
-
-## SAML elimitaion
-
-Support of SAML was eliminated.
-
-### Helm configuration changes
-
## Version 1.59
!!! tip ""
diff --git a/docs/home/release-notes/v1.60-v1.69.md b/docs/home/release-notes/v1.60-v1.69.md
new file mode 100644
index 00000000..c9085fdc
--- /dev/null
+++ b/docs/home/release-notes/v1.60-v1.69.md
@@ -0,0 +1,44 @@
+# Release notes
+
+## Version 1.60
+
+!!! tip ""
+ Helm chart version 1.60.x
+
+### Rclone Migration
+
+The following ODM component called `funcFile` was replaced with `rclone`.
+
+As a result of this migration, the configuration of storages was moved from `funcFile` to `application.yaml` files in `core`, `applications`, and `funcJob`.
+You can find configuration examples in the "examples" directory within the Helm chart.
+Note that the configuration section `genestack.rclone` in all three of these services should be identical. For this purpose, we recommend using YAML anchors, which are also included in the examples.
+
+Also, Rclone allows to use the AWS IAM role instead of the AWS IAM user. If this is relevant fo your environment, then information on deployment can be found [here](./../clouds/aws.md) in paragraph 4.
+
+### SAML elimitaion
+
+Support of SAML was eliminated.
+
+### Helm configuration changes
+
+- The `credentials` section has been removed, please use the `rclone` configuration instead.
+
+ ```yaml
+ credentials:
+ awsS3Region:
+ awsS3AccessKey:
+ awsS3SecretAccessKey:
+ ```
+
+- All configuration related to `SAML` has been removed.
+
+- The `region` parameter has been removed from the `applications` configuration.
+
+ ```yaml
+ applications:
+ files:
+ "/var/lib/genestack/properties/application.yaml":
+ frontend:
+ aws:
+ region:
+ ```
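Review bot: the text moved into the new file carries typos that are worth fixing while it is being touched: the heading "SAML elimitaion" (elimination), "relevant fo your environment" (for), and "Rclone allows to use" (allows using). The link "[here](./../clouds/aws.md) in paragraph 4" depends on step numbering that this same patch has just reordered, so linking to a heading anchor would be more stable. In "Helm configuration changes", the removed `credentials` block held `awsS3AccessKey` and `awsS3SecretAccessKey`. Consider adding a line telling upgraders who switch to the IAM role to remove those values from their values files and deactivate the old access key.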
diff --git a/mkdocs.yml b/mkdocs.yml
index 5f093781..69073736 100644
--- a/mkdocs.yml
+++ b/mkdocs.yml
@@ -29,7 +29,8 @@ nav:
- Azure SCIM: home/troubleshooting/azure-scim.md
- Sanity check: home/troubleshooting/sanity-check.md
- Release Notes:
- - v1.50 - v1.59: home/release-notes/v1.50-v1.59.md
+ - v1.60 - v1.69: home/release-notes/v1.60-v1.69.md
+ - v1.50 - v1.59: home/release-notes/v1.50-v1.59.md
theme:
name: material
palette: