[CN-1306] add docs for workload identity (#222)

docs/modules/ROOT/examples/service-account.yaml

@@ -0,0 +1,5 @@
+apiVersion: hazelcast.com/v1alpha1
+kind: Hazelcast
+metadata:
+  name: hazelcast
+  serviceAccountName: myServiceAccount

docs/modules/ROOT/nav.adoc

@@ -28,6 +28,7 @@
 * xref:advanced-networking.adoc[Advanced Networking]
 * xref:tls.adoc[Configuring TLS]
 * xref:user-code-namespaces.adoc[User Code Namespaces]
+* xref:authorization.adoc[Authorization Methods to Access Cloud Storage]
 * Data Pipelines
 ** xref:jet-engine-configuration.adoc[Configuring the Jet Engine]
 ** xref:jet-job-configuration.adoc[Running Data Pipelines]

docs/modules/ROOT/pages/authorization.adoc

@@ -0,0 +1,92 @@
+= Authorization Methods to Access Cloud Storage
+
+You can use either a secret or Service Accounts to access your cloud storage, as detailed below.
+
+== Using Secrets
+
+You can create a secret to access cloud provider resources. You can find the secret creation examples for different cloud providers in the next sections:
+
+=== Accessing Resources on AWS
+
+[source,shell]
+----
+kubectl create secret generic <secret-name> \
+--from-literal=region=<region> \
+--from-literal=access-key-id=<access-key-id> \
+--from-literal=secret-access-key=<secret-access-key>
+----
+
+See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/[AWS Session] to learn about the authentication procedure.
+
+=== Accessing Resources on GCP
+
+[source,bash]
+----
+kubectl create secret generic <secret-name> \
+	--from-file=google-credentials-path=<service_account_json_file>
+----
+
+See https://cloud.google.com/docs/authentication/production/[Application Default Credentials] to learn about the authentication procedure.
+
+=== Accessing Resources on Azure
+
+[source,bash]
+----
+kubectl create secret generic <secret-name> \
+	--from-literal=storage-account=<storage-account> \
+	--from-literal=storage-key=<storage-key>
+----
+
+See https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal/[Azure Storage Account Keys] to learn about the authentication procedure.
+
+== Using Service Accounts
+
+You can use `Service Accounts` to access cloud provider resources without providing `secretName` in `HotBackup`, `JetJob`, `UCN` custom resources. To use this approach, you must provide `serviceAccountName` in your Hazelcast CR.
+
+.Example of Service Account Configuration
+[source,yaml,subs="attributes+"]
+----
+include::ROOT:example$/service-account.yaml[]
+----
+
+=== Accessing GCP Resources using Workload Identity
+Google Kubernetes Engine (GKE) Workload Identity is a feature that allows you to map a Kubernetes Service Account to a Google Cloud IAM (Identity and Access Management) Service Account so that users can manage pods permissions using IAM.
+
+Create a Service Account using the following command:
+
+[source,shell]
+----
+kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE>
+----
+
+To use it, you must annotate the service account you created with the following command:
+
+[source,shell]
+----
+kubectl annotate serviceaccount myServiceAccount \
+--namespace <NAMESPACE> \
+iam.gke.io/gcp-service-account=<GCP_SA_NAME>@<GCP_PROJECT>.iam.gserviceaccount.com
+----
+
+See https://cloud.google.com/docs/authentication#service-accounts[Service Accounts] to learn more about it.
+
+=== Accessing AWS Resources using IAM Roles for Service Accounts
+IAM roles for service accounts is a feature that allows you to map a Kubernetes Service Account to an AWS IAM Role so that users can manage pods permissions using IAM.
+
+Create a Service Account using the following command:
+
+[source,shell]
+----
+kubectl create serviceaccount myServiceAccount --namespace <NAMESPACE>
+----
+
+To use it, you must annotate the service account you created with the following command:
+
+[source,shell]
+----
+kubectl annotate serviceaccount myServiceAccount \
+--namespace <NAMESPACE> \
+eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/my-role
+----
+
+See https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html[IAM Roles for Service Accounts] to learn more about it.

docs/modules/ROOT/pages/backup-restore.adoc

@@ -67,14 +67,7 @@ External backup in AWS S3:
 include::ROOT:example$/hot-backup-external-aws.yaml[]
 ----
 
-See https://docs.aws.amazon.com/sdk-for-go/api/aws/session/[AWS Session] to learn about authentication procedure.
-[source,bash]
-----
-kubectl create secret generic <secret-name> \
-	--from-literal=region=<region> \
-	--from-literal=access-key-id=<access-key-id> \
-	--from-literal=secret-access-key=<secret-access-key>
-----
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 
 GCP::
@@ -86,12 +79,7 @@ External backup in GCP Bucket:
 include::ROOT:example$/hot-backup-external-gcp.yaml[]
 ----
 
-See https://cloud.google.com/docs/authentication/production/[Application Default Credentials] to learn about authentication procedure.
-[source,bash]
-----
-kubectl create secret generic <secret-name> \
-	--from-file=google-credentials-path=<service_account_json_file>
-----
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 
 Azure::
@@ -103,13 +91,7 @@ External backup in Azure Blob:
 include::ROOT:example$/hot-backup-external-azure.yaml[]
 ----
 
-See https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?tabs=azure-portal/[Azure Storage Account Keys] to learn about authentication procedure.
-[source,bash]
-----
-kubectl create secret generic <secret-name> \
-	--from-literal=storage-account=<storage-account> \
-	--from-literal=storage-key=<storage-key>
-----
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 ====
 <1> The bucket URI where backup data will be stored in

docs/modules/ROOT/pages/jet-job-configuration.adoc

@@ -61,4 +61,7 @@ The following `JetJob` resource runs the Data Pipeline for the `Hazelcast` resou
 .Example configuration
 [source,yaml,subs="attributes+"]
 ----
-include::ROOT:example$/jet-job-example.yaml[]
+include::ROOT:example$/jet-job-example.yaml[]
+----
+
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].

docs/modules/ROOT/pages/user-code-namespaces.adoc

@@ -30,6 +30,8 @@ User Code Namespaces in AWS S3:
 ----
 include::ROOT:example$/user-code-namespace-aws.yaml[]
 ----
+
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 
 GCP::
@@ -40,6 +42,8 @@ User Code Namespaces in GCP:
 ----
 include::ROOT:example$/user-code-namespace-gcp.yaml[]
 ----
+
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 
 Azure::
@@ -50,6 +54,8 @@ User Code Namespaces in Azure Blob:
 ----
 include::ROOT:example$/user-code-namespace-azure.yaml[]
 ----
+
+NOTE: For further information about accessing resources on different cloud providers, see xref:authorization.adoc[Authorization Methods to Access Cloud Provider Resources].
 --
 ====
 <1> The bucket URI in which to store backup data