OSDOCS-17318:Docs update for Cross-Project Federated Identity Authentication for OSD-GCP.

AedinC · AedinC · commit e8a48035351a · 2025-11-21T09:29:06.000Z
diff --git a/modules/create-wif-configuration.adoc b/modules/create-wif-configuration.adoc
@@ -7,7 +7,6 @@
 = Creating a Workforce Identity Federation configuration
 
 [role="_abstract"]
-
 You can create a WIF configuration using the `auto` mode or the `manual` mode in the `ocm` CLI.
 
 The `auto` mode enables you to automatically create the service accounts for {product-title} components as well as other IAM resources.
diff --git a/modules/osd-release-notes-Q4-2025.adoc b/modules/osd-release-notes-Q4-2025.adoc
@@ -5,6 +5,10 @@
 [id="osd-q4-2025_{context}"]
 = Q4 2025
 
+* **Support for managing workload identity pools and providers in a dedicated {GCP} project.**
+{product-title} on {GCP} now lets you update an existing Workforce Identity Federation (WIF) configuration to use a dedicated project for managing workload identity pools and providers.
+For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update[Updating a Workforce Identity Federation configuration].
+
 * **Required API services table updated.**
 The _Required API services_ table within the _Required customer procedure_ guide has been updated to restore APIs that were previously removed due to a bug. These APIs are required for new {product-title} on {GCP} cluster creation. For more information, see link:https://docs.redhat.com/en/documentation/openshift_dedicated/4/html/planning_your_environment/gcp-ccs#ccs-gcp-customer-procedure_gcp-ccs[Required customer procedure].
 
diff --git a/modules/wif-configuration-update.adoc b/modules/wif-configuration-update.adoc
@@ -30,6 +30,10 @@ When you update a wif-config or create a new one, ensure your {cluster-manager}
 Error: failed to create wif-config: failed to create wif-config: status is 400, identifier is '400', code is 'CLUSTERS-MGMT-400', at '2025-10-06T15:18:37Z' and operation identifier is 'f9551d63-a58a-4e3c-b847-5f99ba1b0b74': Client version is out of date for WIF operations. Please update from vOCM-CLI/1.0.7 to v1.0.8 and try again.
 ----
 
+You can also update an existing {product-title} cluster that is already using WIF by adding a dedicated project to manage workload identity pools and providers using the `--federated-project` flag. This best-practice model separates the workload identity pools and providers into a dedicated, centralized {GCP} project.
+
+When you update the configuration using the `--federated-project` flag, the federated identity pool moves to the new federated project you specify, while the existing IAM service accounts and custom roles remain in the original cluster-associated project.
+
 .Procedure
 . To check the version of your `ocm`, run the following command:
 +
@@ -46,9 +50,11 @@ $ ocm version
 ----
 ocm gcp update wif-config <wif_name> \ <1>
 --version <version> <2>
+--federated-project <gcp_project_id> <3>
 ----
 <1> Replace `<wif_name>` with the name of the WIF configuration you want to update.
 <2> Optional: Replace `<version>` with the {product-title} y-stream version you plan to update the cluster to. If you do not specify a version, the wif-config will be updated to support the latest {product-title} y-stream version as well as the last three {product-title} supported y-stream versions (beginning with version 4.17).
+<3> Optional: Replace `<gcp_project_id>` with the ID of the dedicated project where the workload identity pools and providers will be created and managed. If the `--federated-project` flag is not specified, the workload identity pools and providers will remain in the project associated with the cluster.
 
 .Next steps
 
diff --git a/modules/wif-requirements.adoc b/modules/wif-requirements.adoc
diff --git a/osd_whats_new/osd-whats-new.adoc b/osd_whats_new/osd-whats-new.adoc
@@ -27,7 +27,7 @@ The default IAM permissions for WIF in the link:https://github.com/openshift/man
 ** The `osd-deployer` service account no longer uses the `iam.serviceAccounts.signBlob` permission. This has been replaced with the `iam.serviceAccountTokenCreator` role, which is now specifically assigned to the service accounts that require it.
 ** The `osd-deployer` service account no longer uses the `iam.serviceAccounts.actAs` permission. This has been replaced with the `iam.serviceAccountUser` role, which is now specifically assigned to the service accounts that require it.
 
-If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a WIF configuration].
+If you have existing `wif-config` instances, you can get these new, less permissive permissions by running the `ocm gcp update wif-config` command. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#wif-configuration-update_osd-creating-a-cluster-on-gcp-with-workload-identity-federation[Updating a Workforce Identity Federation configuration].
 
 * **Workload Identify Federation (WIF) is now the default authentication type for {product-title} clusters on {GCP}.**
 In alignment with the principle of least privilege as well as {gcp-full}'s preferred method of credential authentication, WIF is now the default authentication type when creating an {product-title} cluster on {GCP}. WIF greatly improves an {product-title} cluster's resilience against unauthorized access by using short-lived, least-privilege credentials and eliminating the need for static service account keys. For more information, see xref:../osd_gcp_clusters/creating-a-gcp-cluster-with-workload-identity-federation.adoc#creating-a-gcp-cluster-with-workload-identity-federation[Creating a cluster on {gcp-short} with Workload Identity Federation authentication].
