- Bug
- Resolution: Done
- Undefined
- 4.16
- Moderate
- None
- 5
- OSDOCS Sprint 258, OSDOCS Sprint 259
- 2
- False
Description of problem:
Add the methods for getting the cluster infrastructure ID and the cluster OpenID Connect (OIDC) DNS, add the methods for getting the ALBO and ALBC AWS ARNs, update the trust policy file, and so on, so the documentation is more helpful for customers installing the ALBO on OCP AWS STS clusters.
Version-Release number of selected component (if applicable):
OCP-4.16 and OCP-4.17
How reproducible:
100%
Steps to Reproduce:
Update the 4.16 doc: https://docs.openshift.com/container-platform/4.16/networking/aws_load_balancer_operator/installing-albo-sts-cluster.html

1. Please add Prerequisites at the end of "Preparing for the AWS Load Balancer Operator on a cluster using the AWS Security Token Service":

   Prerequisites of installing an AWS Load Balancer Operator
   - You have installed the OpenShift CLI (oc).
   - You are using OpenShift Container Platform (OCP) 4.16 or later.
   - You can get the cluster infrastructure ID with the following oc command:
     $ oc get infrastructure cluster -o json | jq -r '.status.infrastructureName'
   - You can get the cluster OpenID Connect (OIDC) DNS with the following oc command, then you can get its AWS ARN on the AWS web console (IAM --> Access management --> Identity providers):
     $ oc get authentication.config cluster -o=jsonpath="{.spec.serviceAccountIssuer}"
     For example, the OIDC DNS is "https://rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f", and the oidc-arn is "arn:aws:iam::777777777777:oidc-provider/rh-oidc.s3.us-east-1.amazonaws.com/28292va7ad7mr9r4he1fb09b14t59t4f". (Note: 777777777777 is your AWS account number.)

2. In "Creating an AWS IAM role by using the Cloud Credential Operator utility", update the note for the example output in step 2. It could be:
   Note the Amazon Resource Name (ARN) of the AWS IAM role of the ALBO; it could be "arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-operator".

3. In "Creating an AWS IAM role by using the AWS CLI" for ALBO, update the trust policy file content in the first step:
   $ cat <<EOF > albo-operator-trust-policy.json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "<oidc-arn>"   <-- a
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-operator-controller-manager"   <-- b
           }
         }
       }
     ]
   }
   EOF
   a. Specifies the Amazon Resource Name (ARN) of the OIDC identity provider. For example, "arn:aws:iam::301721915996:oidc-provider/aos-hypershift-ci-oidc-305153.s3.us-east-2.amazonaws.com/hypershift-ci-3051531".
   b. Specifies the service account for the AWS Load Balancer Operator. For example, the cluster_oidc_endpoint could be "oidc-provider/aos-hypershift-ci-oidc-305153.s3.us-east-2.amazonaws.com/hypershift-ci-3051531".

4. In "Creating an AWS IAM role by using the AWS CLI" for ALBO, update the note of the example output in step 2:
   Note the ARN of the created IAM role for ALBO; it could be "arn:aws:iam::777777777777:role/albo-operator".

5. In "Configuring the ARN role for the AWS Load Balancer Operator", update <role-arn> to <albo-role-arn> in step 3, and add the example of albo-role-arn to the note:
   Specifies the ARN role to be used in the CredentialsRequest to provision the AWS credentials for the AWS Load Balancer Operator (ALBO). The albo-role-arn could be "arn:aws:iam::777777777777:role/albo-operator".

6. In "Creating an AWS IAM role for the controller by using the Cloud Credential Operator utility", update the note for the example output in step 2:
   a. Note the Amazon Resource Name (ARN) of the AWS IAM role for ALBC; the AWS ARN of ALBC here is "arn:aws:iam::777777777777:role/<name>-aws-load-balancer-operator-aws-load-balancer-controller".

7. In "Creating an AWS IAM role by using the AWS CLI", update the trust policy file content for ALBC in step 1:
   $ cat <<EOF > albo-controller-trust-policy.json
   {
     "Version": "2012-10-17",
     "Statement": [
       {
         "Effect": "Allow",
         "Principal": {
           "Federated": "<oidc-arn>"   <-- a
         },
         "Action": "sts:AssumeRoleWithWebIdentity",
         "Condition": {
           "StringEquals": {
             "<cluster_oidc_endpoint>:sub": "system:serviceaccount:aws-load-balancer-operator:aws-load-balancer-controller-cluster"   <-- b
           }
         }
       }
     ]
   }
   EOF
   a. Specifies the Amazon Resource Name (ARN) of the OIDC identity provider. For example, "arn:aws:iam::301721915996:oidc-provider/aos-hypershift-ci-oidc-305153.s3.us-east-2.amazonaws.com/hypershift-ci-3051531".
   b. Specifies the service account for the AWS Load Balancer Controller. For example, the cluster_oidc_endpoint could be "oidc-provider/aos-hypershift-ci-oidc-305153.s3.us-east-2.amazonaws.com/hypershift-ci-3051531".

8. In "Creating an AWS IAM role for the controller by using the AWS CLI", update the note in step 2:
   Note the ARN of the AWS IAM role of ALBC; for example, it could be "arn:aws:iam::777777777777:role/albo-controller".

9. In "Creating an AWS IAM role for the controller by using the AWS CLI", update <role-arn> to <albc-role-arn>, and add the example of albc-role-arn to the 3rd note:
   Specifies the ARN role for ALBC. The CredentialsRequest object uses this ARN role to provision the AWS credentials. It could be "arn:aws:iam::777777777777:role/albo-controller".
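The two trust policies above (ALBO and ALBC) rendered from the cluster's issuer URL by a small script, added here as an example that is not part of the ticket or the OpenShift documentation. It assumes the caller supplies the AWS account id and follows the AWS IAM convention that the StringEquals condition key is the issuer host/path without the scheme; the :sub condition is what restricts each role to exactly one service account.

```shell
#!/bin/sh
# Added example (not from the ticket or the OpenShift docs). Builds the OIDC
# provider ARN, the IAM condition key and the trust policy from the issuer URL
# that "oc get authentication.config cluster -o=jsonpath=..." prints.
# Assumptions: issuer is https://<host>/<path>; the caller supplies the AWS
# account id; the condition key is the issuer host/path without the scheme.

# oidc_hostpath <issuer_url>: strip the scheme and any trailing slash
oidc_hostpath() {
  hp="${1#*://}"
  printf '%s\n' "${hp%/}"
}

# oidc_arn <account_id> <issuer_url>: arn:aws:iam::<account>:oidc-provider/<host/path>
oidc_arn() {
  printf 'arn:aws:iam::%s:oidc-provider/%s\n' "$1" "$(oidc_hostpath "$2")"
}

# service_account operator|controller: the service account each role trusts
service_account() {
  case "$1" in
    operator)   printf '%s\n' aws-load-balancer-operator-controller-manager ;;
    controller) printf '%s\n' aws-load-balancer-controller-cluster ;;
    *) echo "unknown component: $1" >&2; return 1 ;;
  esac
}

# trust_policy <account_id> <issuer_url> operator|controller
# The :sub condition pins the role to exactly one service account, so no other
# workload holding a token from this issuer may assume it.
trust_policy() {
  sa="$(service_account "$3")" || return 1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": { "Federated": "$(oidc_arn "$1" "$2")" },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "$(oidc_hostpath "$2"):sub": "system:serviceaccount:aws-load-balancer-operator:$sa"
        }
      }
    }
  ]
}
EOF
}
```

Run `trust_policy <account-id> "$(oc get authentication.config cluster -o=jsonpath='{.spec.serviceAccountIssuer}')" operator > albo-operator-trust-policy.json` (and the same with `controller`) to produce the two files the doc steps create by hand.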
Actual results:
The documentation misses some details of configuring the ALBO on an AWS STS cluster.
Expected results:
The details of configuring the ALBO on an AWS STS cluster are added.
Additional info:
- relates to: OCPBUGS-38771 update the doc of AWS Load Balancer Operator on ROSA cluster (Closed)
- links to