From ad4fc0b1e45f3dfb7cd73fa974b0b5c76cf1a145 Mon Sep 17 00:00:00 2001 From: Scott Seago Date: Thu, 3 Nov 2022 17:12:05 -0400 Subject: [PATCH] add VSL credentials documentation. Signed-off-by: Scott Seago --- site/content/docs/main/locations.md | 54 ++++++++++++++++++++++++++++- 1 file changed, 53 insertions(+), 1 deletion(-) diff --git a/site/content/docs/main/locations.md b/site/content/docs/main/locations.md index 1b4cc15d8..db347801b 100644 --- a/site/content/docs/main/locations.md +++ b/site/content/docs/main/locations.md 
@@ -205,7 +205,7 @@ kubectl create secret generic -n velero credentials --from-file=bsl= \ --credential== ``` +### Create a volume snapshot location that uses unique credentials + +It is possible to create additional `VolumeSnapshotLocations` that use their own credentials. +This may be necessary if you already have default credentials which don't match the account used by the cloud volumes being backed up. + +If you create additional `VolumeSnapshotLocations` without specifying the credentials to use, Velero will use the credentials provided at install time and stored in the `cloud-credentials` secret. + +#### Prerequisites +- This feature requires support from the [volume snapshotter plugin][5] you wish to use. + All plugins maintained by the Velero team support this feature. + If you are using a plugin from another provider, please check their documentation to determine if this is supported. +- The [plugin for the volume snapshotter provider][5] you wish to use must be [installed][6]. +- You must create a file with the object storage credentials. Follow the instructions provided by your object storage provider plugin to create this file. + +Once you have installed the necessary plugin and created the credentials file, create a [Kubernetes Secret][7] in the Velero namespace that contains these credentials: + +```shell +kubectl create secret generic -n velero credentials --from-file=vsl= +``` + +This will create a secret named `credentials` with a single key (`vsl`) which contains the contents of your credentials file. +Next, create a `VolumeSnapshotLocation` that uses this Secret by passing the Secret name and key in the `--credential` flag. +When interacting with this `VolumeSnapshotLocation` in the future, Velero will fetch the data from the key within the Secret you provide. 
+ +For example, a new `VolumeSnapshotLocation` with a Secret would be configured as follows: + +```bash +velero snapshot-location create \ + --provider \ + --config region= \ + --credential== +``` + +To use this new `VolumeSnapshotLocation` when performing a backup, use the flag `--volume-snapshot-locations [, \ + --credential== +``` + ## Additional Use Cases 1. If you're using Azure's AKS, you may want to store your volume snapshots outside of the "infrastructure" resource group that is automatically created when you create your AKS cluster. This is possible using a `VolumeSnapshotLocation`, by specifying a `resourceGroup` under the `config` section of the snapshot location. See the [Azure volume snapshot location documentation][3] for details.
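Review bot: The third bullet under "Prerequisites" still says "object storage credentials" and "your object storage provider plugin", which reads as carried over from the backup storage location section. For a `VolumeSnapshotLocation` the credentials file belongs to the volume snapshotter, so the bullet should point at that plugin's instructions, for example "You must create a file with the volume snapshotter credentials. Follow the instructions provided by your volume snapshotter plugin to create this file."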
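Review bot: The added `kubectl create secret generic -n velero credentials --from-file=vsl=` command reuses the Secret name `credentials`, which the context line at the top of the hunk already creates with `--from-file=bsl=`. A reader who follows both sections in order will get an AlreadyExists error from the second `kubectl create`. Either use a distinct Secret name in this section, or say explicitly that the `bsl` and `vsl` keys can be placed in one Secret by passing both `--from-file` arguments in a single command. Minor style point in the same region: the two new code fences are tagged `shell` and `bash` respectively; pick one to match the rest of locations.md.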