docs: Move the authorization content out of the resources docs (#1010)

docs/user/00-30-vpc-peering.md

@@ -18,10 +18,7 @@ You can configure Cloud Manager's VPC peering using a dedicated custom resource
 
 Before you initiate VPC peering from a Kyma cluster, you must perform the following actions:
 
-* Authorize Cloud Manager in the remote cloud provider landscape. For more information, see the relevant documents for the following cloud providers:
-  * Amazon Web Services: See [Authorization](./resources/04-30-10-aws-vpc-peering.md#authorization).
-  * Google Cloud: See [Required Permissions in the Remote Project](./resources/04-30-20-gcp-vpc-peering.md#required-permissions-in-the-remote-project).
-  * Microsoft Azure: See [Authorization](./resources/04-30-30-azure-vpc-peering.md#authorization).
+* Authorize Cloud Manager in the remote cloud provider landscape. For more information, see [Authorizing Cloud Manager in the Remote Cloud Provider](00-50-vpc-peering-authorization.md)
 * Tag the remote network with the Kyma shoot name. For more information, see the following tutorials:
   * [Create Virtual Private Cloud Peering in Amazon Web Services](./tutorials/01-30-10-aws-vpc-peering.md).
   * [Create Virtual Private Cloud Peering in Google Cloud](./tutorials/01-30-20-gcp-vpc-peering.md).

docs/user/00-50-vpc-peering-authorization.md

@@ -0,0 +1,94 @@
+# Authorizing Cloud Manager in the Remote Cloud Provider
+
+To create VPC peering in the Kyma environment, you must authorize the Cloud Manager module in the remote cloud provider to accept the connection.
+
+## Amazon Web Services
+
+For cross-account access in Amazon Web Services, Cloud Manager uses `AssumeRole`. `AssumeRole` requires specifying the trusted principle. For more information, see the [official Amazon Web Services documentation](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html).
+
+Use the following table to identify the Cloud Manager principal based on your Kyma landscape. Then perform the required actions:
+
+| BTP Cockpit URL                    | Kyma Dashboard URL                     | Cloud Manager Principal                                      |
+|------------------------------------|----------------------------------------|--------------------------------------------------------------|
+| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` |
+| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod`  |
+
+1. Create a new role named **CloudManagerPeeringRole** with a trust policy that allows the Cloud Manager principal to assume the role:
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Effect": "Allow",
+                "Principal": {
+                    "AWS": "{CLOUD_MANAGER_PRINCIPAL}"
+                },
+                "Action": "sts:AssumeRole"
+            }
+        ]
+    }
+
+    ```
+
+2. Create a new **CloudManagerPeeringAccess** managed policy with the following permissions:
+
+    ```json
+    {
+        "Version": "2012-10-17",
+        "Statement": [
+            {
+                "Sid": "Statement1",
+                "Effect": "Allow",
+                "Action": [
+                    "ec2:AcceptVpcPeeringConnection",
+                    "ec2:DescribeVpcs",
+                    "ec2:DescribeVpcPeeringConnections",
+                    "ec2:DescribeRouteTables",
+                    "ec2:CreateRoute",
+                    "ec2:CreateTags"
+                ],
+                "Resource": "*"
+            }
+        ]
+    }
+    ```
+
+3. Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**.
+
+## Google Cloud
+
+Grant the following permissions to the Kyma service account in your GCP project:
+
+| Permission                           | Description                                                                 |
+|--------------------------------------|-----------------------------------------------------------------------------|
+| `compute.networks.addPeering`        | Required to create the peering request in the remote project and VPC.       |
+| `compute.networks.get`               | Required to fetch the list of existing VPC peerings from the remote VPC.    |
+| `compute.networks.ListEffectiveTags` | Required to check if the remote VPC is tagged with the Kyma shoot name tag. |
+
+For more information on how to manage access to service accounts, see the [official Google Cloud documentation](https://cloud.google.com/iam/docs/manage-access-service-accounts).
+
+### Service Account
+
+For security reasons, each Kyma landscape has its own service account. Use the following table to identify the correct Cloud Manager service account for your Kyma landscape:
+
+| BTP Cockpit URL                    | Kyma Dashboard URL                     | Cloud Manager Service Account                                          |
+|------------------------------------|----------------------------------------|------------------------------------------------------------------------|
+| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com` |
+| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | `cloud-manager-peering@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com`  |
+
+## Microsoft Azure
+
+Microsoft Azure requires specifying the service principal. Use the following table to identify the Cloud Manager service principal based on your Kyma landscape:
+
+| BTP Cockpit URL                    | Kyma Dashboard URL                     | Cloud Manager Service Principal  |
+|------------------------------------|----------------------------------------|----------------------------------|
+| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | kyma-cloud-manager-peering-stage |
+| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | kyma-cloud-manager-peering-prod  |
+
+Assign the following Identity and Access Management (IAM) roles to the Cloud Manager service principal:
+
+* Classic Network Contributor
+* Network Contributor
+
+For more information, see the official Microsoft Azure documentation on how to [Assign Azure roles using the Azure portal](https://learn.microsoft.com/en-us/azure/role-based-access-control/role-assignments-portal) and how to [Manage service principals](https://learn.microsoft.com/en-us/azure/databricks/admin/users-groups/service-principals).

docs/user/resources/04-30-10-aws-vpc-peering.md

@@ -7,61 +7,6 @@ of the same cloud provider.
 Once an `AwsVpcPeering` CR is created and reconciled, the Cloud Manager controller creates a VPC peering connection in 
 the Kyma cluster underlying cloud provider account and accepts VPC peering connection in the remote cloud provider account.
 
-## Authorization
-
-Cloud Manager must be authorized in the remote cloud provider account to accept VPC peering connection. For cross-account access,
-Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/assume-role.html).
-
-Use the following table to identify Cloud Manager principal based on your Kyma landscape:
-
-| BTP cockpit URL                    | Kyma dashboard URL                     | Cloud Manager principal                                      |
-|------------------------------------|----------------------------------------|--------------------------------------------------------------|
-| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` |
-| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod`  |
-
-1. Create a new role named **CloudManagerPeeringRole** with a trust policy that allows Cloud Manager principal to assume the role:
-
-    ```json
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Effect": "Allow",
-                "Principal": {
-                    "AWS": "{CLOUD_MANAGER_PRINCIPAL}"
-                },
-                "Action": "sts:AssumeRole"
-            }
-        ]
-    }
-
-    ```
-
-2. Create a new managed policy **CloudManagerPeeringAccess** with the following permissions:
-
-    ```json
-    {
-        "Version": "2012-10-17",
-        "Statement": [
-            {
-                "Sid": "Statement1",
-                "Effect": "Allow",
-                "Action": [
-                    "ec2:AcceptVpcPeeringConnection",
-                    "ec2:DescribeVpcs",
-                    "ec2:DescribeVpcPeeringConnections",
-                    "ec2:DescribeRouteTables",
-                    "ec2:CreateRoute",
-                    "ec2:CreateTags"
-                ],
-                "Resource": "*"
-            }
-        ]
-    }
-    ```
-
-3. Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**:
-
 ## Required Actions in the Remote Project
 
 Before creating the VPC peering, please tag your AWS account VPC with the Kyma shoot name tag.  

docs/user/resources/04-30-20-gcp-vpc-peering.md

@@ -4,35 +4,11 @@ The `gcpvpcpeering.cloud-resources.kyma-project.io` custom resource (CR) describ
  that you can create to allow communication between Kyma and a remote VPC in Google Cloud Platform (GCP).
 It enables you to consume services available in the remote VPC from the Kyma cluster.
 
-## Required Permissions in the Remote Project
-
-To create VPC peering, the following permissions must be granted to the Kyma service account in your GCP project:
-
-| Permission                           | Description                                                                 |
-|--------------------------------------|-----------------------------------------------------------------------------|
-| `compute.networks.addPeering`        | Required to create the peering request in the remote project and VPC.       |
-| `compute.networks.get`               | Required to fetch the list of existing VPC peerings from the remote VPC.    |
-| `compute.networks.ListEffectiveTags` | Required to check if the remote VPC is tagged with the Kyma shoot name tag. |
-
-For more information on how to manage access to service accounts, see the [Google Cloud documentation](https://cloud.google.com/iam/docs/manage-access-service-accounts).
-
-### Service Account
-
-For security reasons, each Kyma landscape has its own service account.
-Use the following table to identify the correct Cloud Manager service account for your Kyma landscape:
-
-| BTP cockpit URL                    | Kyma Dashboard URL                     | Cloud Manager service account                                          |
-|------------------------------------|----------------------------------------|------------------------------------------------------------------------|
-| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `cloud-manager-peering@sap-ti-dx-kyma-mps-stage.iam.gserviceaccount.com` |
-| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | `cloud-manager-peering@sap-ti-dx-kyma-mps-prod.iam.gserviceaccount.com`  |
-
-
 ## Required Actions in the Remote Project
 
 Before creating the VPC peering, please tag your GCP project's VPC with the Kyma shoot name tag.  
 For more information, check the [Create Virtual Private Cloud Peering in Google Cloud](../tutorials/01-30-20-gcp-vpc-peering.md) tutorial.
 
-
 ## Specification <!-- {docsify-ignore} -->
 
 This table lists the parameters of the given resource together with their descriptions:
@@ -72,4 +48,4 @@ spec:
   remoteProject: "my-remote-project"
   remoteVpc: "default"
   importCustomRoutes: false
-```
+```

docs/user/resources/04-30-30-azure-vpc-peering.md

@@ -8,29 +8,11 @@ Once an `AzureVpcPeering` CR is created and reconciled, the Cloud Manager contro
 the VPC network of the Kyma cluster in the underlying cloud provider subscription, and accepts a VPC peering connection in
 the remote cloud provider subscription.
 
-## Authorization
-
-Cloud Manager must be authorized in the remote cloud provider subscription to accept a VPC peering connection.
-
-Use the following table to identify Cloud Manager service principal based on your Kyma landscape:
-
-| BTP cockpit URL                    | Kyma dashboard URL                     | Cloud Manager service principal  |
-|------------------------------------|----------------------------------------|----------------------------------|
-| https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | kyma-cloud-manager-peering-stage |
-| https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap       | kyma-cloud-manager-peering-prod  |
-
-And assign the following Identity and Access Management (IAM) roles to the Cloud Manager service principal:
-
-* Classic Network Contributor
-* Network Contributor
-
 ## Required Actions in the Remote Project
 
 Before creating the VPC peering, please tag your Azure subscription VPC with the Kyma shoot name tag.  
 For more information, check the [Create Virtual Private Cloud Peering in Microsoft Azure](../tutorials/01-30-30-azure-vpc-peering.md) tutorial.
 
-
-
 ## Deleting `AzureVpcPeering`
 
 Kyma's underlying cloud provider VPC peering connection is deleted as a part of the AzureVpcPeering deletion. The remote VPC

docs/user/tutorials/01-30-10-aws-vpc-peering.md

@@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne
     export AWS_REGION={REGION}
     ```
 
-2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md#authorization) to identify Cloud Manager principal:
+2. Create a trust policy document. See [Authorizing Cloud Manager in the Remote Cloud Provider](../00-50-vpc-peering-authorization.md#amazon-web-services) to identify Cloud Manager principal:
 
     ```shell
     export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}

docs/user/tutorials/01-30-30-azure-vpc-peering.md

@@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne
     az account set --subscription $SUBSCRIPTION
     ```
 
-2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md#authorization) to identify Cloud Manager service principal: 
+2. Assign the required roles to the Cloud Manager peering service principal. See [Authorizing Cloud Manager in the Remote Cloud Provider](../00-50-vpc-peering-authorization.md#microsoft-azure) to identify Cloud Manager service principal: 
     ```shell
     export SUBSCRIPTION_ID=$(az account show --query id -o tsv)
     export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}