From d3859a96e5df84dc941c5e0e66fab1405725576b Mon Sep 17 00:00:00 2001 From: chenfei Date: Thu, 19 Sep 2024 16:55:23 +0800 Subject: [PATCH 1/2] Optimize usage of External ID --- tidb-cloud/config-s3-and-gcs-access.md | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/tidb-cloud/config-s3-and-gcs-access.md b/tidb-cloud/config-s3-and-gcs-access.md index 38b1e3489545a..0c5c3b3663691 100644 --- a/tidb-cloud/config-s3-and-gcs-access.md +++ b/tidb-cloud/config-s3-and-gcs-access.md @@ -21,7 +21,7 @@ To allow TiDB Cloud to access the source data in your Amazon S3 bucket, you need Configure the bucket access for TiDB Cloud and get the Role ARN as follows: -1. In the [TiDB Cloud console](https://tidbcloud.com/), get the TiDB Cloud account ID and external ID of the target TiDB cluster. +1. In the [TiDB Cloud console](https://tidbcloud.com/), get the corresponding TiDB Cloud account ID and external ID of the target TiDB cluster. 1. Navigate to the [**Clusters**](https://tidbcloud.com/console/clusters) page of your project. 
@@ -117,7 +117,7 @@ Configure the bucket access for TiDB Cloud and get the Role ARN as follows: - Under **Trusted entity type**, select **AWS account**. - Under **An AWS account**, select **Another AWS account**, and then paste the TiDB Cloud account ID to the **Account ID** field. - - Under **Options**, click **Require external ID (Best practice when a third party will assume this role)**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", once the configuration is done for one TiDB cluster in a project, all TiDB clusters in that project can use the same Role ARN to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the corresponding TiDB cluster can access the bucket. + - Under **Options**, click **Require external ID (To avoid [Confused Deputy Problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html))**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", other users having your S3 bucket URI and IAM role ARN may be able to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the TiDB clusters running in your same project and same region can access the bucket. 3. Click **Next** to open the policy list, choose the policy you just created, and then click **Next**. 4. Under **Role details**, set a name for the role, and then click **Create role** in the lower-right corner. After the role is created, the list of roles is displayed. From 5f9cab916f976081c38eb6d351e9d530b31c486c Mon Sep 17 00:00:00 2001 From: ideascf Date: Wed, 9 Oct 2024 10:33:37 +0800 Subject: [PATCH 2/2] Update tidb-cloud/config-s3-and-gcs-access.md Co-authored-by: Grace Cai --- tidb-cloud/config-s3-and-gcs-access.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) 
diff --git a/tidb-cloud/config-s3-and-gcs-access.md b/tidb-cloud/config-s3-and-gcs-access.md index 0c5c3b3663691..fd438fef4d211 100644 --- a/tidb-cloud/config-s3-and-gcs-access.md +++ b/tidb-cloud/config-s3-and-gcs-access.md @@ -117,7 +117,7 @@ Configure the bucket access for TiDB Cloud and get the Role ARN as follows: - Under **Trusted entity type**, select **AWS account**. - Under **An AWS account**, select **Another AWS account**, and then paste the TiDB Cloud account ID to the **Account ID** field. - - Under **Options**, click **Require external ID (To avoid [Confused Deputy Problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html))**, and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", other users having your S3 bucket URI and IAM role ARN may be able to access your Amazon S3 bucket. If the role is created with the account ID and external ID, only the TiDB clusters running in your same project and same region can access the bucket. + - Under **Options**, click **Require external ID** to avoid the [confused deputy problem](https://docs.aws.amazon.com/IAM/latest/UserGuide/confused-deputy.html), and then paste the TiDB Cloud External ID to the **External ID** field. If the role is created without "Require external ID", anyone with your S3 bucket URI and IAM role ARN might be able to access your Amazon S3 bucket. If the role is created with both the account ID and external ID, only TiDB clusters running in the same project and the same region can access the bucket. 3. Click **Next** to open the policy list, choose the policy you just created, and then click **Next**. 4. Under **Role details**, set a name for the role, and then click **Create role** in the lower-right corner. After the role is created, the list of roles is displayed.
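Review bot: In PATCH 1/2, hunk `@@ -21,7 +21,7 @@` (step 1 of the S3 procedure), "corresponding" is added without saying what the account ID and external ID correspond to, so the reader still cannot tell whether these values are per cluster, per project or per region. The later hunk in the same patch states that a role created with both IDs is usable only by "TiDB clusters running in your same project and same region", so the scope should be spelled out here where the IDs are first obtained, for example: "get the TiDB Cloud account ID and the external ID for the project and region of the target TiDB cluster."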
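Review bot: In PATCH 1/2, hunk `@@ -117,7 +117,7 @@`, the explanatory text "(To avoid [Confused Deputy Problem](...))" is placed inside the bold UI label, so it reads as if it were part of the button name in the IAM console; it should sit outside the bold span as ordinary prose (PATCH 2/2 does this). The same hunk also silently changes the stated effect of the control: the removed line says a role with account ID and external ID is usable by "only the corresponding TiDB cluster", while the added line says "only the TiDB clusters running in your same project and same region". Since this sentence defines the isolation boundary the reader is relying on, the commit message should state that the earlier description was wrong and the new scope is the accurate one, rather than presenting it as an optimisation of wording. Finally, "other users having your S3 bucket URI and IAM role ARN may be able to access your Amazon S3 bucket" should name the actual path: the trust policy trusts the whole TiDB Cloud AWS account, so without the external ID condition any other TiDB Cloud tenant who learns the role ARN can have TiDB Cloud assume it on their behalf; that is the confused deputy case the link describes.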
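Review bot: In PATCH 2/2, hunk `@@ -117,7 +117,7 @@`, "anyone with your S3 bucket URI and IAM role ARN might be able to access your Amazon S3 bucket" is broader than what the trust policy allows: the role trusts the TiDB Cloud account, so the exposure is to other TiDB Cloud users who can get TiDB Cloud to assume the role, not to arbitrary holders of the ARN. Suggest "another TiDB Cloud user who knows your S3 bucket URI and IAM role ARN could have TiDB Cloud assume the role and read your bucket". It would also help to add a one-line verification after the role is created, such as checking that the role's trust policy contains a `Condition` on `sts:ExternalId` equal to the TiDB Cloud External ID, so the reader can confirm the control is actually in place rather than trusting that the checkbox was selected.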