From acc1ce3603435f1c0cf23b8606af71b05e566f2f Mon Sep 17 00:00:00 2001 From: sai-sunder-s <4540365+sai-sunder-s@users.noreply.github.com> Date: Fri, 29 Jul 2022 21:05:51 +0000 Subject: [PATCH] docs: update wif documentation with enable-imdsv2 flag (#940) Co-authored-by: Leo <39062083+lsirac@users.noreply.github.com> --- README.md | 12 +++++++++--- 1 file changed, 9 insertions(+), 3 deletions(-) diff --git a/README.md b/README.md index b03d5aeb4..de8018ac4 100644 --- a/README.md +++ b/README.md @@ -195,10 +195,16 @@ Where the following variables need to be substituted: This generates the configuration file in the specified output file. -If you want to use the AWS IMDSv2 flow, you can add the field below to the credential_source in your AWS ADC configuration file: -"imdsv2_session_token_url": "http://169.254.169.254/latest/api/token" +If you are using [AWS IMDSv2](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/configuring-instance-metadata-service.html), an additional flag `--enable-imdsv2` needs to be added to the `gcloud iam workload-identity-pools create-cred-config` command: -The gcloud create-cred-config command will be updated to support this soon. +```bash +gcloud iam workload-identity-pools create-cred-config \ + projects/$PROJECT_NUMBER/locations/global/workloadIdentityPools/$POOL_ID/providers/$AWS_PROVIDER_ID \ + --service-account $SERVICE_ACCOUNT_EMAIL \ + --aws \ + --output-file /path/to/generated/config.json \ + --enable-imdsv2 +``` You can now [use the Auth library](#using-external-identities) to call Google Cloud resources from AWS.
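Review bot: The hunk drops the only mention of what the IMDSv2 setting looks like in the generated file (`"imdsv2_session_token_url": "http://169.254.169.254/latest/api/token"` under `credential_source`), so readers who maintain hand-written or previously generated ADC configuration files can no longer tell what `--enable-imdsv2` adds or how to apply the equivalent change to an existing file. Suggest keeping one sentence after the new `gcloud` example, e.g. "This adds `imdsv2_session_token_url` to the `credential_source` section of the generated configuration; existing files can be updated by adding the same field." The new sentence before the fence also reads a little awkwardly ("an additional flag ... needs to be added to the ... command"); "pass the additional `--enable-imdsv2` flag to `gcloud iam workload-identity-pools create-cred-config`:" would be tighter.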