Add guide for sink to S3 with RoleARN

tidb-cloud/changefeed-sink-to-cloud-storage.md

@@ -20,14 +20,46 @@ This document describes how to create a changefeed to stream data from TiDB Clou
 
 ## Step 1. Configure destination
 
-Navigate to the cluster overview page of the target TiDB cluster. Click **Data** > **Changefeed** in the left navigation pane, click **Create Changefeed**, and select **Amazon S3**, **GCS**, or **Azure Blob Storage** as the destination. The configuration process varies depend on the destination you choose.
+Navigate to the cluster overview page of the target TiDB cluster. Click **Data** > **Changefeed** in the left navigation pane, click **Create Changefeed** to go to the **Configure Destination** page, and then select **Amazon S3**, **GCS**, or **Azure Blob Storage** as the destination. The configuration process varies depending on the destination you choose.
 
 <SimpleTab>
 <div label="Amazon S3">
 
-For **Amazon S3**, fill the **S3 Endpoint** area: `S3 URI`, `Access Key ID`, and `Secret Access Key`. Make the S3 bucket in the same region with your TiDB cluster.
+For **Amazon S3**, you can use either **AWS Role ARN** or **AWS access key** for authentication. Using **AWS Role ARN** is recommended for stronger security and easier management.
 
-![s3_endpoint](/media/tidb-cloud/changefeed/sink-to-cloud-storage-s3-endpoint.jpg)
+**Option 1: AWS Role ARN (recommended)**
+
+To use an IAM Role for authentication, follow these steps:
+
+1. On the **Configure Destination** page for Amazon S3, enter the **S3 URI**. Make sure that the S3 bucket is in the same AWS region as your TiDB cluster.
+2. Under **Bucket Access**, select **AWS Role ARN**.
+3. To create a new Role ARN, click **Click here to create new one with AWS CloudFormation**. This template automatically configures the required permissions.
+
+    If you prefer to create the role manually, click **Create Role ARN manually** to view the TiDB Cloud account information and the required policy.
+
+4. Ensure your IAM role has at least the following permissions for the target bucket:
+
+    - `s3:ListBucket`
+    - `s3:PutObject`
+    - `s3:GetObject`
+    - `s3:DeleteObject`
+
+5. Paste the generated **Role ARN** into the corresponding field.
+
+**Option 2: AWS access key**
+
+> **Note:**
+>
+> Using an access key and secret key (AK/SK) requires manual credential management and rotation, which increases security risks. For stronger security, it is recommended to use **AWS Role ARN** instead.
+
+To use an access key for authentication, follow these steps:
+
+1. On the **Configure Destination** page for Amazon S3, enter the **S3 URI**. Make sure that the S3 bucket is in the same AWS region as your TiDB cluster.
+2. Under **Bucket Access**, select **AWS Access Key**.
+3. Fill in the following fields:
+
+    - **Access Key ID**
+    - **Secret Access Key**
 
 </div>
 <div label="GCS">