Mention Barbican creator role in config reference

A normal user can't create an encrypted volme without the
creator role defined in Barbican's policy.json. This patch
adds this detail to the configuration reference section on
volume encryption.

Change-Id: I947ee10090f11a38c93d7bcde5d590a84e0b972f
Closes-Bug: #1627609

doc/config-reference/source/block-storage/volume-encryption.rst

@@ -142,6 +142,18 @@ type, ``unencrypted``, is used.
 Notice the encrypted parameter; it will show ``True`` or ``False``.
 The option ``volume_type`` is also shown for easy review.
 
+Non-admin users need the ``creator`` role to store secrets in Barbican
+and to create encrypted volumes. As an administrator, you can give a user
+the creator role in the following way:
+
+.. code-block:: console
+
+   $ openstack role add --project PROJECT --user USER creator
+
+For details, see the
+`Barbican Access Control page
+<http://docs.openstack.org/developer/barbican/admin-guide-cloud/access_control.html>`_.
+
 .. note::
 
    Due to the issue that some of the volume drivers do not set