
SREP-4038, STOR-2766: Update hcp aws-ebs-csi-driver credentials#2670

Open

dfajmon wants to merge 1 commit into openshift:master from dfajmon:update-aws-credentials

Conversation


@dfajmon dfajmon commented Mar 16, 2026

What type of PR is this?

feature

What this PR does / why we need it?

This PR updates the IAM permission policy for the aws-ebs-csi-driver to align with upstream changes required for the OpenShift rebase. These updates ensure full driver functionality and support for enhanced EBS features.

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster
  • Included documentation changes with PR

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 16, 2026

openshift-ci-robot commented Mar 16, 2026

@dfajmon: This pull request references STOR-2766 which is a valid jira issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


coderabbitai bot commented Mar 16, 2026

Walkthrough

The change expands IAM permissions in an EBS operator cloud credentials policy document, adding six new EC2 actions including volume operations, availability zone queries, and snapshot management capabilities to the existing policy statement's action list.

Changes

Cohort / File(s): IAM Policy Permissions (resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json)
Summary: Added six EC2 actions to the first policy statement: ec2:CopyVolumes, ec2:DescribeAvailabilityZones, ec2:DescribeVolumeStatus, ec2:EnableFastSnapshotRestores, and ec2:LockSnapshot.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes


@dfajmon dfajmon changed the title STOR-2766: Update hcp aws-ebs-csi-driver credentials SREP-4038, STOR-2766: Update hcp aws-ebs-csi-driver credentials Mar 16, 2026

openshift-ci-robot commented Mar 16, 2026

@dfajmon: This pull request references SREP-4038 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.22.0" version, but no target version was set.

This pull request references STOR-2766 which is a valid jira issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot requested review from iamkirkbater and typeid March 16, 2026 15:28

openshift-ci bot commented Mar 16, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: dfajmon
Once this PR has been reviewed and has the lgtm label, please assign iamkirkbater for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json`:
- Around line 15-18: The policy currently grants ec2:EnableFastSnapshotRestores
and ec2:LockSnapshot with "Resource": "*", so change it to a least-privilege
pattern by moving those two actions into their own statement (separate from the
existing statement that uses "Resource": "*") and scope that new statement to
snapshot ARNs instead of wildcard; for example set the new statement's Resource
to an ARN pattern like "arn:aws:ec2:<region>:<account>:snapshot/*" (or use an
equivalent condition-based filter) so ec2:EnableFastSnapshotRestores and
ec2:LockSnapshot apply only to snapshot resources.


📥 Commits

Reviewing files that changed from the base of the PR and between b8bb4eb and 82ac13f.

📒 Files selected for processing (1)
  • resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json

Comment on lines +15 to 18
"ec2:EnableFastSnapshotRestores",
"ec2:LockSnapshot"
],
"Resource": "*"
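Review bot: ec2:EnableFastSnapshotRestores and ec2:LockSnapshot are appended to the statement that ends with "Resource": "*", yet both accept snapshot ARNs, so they belong in a separate Allow statement scoped to arn:aws:ec2:*::snapshot/* while the Describe* actions, which only work with "*", stay where they are. The walkthrough above counts six added actions but names five, so the complete action list should be checked against the diff, and the PR description should say why the driver needs LockSnapshot, since that action prevents snapshot deletion and is not an obvious CSI driver need.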

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

url="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
tmp="$(mktemp)"
curl -fsSL "$url" -o "$tmp"

for action in EnableFastSnapshotRestores LockSnapshot CopyVolumes CopyVolume; do
  echo "===== ${action} ====="
  rg -n -C2 "${action}" "$tmp" || echo "No match in service authorization reference"
done

Repository: openshift/managed-cluster-config

Length of output: 2902


🏁 Script executed:

#!/bin/bash
set -euo pipefail

url="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
tmp="$(mktemp)"
curl -fsSL "$url" -o "$tmp"

# Search for resource-level permissions table for EnableFastSnapshotRestores
echo "===== EnableFastSnapshotRestores - Full Details ====="
rg -n -A15 'id="amazonec2-EnableFastSnapshotRestores"' "$tmp" | head -40

echo -e "\n===== LockSnapshot - Full Details ====="
rg -n -A15 'id="amazonec2-LockSnapshot"' "$tmp" | head -40

# Also check for ARN resource patterns commonly used in EC2
echo -e "\n===== Searching for snapshot ARN patterns ====="
rg -n 'snapshot' "$tmp" | grep -i 'arn\|resource' | head -20

Repository: openshift/managed-cluster-config

Length of output: 3290


Scope snapshot actions to specific resources instead of wildcard.

The EnableFastSnapshotRestores and LockSnapshot actions in lines 15–16 support resource-level permissions (snapshot* ARNs) per AWS documentation. Using Resource: "*" violates least-privilege. Move these actions to a separate statement scoped to snapshot ARNs (e.g., arn:aws:ec2:region::snapshot/* or condition-filtered equivalents).

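As an added example, not code from this PR or from the review bot, the following Python detects the finding above on a constructed policy modelled on the one this PR edits and applies the suggested split; the sample policy, the snapshot ARN pattern and the set of snapshot-scopable actions are assumptions taken from the review text.

```python
import copy

# Constructed sample modelled on the policy this PR edits (not the repo's
# file): all five new actions sit in one statement with a wildcard Resource.
SAMPLE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": [
            "ec2:CopyVolumes", "ec2:DescribeAvailabilityZones",
            "ec2:DescribeVolumeStatus", "ec2:EnableFastSnapshotRestores",
            "ec2:LockSnapshot",
        ],
        "Resource": "*",
    }],
}

# Actions the review flags as supporting snapshot-level ARNs. EC2 Describe*
# actions stay on "*": they do not support resource-level permissions.
SNAPSHOT_SCOPED_ACTIONS = {"ec2:EnableFastSnapshotRestores", "ec2:LockSnapshot"}

def _as_list(value):
    # IAM allows a bare string or a list for Action/Resource.
    return [value] if isinstance(value, str) else list(value or [])

def find_wildcard_snapshot_grants(policy):
    """Detect the finding: (statement index, action) pairs where a
    snapshot-scopable action is allowed with Resource "*"."""
    hits = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") == "Allow" and "*" in _as_list(stmt.get("Resource")):
            hits += [(i, a) for a in _as_list(stmt.get("Action"))
                     if a in SNAPSHOT_SCOPED_ACTIONS]
    return hits

def scope_snapshot_actions(policy, snapshot_arn="arn:aws:ec2:*::snapshot/*"):
    """Apply the fix: move the flagged actions out of every wildcard Allow
    statement into one statement scoped to snapshot ARNs (no account field)."""
    fixed = copy.deepcopy(policy)
    moved = set()
    for stmt in fixed["Statement"]:
        if stmt.get("Effect") != "Allow" or "*" not in _as_list(stmt.get("Resource")):
            continue
        actions = _as_list(stmt.get("Action"))
        moved.update(a for a in actions if a in SNAPSHOT_SCOPED_ACTIONS)
        stmt["Action"] = [a for a in actions if a not in SNAPSHOT_SCOPED_ACTIONS]
    if moved:
        fixed["Statement"].append(
            {"Effect": "Allow", "Action": sorted(moved), "Resource": snapshot_arn})
    return fixed
```

Running `find_wildcard_snapshot_grants` on the output of `scope_snapshot_actions` returns an empty list, which is the check a CI job could run over the policy files under resources/sts/.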


dfajmon commented Mar 17, 2026

/hold

@openshift-ci openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label Mar 17, 2026

openshift-ci bot commented Apr 6, 2026

@dfajmon: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.
