@@ -4,11 +4,16 @@
{
"Effect": "Allow",
"Action": [
"ec2:CopyVolumes",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeInstances",
"ec2:DescribeSnapshots",
"ec2:DescribeTags",
"ec2:DescribeVolumes",
"ec2:DescribeVolumesModifications"
"ec2:DescribeVolumesModifications",
"ec2:DescribeVolumeStatus",
"ec2:EnableFastSnapshotRestores",
"ec2:LockSnapshot"
],
"Resource": "*"
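Review bot: the two new write-capable actions `"ec2:EnableFastSnapshotRestores"` and `"ec2:LockSnapshot"` are appended to the same statement as the read-only `Describe*` calls, so they inherit that statement's `"Resource": "*"`. Unlike the Describe actions these two operate on a snapshot, so move them into a second statement whose Resource is the snapshot ARN pattern (and, where the cluster tags its snapshots, add a resource-tag condition), leaving the wildcard statement to the `Describe*` calls only. The trailing-comma fix on `"ec2:DescribeVolumesModifications",` and the read-only `"ec2:DescribeVolumeStatus"` are fine as they are.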
Comment on lines +15 to 18
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

url="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
tmp="$(mktemp)"
curl -fsSL "$url" -o "$tmp"

for action in EnableFastSnapshotRestores LockSnapshot CopyVolumes CopyVolume; do
  echo "===== ${action} ====="
  rg -n -C2 "${action}" "$tmp" || echo "No match in service authorization reference"
done

Repository: openshift/managed-cluster-config

Length of output: 2902


🏁 Script executed:

#!/bin/bash
set -euo pipefail

url="https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonec2.html"
tmp="$(mktemp)"
curl -fsSL "$url" -o "$tmp"

# Search for resource-level permissions table for EnableFastSnapshotRestores
echo "===== EnableFastSnapshotRestores - Full Details ====="
rg -n -A15 'id="amazonec2-EnableFastSnapshotRestores"' "$tmp" | head -40

echo -e "\n===== LockSnapshot - Full Details ====="
rg -n -A15 'id="amazonec2-LockSnapshot"' "$tmp" | head -40

# Also check for ARN resource patterns commonly used in EC2
echo -e "\n===== Searching for snapshot ARN patterns ====="
rg -n 'snapshot' "$tmp" | grep -i 'arn\|resource' | head -20

Repository: openshift/managed-cluster-config

Length of output: 3290


Scope snapshot actions to specific resources instead of wildcard.

The EnableFastSnapshotRestores and LockSnapshot actions in lines 15–16 support resource-level permissions (snapshot* ARNs) per AWS documentation. Using Resource: "*" violates least-privilege. Move these actions to a separate statement scoped to snapshot ARNs (e.g., arn:aws:ec2:region::snapshot/* or condition-filtered equivalents).

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json` around lines 15-18, the policy currently grants ec2:EnableFastSnapshotRestores and ec2:LockSnapshot with "Resource": "*", so change it to a least-privilege pattern by moving those two actions into their own statement (separate from the existing statement that uses "Resource": "*") and scope that new statement to snapshot ARNs instead of wildcard; for example set the new statement's Resource to an ARN pattern like "arn:aws:ec2:<region>:<account>:snapshot/*" (or use an equivalent condition-based filter) so ec2:EnableFastSnapshotRestores and ec2:LockSnapshot apply only to snapshot resources.

},
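As an added illustration of the split the review comment asks for (example code written here, not from the openshift/managed-cluster-config repository or from the review bot): a small Python check that flags mutating ec2 actions granted on a wildcard resource, run against the two added actions as they sit in the merged statement and against a two-statement version scoped to snapshot ARNs. Treating every non-Describe/Get/List ec2 action as write-capable is an assumption of this example.

```python
"""Flag EC2 write actions granted on Resource "*" in an IAM policy document."""
import re

# Assumption of this example: an ec2 action that is not Describe/Get/List can
# change state and should not be granted on a wildcard resource.
READ_ONLY = re.compile(r"^ec2:(Describe|Get|List)")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def wildcard_write_actions(policy):
    """Return [(statement index, action)] for mutating actions granted on "*"."""
    findings = []
    for idx, stmt in enumerate(_as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow":
            continue
        if "*" not in _as_list(stmt.get("Resource", [])):
            continue
        for action in _as_list(stmt.get("Action", [])):
            if action.startswith("ec2:") and not READ_ONLY.match(action):
                findings.append((idx, action))
    return findings

# Constructed: the added actions as they sit in the Allow statement after the diff.
AS_MERGED = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["ec2:DescribeSnapshots", "ec2:DescribeVolumeStatus",
               "ec2:EnableFastSnapshotRestores", "ec2:LockSnapshot"],
    "Resource": "*"}]}

# Constructed: the split the review asks for. EC2 snapshot ARNs carry no
# account id (hence the empty field); the region is left as a wildcard here.
SPLIT = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["ec2:DescribeSnapshots", "ec2:DescribeVolumeStatus"],
     "Resource": "*"},
    {"Effect": "Allow",
     "Action": ["ec2:EnableFastSnapshotRestores", "ec2:LockSnapshot"],
     "Resource": "arn:aws:ec2:*::snapshot/*"}]}

if __name__ == "__main__":
    for name, pol in (("merged", AS_MERGED), ("split", SPLIT)):
        print(name, wildcard_write_actions(pol))
```

Running it reports the two snapshot actions for the merged statement and nothing for the split version; a Deny statement or a non-wildcard Resource is never reported.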