OCPBUGS-63305: Make SimulatePrincipalPolicy optional

barbacbd · barbacbd · commit 12cd06c842a3 · 2025-11-13T15:52:39.000-05:00
Removing SimulatePrincipalPolicy as a required permission for Mint and Passthrough modes.
Instead it will be required when a credential mode is not set.
diff --git a/pkg/asset/installconfig/aws/permissions.go b/pkg/asset/installconfig/aws/permissions.go
@@ -84,6 +84,9 @@ const (
 
 	// PermissionPassthroughCreds is a permission set required when using passthrough credentials.
 	PermissionPassthroughCreds PermissionGroup = "permission-passthrough-creds"
+
+	// PermissionEmptyCreds is a required permission set when a credential mode is not provided.
+	PermissionEmptyCreds PermissionGroup = "permission-empty-creds"
 )
 
 var permissions = map[PermissionGroup][]string{
@@ -173,7 +176,6 @@ var permissions = map[PermissionGroup][]string{
 		"iam:ListRoles",
 		"iam:ListUsers",
 		"iam:PassRole",
-		"iam:SimulatePrincipalPolicy",
 		"iam:TagInstanceProfile",
 		"iam:TagRole",
 
@@ -370,12 +372,10 @@ var permissions = map[PermissionGroup][]string{
 		"iam:ListAccessKeys",
 		"iam:PutUserPolicy",
 		"iam:TagUser",
-		"iam:SimulatePrincipalPolicy", // needed so we can verify the above list of course
 	},
 	PermissionPassthroughCreds: {
 		// so we can query whether we have the below list of creds
 		"iam:GetUser",
-		"iam:SimulatePrincipalPolicy",
 
 		// openshift-ingress
 		"elasticloadbalancing:DescribeLoadBalancers",
@@ -430,6 +430,10 @@ var permissions = map[PermissionGroup][]string{
 		"iam:GetUserPolicy",
 		"iam:ListAccessKeys",
 	},
+	PermissionEmptyCreds: {
+		// needed so we can verify the other required permissions
+		"iam:SimulatePrincipalPolicy",
+	},
 }
 
 // ValidateCreds will try to create an AWS session, and also verify that the current credentials
diff --git a/pkg/asset/permissions/permissions.go b/pkg/asset/permissions/permissions.go
@@ -54,6 +54,8 @@ func (o *Permissions) Generate(ctx context.Context, dependencies asset.Parents)
 		case types.PassthroughCredentialsMode:
 			// Include permissions needed by CCO/cluster for passthrough creds mode
 			reqGroups = append(reqGroups, awsconfig.PermissionPassthroughCreds)
+		case "":
+			reqGroups = append(reqGroups, awsconfig.PermissionEmptyCreds)
 		default:
 			// Include permissions needed by CCO/cluster for mint creds mode
 			reqGroups = append(reqGroups, awsconfig.PermissionMintCreds)
