From f18c9a524ecf840369e85748c62cec459a2e221c Mon Sep 17 00:00:00 2001
From: Dustin Row
Date: Mon, 2 Mar 2026 08:40:40 -0800
Subject: [PATCH] SREP-3817: Allow day-2 CreateTags on existing EBS volumes and snapshots

The EBS CSI driver EBSVolumeTagsController (introduced in OCP 4.19 via CFE-1131) calls ec2:CreateTags on existing volumes to reconcile infrastructure resource tags. The current policy restricts CreateTags to only work during CreateVolume/CreateSnapshot via the ec2:CreateAction condition, causing AccessDenied on all day-2 tag operations. Add a new statement allowing CreateTags on volumes and snapshots that already have the red-hat-managed tag, matching the pattern used by the CAPA Controller Manager policy for day-2 reconciliation.

Jira: https://issues.redhat.com/browse/SREP-3817
---
 ...r_ebs_operator_cloud_credentials_policy.json | 17 +++++++++++++++++
 1 file changed, 17 insertions(+)

diff --git a/resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json b/resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json
index 299200ed44..6434ec118a 100644
--- a/resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json
+++ b/resources/sts/hypershift/openshift_hcp_cluster_csi_driver_ebs_operator_cloud_credentials_policy.json
@@ -112,6 +112,7 @@
 }
 },
 {
+ "Sid": "CreateTagsOnCreate",
 "Effect": "Allow",
 "Action": [
 "ec2:CreateTags"
@@ -128,6 +129,22 @@
 ]
 }
 }
+ },
+ {
+ "Sid": "CreateTagsExistingVolumes",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateTags"
+ ],
+ "Resource": [
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:snapshot/*"
+ ],
+ "Condition": {
+ "StringEquals": {
+ "aws:ResourceTag/red-hat-managed": "true"
+ }
+ }
 }
 ]
 }
\ No newline at end of file
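Review bot: The new `CreateTagsExistingVolumes` statement lets the role write any tag key on a red-hat-managed volume or snapshot, including overwriting the `red-hat-managed` guard tag itself, because `aws:ResourceTag` is evaluated against the resource's state before the call and nothing constrains the keys or values in the request. Other statements in this policy that gate on resource tags (the `ec2:CreateAction`-scoped statement in the first hunk, and possibly others outside these hunks) presumably rely on those tags staying intact, so a tag-reconciliation grant should protect them. Adding `"StringEqualsIfExists": { "aws:RequestTag/red-hat-managed": "true" }` next to the existing `StringEquals` block would stop the guard tag from being flipped, and where the key set the EBSVolumeTagsController reconciles is known, a `"ForAllValues:StringEquals": { "aws:TagKeys": [ ... ] }` condition would bound the writable keys. The page does not show which keys the controller writes, so that list has to come from the driver configuration rather than from this patch.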