Skip to content

fix(aws-sts): add EC2 snapshot permissions for minted CI users#5295

Open
deepsm007 wants to merge 1 commit into
openshift:mainfrom
deepsm007:fix/aws-sts-snapshot-cco-user-policy
Open

fix(aws-sts): add EC2 snapshot permissions for minted CI users#5295
deepsm007 wants to merge 1 commit into
openshift:mainfrom
deepsm007:fix/aws-sts-snapshot-cco-user-policy

Conversation

@deepsm007

@deepsm007 deepsm007 commented Jul 6, 2026

Copy link
Copy Markdown
Contributor
  • Add ci-user-permission-boundary inline policy with EC2 snapshot create/describe/delete actions for minted CI users
  • Add explicit iam:PutUserPolicy on the target role so CCO can attach policies to minted users

https://redhat-internal.slack.com/archives/CBN38N3MW/p1783356991822999?thread_ts=1783354331.075049&cid=CBN38N3MW

/cc @openshift/test-platform

This PR updates the AWS STS target role template (hack/aws-sts-roles/target-role.cf, CITargetRole, used by CCO) by adding a new inline policy (ci-user-permission-boundary) to serve as the permission boundary for minted CI users.

Practically, CI user provisioning via CCO can now apply this boundary to allow EC2 snapshot lifecycle operations—ec2:CreateSnapshot, ec2:DescribeSnapshots, and ec2:DeleteSnapshot on all snapshot resources—supporting CI workflows that require snapshot creation, inspection, and cleanup.

@openshift-merge-bot

Copy link
Copy Markdown
Contributor

Pipeline controller notification
This repo is configured to use the pipeline controller. Second-stage tests will be triggered either automatically or after lgtm label is added, depending on the repository configuration. The pipeline controller will automatically detect which contexts are required and will utilize /test Prow commands to trigger the second stage.

For optional jobs, comment /test ? to see a list of all defined jobs. To trigger manually all jobs from second stage use /pipeline required command.

This repository is configured in: automatic mode

@openshift-ci openshift-ci Bot requested review from Prucek and droslean July 6, 2026 16:59
@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@coderabbitai

coderabbitai Bot commented Jul 6, 2026

Copy link
Copy Markdown

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: fe6e2f57-37e5-46f3-b52e-601722319306

📥 Commits

Reviewing files that changed from the base of the PR and between 01c68b3 and 1d85142.

📒 Files selected for processing (1)
  • hack/aws-sts-roles/target-role.cf
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)
🚧 Files skipped from review as they are similar to previous changes (1)
  • hack/aws-sts-roles/target-role.cf

📝 Walkthrough

Walkthrough

This PR updates the CITargetRole CloudFormation template by adding an inline IAM policy that allows EC2 snapshot create, describe, and delete actions on all resources.

Changes

IAM Policy Update

Layer / File(s) Summary
Add EC2 snapshot policy
hack/aws-sts-roles/target-role.cf
Adds the ci-user-permission-boundary inline policy to CITargetRole, granting ec2:CreateSnapshot, ec2:DescribeSnapshots, and ec2:DeleteSnapshot on *.

Estimated code review effort: 1 (Trivial) | ~5 minutes

Related PRs: None identified.
Suggested labels: aws, iam, security-review
Suggested reviewers: None identified.

🚥 Pre-merge checks | ✅ 17
✅ Passed checks (17 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly describes the main change: adding EC2 snapshot permissions for minted CI users.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
Go Error Handling ✅ Passed Only a CloudFormation file changed; no Go code was touched, so the Go error-handling check is not applicable.
Test Coverage For New Features ✅ Passed Only a CloudFormation/IAM policy file changed; no Go code or testable logic was added, so the configuration-only exception applies.
Stable And Deterministic Test Names ✅ Passed PR only changes a CloudFormation IAM role; no Ginkgo test titles were added or modified.
Test Structure And Quality ✅ Passed No Ginkgo test files changed; the PR only updates hack/aws-sts-roles/target-role.cf, so the test-quality check is not applicable.
Microshift Test Compatibility ✅ Passed No Ginkgo tests were added; the PR only modifies an IAM policy in hack/aws-sts-roles/target-role.cf.
Single Node Openshift (Sno) Test Compatibility ✅ Passed Only hack/aws-sts-roles/target-role.cf changed; no Ginkgo e2e tests were added or modified, so SNO compatibility is not applicable.
Topology-Aware Scheduling Compatibility ✅ Passed Diff only updates an IAM role policy in target-role.cf; no manifests, controllers, or scheduling constraints were added.
Ote Binary Stdout Contract ✅ Passed Only hack/aws-sts-roles/target-role.cf changed; it’s an IAM template, so no process-level stdout writes or OTE binary code paths were introduced.
Ipv6 And Disconnected Network Test Compatibility ✅ Passed Only an IAM role policy file changed; no Ginkgo tests, network code, or IPv4 assumptions were added.
No-Weak-Crypto ✅ Passed Changed file is IAM policy only; no MD5/SHA1/DES/RC4/3DES/Blowfish/ECB, custom crypto, or secret comparisons appear.
Container-Privileges ✅ Passed Only an IAM CloudFormation role policy changed; no container/K8s manifests or privilege settings are present in the diff.
No-Sensitive-Data-In-Logs ✅ Passed No new logging was added; the change only updates IAM policy entries in a CloudFormation role file and emits no secrets, tokens, PII, or hostnames.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Warning

Review ran into problems

🔥 Problems

Linked repositories: Couldn't analyze openshift/release-controller - clone failed: 2 UNKNOWN:

<title>500 Server Error</title>

Error: Server Error

The server encountered an error and could not complete your request.

Please try again in 30 seconds.


Comment @coderabbitai help to get the list of available commands.

@deepsm007 deepsm007 force-pushed the fix/aws-sts-snapshot-cco-user-policy branch from 9dea8e7 to 59a82b8 Compare July 6, 2026 17:03
@bear-redhat

Copy link
Copy Markdown
Contributor

/lgtm

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/aws-sts-roles/target-role.cf`:
- Around line 123-133: The EC2 snapshot permissions in the `CITargetRole` policy
are redundant because `EC2Full` already grants them, so remove this inline
`EC2Snapshots` statement from the role’s policy. If the goal is to constrain
minted CI users, move the snapshot actions into the user-scoped policy that is
applied through `iam:PutUserPolicy` in the CI user provisioning flow instead.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: ee5bdf9b-faae-44d1-9dea-e0b9527be375

📥 Commits

Reviewing files that changed from the base of the PR and between 7055b37 and 9dea8e7.

📒 Files selected for processing (1)
  • hack/aws-sts-roles/target-role.cf
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)

Comment on lines +123 to +133
- PolicyName: ci-user-permission-boundary
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: EC2Snapshots
Effect: Allow
Action:
- "ec2:CreateSnapshot"
- "ec2:DescribeSnapshots"
- "ec2:DeleteSnapshot"
Resource: "*"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🔒 Security & Privacy | 🟠 Major | ⚡ Quick win

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Find where minted-user policies / PutUserPolicy documents and permission boundaries are defined.
rg -nP -C3 'PutUserPolicy|PermissionsBoundary|permission-boundary|CreateSnapshot' \
  -g '!**/vendor/**'

Repository: openshift/ci-tools

Length of output: 156


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## target-role.cf excerpt\n'
nl -ba hack/aws-sts-roles/target-role.cf | sed -n '1,220p'

printf '\n## searches\n'
rg -n 'ci-user-permission-boundary|CCOPutUserPolicy|PermissionsBoundary|PutUserPolicy|permission-boundary|CreateSnapshot|EC2Full|CITargetRole' hack aws-sts-roles . -g '!**/vendor/**' || true

Repository: openshift/ci-tools

Length of output: 223


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## target-role.cf around the cited lines\n'
nl -ba hack/aws-sts-roles/target-role.cf | sed -n '40,170p'

printf '\n## all aws-sts role templates and generators\n'
fd -a '(*role*.cf|*sts*|*aws-sts*)' hack aws-sts-roles . || true

printf '\n## symbol searches in relevant tree\n'
rg -n 'ci-user-permission-boundary|CCOPutUserPolicy|PermissionsBoundary|PutUserPolicy|CreateSnapshot|DeleteSnapshot|DescribeSnapshots|EC2Full|CITargetRole|target-role' hack . -g '!**/vendor/**' || true

Repository: openshift/ci-tools

Length of output: 238


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## files under hack/aws-sts-roles\n'
fd -a . hack/aws-sts-roles

printf '\n## grep for role/policy generation paths\n'
rg -n 'policy document|permission boundary|permissions boundary|PutUserPolicy|UserPolicy|minted user|CCO|CCOPutUserPolicy|STS role|target role|EC2Snapshots|EC2Full' hack . -g '!**/vendor/**' || true

printf '\n## inspect target-role.cf if present\n'
if [ -f hack/aws-sts-roles/target-role.cf ]; then
  nl -ba hack/aws-sts-roles/target-role.cf | sed -n '1,220p'
fi

Repository: openshift/ci-tools

Length of output: 6549


🏁 Script executed:

#!/bin/bash
set -euo pipefail

printf '\n## user-min-permissions references\n'
rg -n -C3 'iam:PutUserPolicy|user-min-permissions|permission-boundary|CreateSnapshot|DeleteSnapshot|DescribeSnapshots|EC2Full|ci-step-runner-target|ci-user-permission-boundary' ci-operator/step-registry/ipi/conf/aws/user-min-permissions || true

printf '\n## file excerpt\n'
if [ -f ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh ]; then
  nl -ba ci-operator/step-registry/ipi/conf/aws/user-min-permissions/ipi-conf-aws-user-min-permissions-commands.sh | sed -n '200,260p'
fi

Repository: openshift/release

Length of output: 3909


🏁 Script executed:

#!/bin/bash
set -euo pipefail

python3 - <<'PY'
from pathlib import Path
p = Path('hack/aws-sts-roles/target-role.cf')
for i, line in enumerate(p.read_text().splitlines(), 1):
    if 40 <= i <= 150:
        print(f"{i:4d}: {line}")
PY

Repository: openshift/ci-tools

Length of output: 4226


Move these snapshot actions off CITargetRole EC2Full already covers them here, so this inline policy has no effect on the role. If the intent is to scope minted CI users, put the statement in the user policy written via iam:PutUserPolicy instead.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/aws-sts-roles/target-role.cf` around lines 123 - 133, The EC2 snapshot
permissions in the `CITargetRole` policy are redundant because `EC2Full` already
grants them, so remove this inline `EC2Snapshots` statement from the role’s
policy. If the goal is to constrain minted CI users, move the snapshot actions
into the user-scoped policy that is applied through `iam:PutUserPolicy` in the
CI user provisioning flow instead.

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jul 6, 2026
@deepsm007 deepsm007 closed this Jul 6, 2026
@deepsm007 deepsm007 force-pushed the fix/aws-sts-snapshot-cco-user-policy branch from 59a82b8 to 7055b37 Compare July 6, 2026 17:09
@openshift-ci openshift-ci Bot removed the lgtm Indicates that a PR is ready to be merged. label Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

New changes are detected. LGTM label has been removed.

@openshift-ci openshift-ci Bot removed the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@deepsm007 deepsm007 reopened this Jul 6, 2026
@deepsm007 deepsm007 changed the title fix(aws-sts): add snapshot boundary and PutUserPolicy for CCO fix(aws-sts): add EC2 snapshot permissions for minted CI users Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bear-redhat, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [bear-redhat,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 6, 2026
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bear-redhat, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [bear-redhat,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

1 similar comment
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: bear-redhat, deepsm007

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:
  • OWNERS [bear-redhat,deepsm007]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@hack/aws-sts-roles/target-role.cf`:
- Around line 119-129: The current policy block in target-role.cf is misleading
because ci-user-permission-boundary is only an additive inline policy on the
target role, not a real permissions boundary or user-scoped policy. Update the
naming in the target role definition to match the actual behavior, or if the
intent is to enforce a boundary for minted CI users, add the proper
PermissionsBoundary attachment and/or explicit iam:PutUserPolicy flow in the
role/policy resources; use the ci-user-permission-boundary identifier and the
surrounding target role IAM statements to locate the affected section.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Repository YAML (base), Central YAML (inherited)

Review profile: CHILL

Plan: Enterprise

Run ID: af4c616e-032d-49f9-8011-8451376f241d

📥 Commits

Reviewing files that changed from the base of the PR and between 59a82b8 and 01c68b3.

📒 Files selected for processing (1)
  • hack/aws-sts-roles/target-role.cf
🔗 Linked repositories identified

CodeRabbit considers these linked repositories for cross-repo context during reviews:

  • openshift/release (manual)
  • openshift/ci-docs (manual)
  • openshift/release-controller (manual)
  • openshift/ci-chat-bot (manual)

Comment on lines +119 to +129
- PolicyName: ci-user-permission-boundary
PolicyDocument:
Version: "2012-10-17"
Statement:
- Sid: EC2Snapshots
Effect: Allow
Action:
- "ec2:CreateSnapshot"
- "ec2:DescribeSnapshots"
- "ec2:DeleteSnapshot"
Resource: "*"

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

📐 Maintainability & Code Quality | 🟠 Major | ⚡ Quick win

Policy name misrepresents what this does.

ci-user-permission-boundary is a plain additive inline policy on the target role — it is neither an IAM permissions boundary (which attaches via the PermissionsBoundary property) nor scoped to any user. Per the PR objectives this was meant to bound minted CI users and pair with iam:PutUserPolicy, but the diff contains neither a boundary attachment nor a PutUserPolicy grant (note iam:* at Line 78 already covers PutUserPolicy). Rename to reflect actual behavior, or implement the boundary/user-scoping the name implies.

As per coding guidelines: "A good name is long enough to fully communicate what the item is or does."

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@hack/aws-sts-roles/target-role.cf` around lines 119 - 129, The current policy
block in target-role.cf is misleading because ci-user-permission-boundary is
only an additive inline policy on the target role, not a real permissions
boundary or user-scoped policy. Update the naming in the target role definition
to match the actual behavior, or if the intent is to enforce a boundary for
minted CI users, add the proper PermissionsBoundary attachment and/or explicit
iam:PutUserPolicy flow in the role/policy resources; use the
ci-user-permission-boundary identifier and the surrounding target role IAM
statements to locate the affected section.

Source: Coding guidelines

@deepsm007 deepsm007 force-pushed the fix/aws-sts-snapshot-cco-user-policy branch from 01c68b3 to 1d85142 Compare July 6, 2026 17:32
@openshift-ci

openshift-ci Bot commented Jul 6, 2026

Copy link
Copy Markdown
Contributor

@deepsm007: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/integration 1d85142 link true /test integration

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants