OCM-23909 | fix: Remove unused sts:AssumeRole and sts:AssumeRoleWithW…#2730

Merged
openshift-merge-bot[bot] merged 1 commit into openshift:master from robpblake:ocm-23909-remove-assume-role-from-ocm-role on Jun 2, 2026

Conversation

@robpblake
Contributor

@robpblake robpblake commented May 1, 2026

…ebIdentity from OCM Role permission policy

What type of PR is this?

Cleanup of unused permissions

What this PR does / why we need it?

A review of the OCM Role permissions was conducted and it was determined that the sts:AssumeRole and sts:AssumeRoleWithWebIdentity are not required for the OCM Role. To ensure customers are working with least privilege requirements, this removes the sts:AssumeRole and sts:AssumeRoleWithWebIdentity permissions from the OCM Role.

I have tested that the permission policy definition remains valid with the removals:

# Policy analyzed as valid

rblake@rblake-mac /tmp % aws accessanalyzer validate-policy \
  --policy-document file://policy.json \
  --policy-type IDENTITY_POLICY
{
    "findings": []
}

# Policy creates without issue

rblake@rblake-mac /tmp % POLICY_ARN=$(aws iam create-policy \
  --policy-name "rblake-policy-validation-test-$(date +%s)" \
  --policy-document file://policy.json \
  --query 'Policy.Arn' \
  --output text)

echo "$POLICY_ARN"
arn:aws:iam::765374464689:policy/rblake-policy-validation-test-1780308760


# Display contents of the policy

rblake@rblake-mac /tmp % aws iam get-policy \
  --policy-arn $POLICY_ARN \
  --query 'Policy.DefaultVersionId' \
  --output text
v1

rblake@rblake-mac /tmp % aws iam get-policy-version \
  --policy-arn $POLICY_ARN \
  --version-id v1 \
  --query 'PolicyVersion.Document'
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "ec2:DescribeRegions",
                "ec2:DescribeRouteTables",
                "ec2:DescribeInstanceTypeOfferings",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:ListRoleTags",
                "iam:GetOpenIDConnectProvider",
                "iam:GetPolicy"
            ],
            "Resource": "*"
        }
    ]
}

The ROSA E2E tests have been updated to use an OCM Role with this reduced permission set, as have the E2E tests for console.redhat.com.

Which Jira/Github issue(s) this PR fixes?

https://redhat.atlassian.net/browse/OCM-23907

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]

Summary by CodeRabbit

  • Security Updates
    • Removed STS role assumption permissions from policies across versions 4.10–4.22, while retaining all other EC2 and IAM-related permissions.
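As an added regression check for the cleanup described above (example code, not part of this PR, the openshift/rosa repository, or its CI): the policy document below is the one printed by `aws iam get-policy-version` in the PR description, and the "before" and wildcard variants are constructed here to show what the check reports. The check resolves IAM's `*`/`?` action wildcards and case-insensitive matching, so a later `sts:*` grant that silently re-allows the removed actions is caught where a plain string search would not be. The `check_files` helper and the `resources/sts/<version>/...` path pattern it mentions are illustrative assumptions about how the versioned files would be fed in.

```python
"""Regression check that an IAM permission policy no longer grants specific
actions, either by name or through wildcards.

Added example, not code from the openshift/rosa repository or its CI. The
policy document is the one shown in the PR description; the "before" and
wildcard variants are constructed for illustration.
"""
import copy
import fnmatch
import json
from pathlib import Path

# Actions this PR removes from the OCM Role permission policy.
REMOVED_ACTIONS = ("sts:AssumeRole", "sts:AssumeRoleWithWebIdentity")

# Policy document after the change, as printed by `aws iam get-policy-version`.
POLICY_AFTER = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [{
    "Effect": "Allow",
    "Action": [
      "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeRegions",
      "ec2:DescribeRouteTables", "ec2:DescribeInstanceTypeOfferings",
      "iam:GetRole", "iam:ListRoles", "iam:ListRoleTags",
      "iam:GetOpenIDConnectProvider", "iam:GetPolicy"
    ],
    "Resource": "*"
  }]
}
""")

# Constructed "before" variant: the same statement with the two STS actions present.
POLICY_BEFORE = copy.deepcopy(POLICY_AFTER)
POLICY_BEFORE["Statement"][0]["Action"] = (
    list(REMOVED_ACTIONS) + POLICY_BEFORE["Statement"][0]["Action"]
)

# Constructed variant with a service-wide wildcard, which re-grants both actions
# without naming them; a substring search for "sts:AssumeRole" would miss it.
POLICY_WILDCARD = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "sts:*", "Resource": "*"}],
}


def allow_patterns(policy):
    """Yield every Action pattern from Allow statements.

    Handles the IAM shorthand where Statement is a single object rather than a
    list and Action is a single string rather than a list. Deny statements are
    not evaluated, so the check errs on the side of reporting an Allow.
    """
    statements = policy.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for stmt in statements:
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        yield from actions


def grants(policy, action):
    """Return the Allow patterns that match `action`.

    IAM action matching is case-insensitive and supports `*` (any run of
    characters) and `?` (one character); fnmatch reproduces those semantics.
    """
    return [p for p in allow_patterns(policy)
            if fnmatch.fnmatchcase(action.lower(), p.lower())]


def check_policy(policy, forbidden=REMOVED_ACTIONS):
    """Map each forbidden action to the patterns that still grant it.

    An empty dict means none of the forbidden actions is allowed.
    """
    findings = {}
    for action in forbidden:
        hits = grants(policy, action)
        if hits:
            findings[action] = hits
    return findings


def check_files(paths, forbidden=REMOVED_ACTIONS):
    """Run check_policy over policy JSON files on disk (assumed layout:
    resources/sts/<version>/sts_ocm_permission_policy.json) and return
    {path: findings} for every file that still grants a forbidden action."""
    results = {}
    for path in paths:
        findings = check_policy(json.loads(Path(path).read_text()), forbidden)
        if findings:
            results[str(path)] = findings
    return results


if __name__ == "__main__":
    for name, doc in [("after", POLICY_AFTER), ("before", POLICY_BEFORE),
                      ("wildcard", POLICY_WILDCARD)]:
        print(f"{name}: {check_policy(doc) or 'clean'}")
```

Point `check_files` at the versioned policy files (for example via `glob`) to run the same assertion in CI for every supported release at once; a non-empty result identifies both the file and the pattern that reintroduced the grant.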

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress label (indicates that a PR should not merge because it is a work in progress) May 1, 2026
@openshift-ci
Contributor

openshift-ci Bot commented May 1, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@coderabbitai

coderabbitai Bot commented May 1, 2026

Walkthrough

Across versioned STS OCM permission policy files (4.10–4.22), the Action arrays in the single Allow statements had sts:AssumeRole and sts:AssumeRoleWithWebIdentity removed, with all other EC2 and IAM actions and the policy structure left unchanged.

Changes

STS OCM Permission Policy Updates

Layer / File(s) | Summary
Remove STS assume-role actions
  Files: resources/sts/4.10/sts_ocm_permission_policy.json, resources/sts/4.11/sts_ocm_permission_policy.json, resources/sts/4.12/sts_ocm_permission_policy.json, resources/sts/4.13/sts_ocm_permission_policy.json, resources/sts/4.14/sts_ocm_permission_policy.json, resources/sts/4.15/sts_ocm_permission_policy.json, resources/sts/4.16/sts_ocm_permission_policy.json, resources/sts/4.17/sts_ocm_permission_policy.json, resources/sts/4.18/sts_ocm_permission_policy.json, resources/sts/4.19/sts_ocm_permission_policy.json, resources/sts/4.20/sts_ocm_permission_policy.json, resources/sts/4.21/sts_ocm_permission_policy.json, resources/sts/4.22/sts_ocm_permission_policy.json
  Summary: Removed sts:AssumeRole and sts:AssumeRoleWithWebIdentity from the allowed Action arrays in each policy's single Allow statement; all other EC2 and IAM actions and the policy structure remain unchanged.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)
Check name | Status | Explanation
Title check | Passed | The title clearly describes the main change: removing two unused STS assume-role permissions from the OCM Role permission policy across multiple versions.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | Passed | PR modifies only JSON IAM policy files; contains no Ginkgo tests or test code, so the Ginkgo test naming check is not applicable.
Test Structure And Quality | Passed | PR contains only JSON IAM policy file changes with no Go code or Ginkgo tests present. Check for test quality is not applicable to configuration-only changes.
Microshift Test Compatibility | Passed | PR modifies only JSON IAM policy files (resources/sts/*/*.json), not Ginkgo e2e tests. Custom check for MicroShift test compatibility is not applicable.
Single Node Openshift (Sno) Test Compatibility | Passed | No Ginkgo e2e tests are added in this PR. All changes are to JSON IAM policy configuration files only (removing sts:AssumeRole and sts:AssumeRoleWithWebIdentity actions).
Topology-Aware Scheduling Compatibility | Passed | PR modifies only AWS IAM policy JSON files (resources/sts/*.json), not deployment manifests, operator code, or controllers; topology-aware scheduling check does not apply.
Ote Binary Stdout Contract | Passed | PR modifies only JSON IAM policy configuration files; no test binaries, executable code, or OTE-related code is present in the changes, making the OTE Binary Stdout Contract check not applicable.
Ipv6 And Disconnected Network Test Compatibility | Passed | No Ginkgo e2e tests added in this PR. Changes are limited to AWS IAM policy JSON files, which are not subject to the IPv6/disconnected network test compatibility check.
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.


@robpblake robpblake force-pushed the ocm-23909-remove-assume-role-from-ocm-role branch from 38c4414 to 7606029 Compare May 26, 2026 13:55
@robpblake robpblake marked this pull request as ready for review May 26, 2026 14:05
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress label May 26, 2026
@openshift-ci openshift-ci Bot requested review from clcollins and typeid May 26, 2026 14:05
@joshbranham
Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm label (indicates that a PR is ready to be merged) Jun 1, 2026
@joshbranham
Contributor

/approved

@typeid
Member

typeid commented Jun 2, 2026

/approve

@openshift-ci
Contributor

openshift-ci Bot commented Jun 2, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: joshbranham, robpblake, typeid

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved label (indicates a PR has been approved by an approver from all required OWNERS files) Jun 2, 2026
@openshift-ci
Contributor

openshift-ci Bot commented Jun 2, 2026

@robpblake: all tests passed!


@openshift-merge-bot openshift-merge-bot Bot merged commit 0da9a47 into openshift:master Jun 2, 2026
4 checks passed
@robpblake robpblake deleted the ocm-23909-remove-assume-role-from-ocm-role branch June 2, 2026 12:24