OCM-23909 | fix: Remove unused sts:AssumeRole and sts:AssumeRoleWithW… #2730

Draft: robpblake wants to merge 1 commit into openshift:master from robpblake:ocm-23909-remove-assume-role-from-ocm-role


Conversation

@robpblake commented May 1, 2026

OCM-23909 | fix: Remove unused sts:AssumeRole and sts:AssumeRoleWithWebIdentity from OCM Role permission policy

What type of PR is this?

(bug/feature/cleanup/documentation)

What this PR does / why we need it?

Which Jira/Github issue(s) this PR fixes?

Fixes #

Special notes for your reviewer:

Pre-checks (if applicable):

  • Tested latest changes against a cluster

  • Included documentation changes with PR

  • If this is a new object that is not intended for the FedRAMP environment (if unsure, please reach out to team FedRAMP), please exclude it with:

    matchExpressions:
    - key: api.openshift.com/fedramp
      operator: NotIn
      values: ["true"]

Summary by CodeRabbit

  • Security Updates
    • Removed STS role assumption permissions from policies across versions 4.10–4.22, while retaining all other EC2 and IAM-related permissions.

openshift-ci Bot added the do-not-merge/work-in-progress label (Indicates that a PR should not merge because it is a work in progress.) May 1, 2026
@openshift-ci Bot (Contributor) commented May 1, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci Bot (Contributor) commented May 1, 2026

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: robpblake
Once this PR has been reviewed and has the lgtm label, please assign typeid for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai Bot commented May 1, 2026

No actionable comments were generated in the recent review. 🎉

📥 Commits

Reviewing files that changed from the base of the PR and between ac71b1d and 38c4414.

📒 Files selected for processing (13)
  • resources/sts/4.10/sts_ocm_permission_policy.json
  • resources/sts/4.11/sts_ocm_permission_policy.json
  • resources/sts/4.12/sts_ocm_permission_policy.json
  • resources/sts/4.13/sts_ocm_permission_policy.json
  • resources/sts/4.14/sts_ocm_permission_policy.json
  • resources/sts/4.15/sts_ocm_permission_policy.json
  • resources/sts/4.16/sts_ocm_permission_policy.json
  • resources/sts/4.17/sts_ocm_permission_policy.json
  • resources/sts/4.18/sts_ocm_permission_policy.json
  • resources/sts/4.19/sts_ocm_permission_policy.json
  • resources/sts/4.20/sts_ocm_permission_policy.json
  • resources/sts/4.21/sts_ocm_permission_policy.json
  • resources/sts/4.22/sts_ocm_permission_policy.json
💤 Files with no reviewable changes (13)
  • resources/sts/4.21/sts_ocm_permission_policy.json
  • resources/sts/4.16/sts_ocm_permission_policy.json
  • resources/sts/4.22/sts_ocm_permission_policy.json
  • resources/sts/4.20/sts_ocm_permission_policy.json
  • resources/sts/4.19/sts_ocm_permission_policy.json
  • resources/sts/4.13/sts_ocm_permission_policy.json
  • resources/sts/4.17/sts_ocm_permission_policy.json
  • resources/sts/4.14/sts_ocm_permission_policy.json
  • resources/sts/4.10/sts_ocm_permission_policy.json
  • resources/sts/4.15/sts_ocm_permission_policy.json
  • resources/sts/4.18/sts_ocm_permission_policy.json
  • resources/sts/4.12/sts_ocm_permission_policy.json
  • resources/sts/4.11/sts_ocm_permission_policy.json

Walkthrough

Across multiple STS OCM permission policy files (versions 4.10–4.22), the policy statements were updated to remove two STS role-assumption permissions (sts:AssumeRole and sts:AssumeRoleWithWebIdentity) from the allowed actions while keeping all other EC2 and IAM permissions intact.

Changes

Cohort: STS OCM Permission Policy Updates
File(s): resources/sts/4.10/sts_ocm_permission_policy.json, resources/sts/4.11/sts_ocm_permission_policy.json, resources/sts/4.12/sts_ocm_permission_policy.json, resources/sts/4.13/sts_ocm_permission_policy.json, resources/sts/4.14/sts_ocm_permission_policy.json, resources/sts/4.15/sts_ocm_permission_policy.json, resources/sts/4.16/sts_ocm_permission_policy.json, resources/sts/4.17/sts_ocm_permission_policy.json, resources/sts/4.18/sts_ocm_permission_policy.json, resources/sts/4.19/sts_ocm_permission_policy.json, resources/sts/4.20/sts_ocm_permission_policy.json, resources/sts/4.21/sts_ocm_permission_policy.json, resources/sts/4.22/sts_ocm_permission_policy.json
Summary: Removed sts:AssumeRole and sts:AssumeRoleWithWebIdentity from the allowed actions array in all policy statements. All other EC2 and IAM permissions remain unchanged. No structural changes to the policies.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 12
✅ Passed checks (12 passed)

Check name | Status | Explanation
Description Check | Passed | Check skipped - CodeRabbit's high-level summary is enabled.
Title check | Passed | The title clearly identifies the main change: removing sts:AssumeRole and sts:AssumeRoleWithWebIdentity from OCM Role permission policies, which matches the actual changeset across all modified policy files.
Docstring Coverage | Passed | No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check | Passed | Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check | Passed | Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names | Passed | This PR modifies only JSON IAM policy files, not Go test files, so Ginkgo test name validation is not applicable.
Test Structure And Quality | Passed | This custom check is not applicable to the provided pull request. The PR contains only modifications to JSON IAM policy files in the resources/sts/ directory across multiple OpenShift versions.
Microshift Test Compatibility | Passed | PR only modifies JSON IAM policy files across STS versions 4.10-4.22; no new Ginkgo e2e tests are added, making this check inapplicable.
Single Node Openshift (Sno) Test Compatibility | Passed | The custom check for Single Node OpenShift (SNO) Test Compatibility is not applicable to this PR as it exclusively modifies AWS IAM permission policy JSON files without adding any Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility | Passed | PR modifies only AWS IAM permission policy JSON files, removing STS permissions with no Kubernetes manifest or scheduling configuration changes.
Ote Binary Stdout Contract | Passed | PR modifies only static AWS IAM policy JSON files in resources/sts/ directories, not executable code or test binaries.
Ipv6 And Disconnected Network Test Compatibility | Passed | PR modifies JSON IAM policy files in resources/sts/ directory, not Ginkgo e2e test files.

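As an added example for the change the CodeRabbit walkthrough describes (this is not code from the PR or from the openshift repository): a small Python check that removes sts:AssumeRole and sts:AssumeRoleWithWebIdentity from every Allow statement of an IAM permission policy document and then verifies that neither action can still be granted. The policy document SAMPLE_POLICY_JSON is constructed for the example and is not the contents of any resources/sts/<version>/sts_ocm_permission_policy.json file; the function names (strip_actions, grants_action, remaining_grants) are the example's own. It goes one step beyond the PR's literal edit: grants_action also matches wildcard patterns such as sts:* or *, because deleting an explicit action entry does not reduce privilege if a broader pattern in the same policy still covers it.

```python
"""Added example (not code from the openshift PR or its repository): remove two
STS role-assumption actions from an IAM permission policy and verify that no
Allow statement still grants them, including via wildcards such as "sts:*"."""
import copy
import fnmatch
import json

# Constructed sample policy in the shape of an AWS IAM permission policy.
# The action list is illustrative only and is NOT the contents of any
# resources/sts/<version>/sts_ocm_permission_policy.json file.
SAMPLE_POLICY_JSON = """
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeInstances",
        "iam:GetRole",
        "sts:AssumeRole",
        "sts:AssumeRoleWithWebIdentity"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": "sts:GetCallerIdentity",
      "Resource": "*"
    }
  ]
}
"""

# The two actions the PR removes from the OCM role permission policy.
REMOVED_ACTIONS = ("sts:AssumeRole", "sts:AssumeRoleWithWebIdentity")


def load_policy(text):
    """Parse a policy document from its JSON text."""
    return json.loads(text)


def _as_list(value):
    """IAM allows "Action" and "Statement" to be a single value or a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def strip_actions(policy, actions):
    """Return a copy of `policy` with `actions` removed from every Allow
    statement. Names are compared case-insensitively, as IAM evaluates them."""
    wanted = {a.lower() for a in actions}
    result = copy.deepcopy(policy)
    for stmt in _as_list(result.get("Statement")):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        original = stmt["Action"]
        kept = [a for a in _as_list(original) if a.lower() not in wanted]
        # Preserve a single-string Action when nothing was removed from it.
        if isinstance(original, list) or not kept:
            stmt["Action"] = kept
        else:
            stmt["Action"] = kept[0]
    return result


def allowed_actions(policy):
    """Flatten the explicit Allow actions (and patterns) into a sorted list."""
    found = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") == "Allow":
            found.update(_as_list(stmt.get("Action")))
    return sorted(found)


def grants_action(policy, action):
    """True if any Allow statement grants `action`, literally or through a
    wildcard pattern ("sts:*", "*"). Deny statements and Conditions are not
    evaluated, so this is a conservative "could it be granted" check."""
    target = action.lower()
    return any(fnmatch.fnmatchcase(target, pattern.lower())
               for pattern in allowed_actions(policy))


def remaining_grants(policy, actions=REMOVED_ACTIONS):
    """Actions from `actions` the policy still grants; an empty list is clean."""
    return [a for a in actions if grants_action(policy, a)]


if __name__ == "__main__":
    before = load_policy(SAMPLE_POLICY_JSON)
    after = strip_actions(before, REMOVED_ACTIONS)
    print("still granted before:", remaining_grants(before))
    print("still granted after: ", remaining_grants(after))
    print("remaining permissions:", allowed_actions(after))
```

Run against each resources/sts/<version> policy file, remaining_grants on the loaded document is the review check for this PR: it must return an empty list for every version. The wildcard handling is the caveat worth keeping: a policy that allows sts:* would pass a text search for the two removed names yet still grant both actions.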

Labels

do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress.
