Permission error when creating a cluster #4436

Closed
MaxFedotov opened this issue Aug 3, 2023 · 2 comments · Fixed by #4445
Labels
kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one.

Comments

@MaxFedotov (Contributor)

/kind bug

What steps did you take and what happened:
Created a cluster using the following AWSClusterRoleIdentity:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSClusterRoleIdentity
metadata:
  name: mf-test-6
spec:
  allowedNamespaces: {}
  roleARN: "arn:aws:iam::1234567:role/control-plane.cluster-api-provider-aws.sigs.k8s.io"
  sourceIdentityRef:
    kind: AWSClusterControllerIdentity
    name: default

Got the following error:

failed to modify target group attribute: AccessDenied: User: arn:aws:sts::1234567:assumed-role/control-plane.cluster-api-provider-aws.sigs.k8s.io/1690811638152948495 is not authorized to perform: elasticloadbalancing:ModifyTargetGroupAttributes on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1690811772/3f59cb53e328bfb0 because no identity-based policy allows the elasticloadbalancing:ModifyTargetGroupAttributes action

Added

  clusterAPIControllers:
    extraStatements:
    - Action:
      - "elasticloadbalancing:ModifyTargetGroupAttributes"

to my AWSIAMConfiguration

Then the following errors occurred (which I was able to fix the same way):

failed to create listener: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691075674843575303 is not authorized to perform: elasticloadbalancing:CreateListener on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:loadbalancer/net/mf-test-15/8a52aff551f689c8 because no identity-based policy allows the elasticloadbalancing:CreateListener action
failed to create target group for load balancer: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691074004429987129 is not authorized to perform: elasticloadbalancing:CreateTargetGroup on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1691074123/* because no identity-based policy allows the elasticloadbalancing:CreateTargetGroup action
could not register control plane instance "i-06955c3fa4db1890a" with load balancer - error determining registration status: error describing ELB's target groups health "mf-test-15": AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform: elasticloadbalancing:DescribeTargetHealth because no identity-based policy allows the elasticloadbalancing:DescribeTargetHealth action
could not register control plane instance "i-06955c3fa4db1890a" with load balancer: failed to register instance with target group 'apiserver-target-1691076399': AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform: elasticloadbalancing:RegisterTargets on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1691076399/6504c2c87d29feb9 because no identity-based policy allows the elasticloadbalancing:RegisterTargets action
failed to delete AWS cloud provider load balancer(s): failed to gather listeners: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691074951041883380 is not authorized to perform: elasticloadbalancing:DescribeListeners because no identity-based policy allows the elasticloadbalancing:DescribeListeners action
failed to delete AWS cloud provider load balancer(s): failed to delete listener 'arn:aws:elasticloadbalancing:eu-central-1:1234567:listener/net/mf-test-15/3cd170d5f965a313/aba6517893a2a672': AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform: elasticloadbalancing:DeleteListener on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:listener/net/mf-test-15/3cd170d5f965a313/aba6517893a2a672 because no identity-based policy allows the elasticloadbalancing:DeleteListener action

Am I doing something wrong? Or should these permissions be added to the CloudFormation stack created by clusterawsadm so they are granted by default?

What did you expect to happen:

Anything else you would like to add:
The cluster should be created without errors

Environment:

  • Cluster-api-provider-aws version: registry.k8s.io/cluster-api-aws/cluster-api-aws-controller:v2.2.1
  • Kubernetes version: (use kubectl version): v1.25.12
  • OS (e.g. from /etc/os-release): amazon linux 2
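Added example, not part of this issue or of cluster-api-provider-aws: the AccessDenied messages above all follow the same STS/IAM shape ("User: <principal> is not authorized to perform: <action> on resource: <arn> because no identity-based policy allows ..."), so the set of missing permissions can be derived from the logs instead of being added one failed reconcile at a time. The script below parses constructed copies of the messages from this thread, groups them by assumed role, and emits the `Allow` statements that would go into `extraStatements` (the Describe* ELB calls carry no resource ARN because they do not support resource-level permissions, so they get `Resource: "*"`). The `generalize_arn` helper and its wildcarding rule are this example's own assumption; the account ID 1234567 is the reporter's placeholder.

```python
"""Derive least-privilege IAM Allow statements from AWS AccessDenied messages.

Added example (not CAPA code). Input lines are constructed copies of the
errors reported in this issue; account ID 1234567 is the reporter's placeholder.
"""
import json
import re

# Shape of an STS/IAM AccessDenied message. "on resource:" is absent for actions
# without resource-level permissions (e.g. elasticloadbalancing:Describe*). The
# resource ARN is matched character by character with a lookahead so that a
# log line where "because" got fused onto the ARN still parses cleanly.
_DENIED = re.compile(
    r"User:\s*(?P<principal>\S+)\s+is not authorized to perform:\s*"
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9*]+)"
    r"(?:\s+on resource:\s*(?P<resource>(?:(?!because)\S)+))?"
    r"(?:\s*because no identity-based policy allows)?"
)

# Constructed sample log lines, modelled on the issue's messages.
SAMPLE_DENIALS = [
    "failed to modify target group attribute: AccessDenied: User: arn:aws:sts::1234567:assumed-role/control-plane.cluster-api-provider-aws.sigs.k8s.io/1690811638152948495 is not authorized to perform: elasticloadbalancing:ModifyTargetGroupAttributes on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1690811772/3f59cb53e328bfb0 because no identity-based policy allows the elasticloadbalancing:ModifyTargetGroupAttributes action",
    "failed to create listener: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691075674843575303 is not authorized to perform: elasticloadbalancing:CreateListener on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:loadbalancer/net/mf-test-15/8a52aff551f689c8 because no identity-based policy allows the elasticloadbalancing:CreateListener action",
    "failed to create target group for load balancer: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691074004429987129 is not authorized to perform: elasticloadbalancing:CreateTargetGroup on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1691074123/* because no identity-based policy allows the elasticloadbalancing:CreateTargetGroup action",
    "error describing ELB's target groups health \"mf-test-15\": AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform: elasticloadbalancing:DescribeTargetHealth because no identity-based policy allows the elasticloadbalancing:DescribeTargetHealth action",
    # Fused 'because' and missing space after 'perform:', as in the raw log.
    "failed to register instance with target group 'apiserver-target-1691076399':AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform:elasticloadbalancing:RegisterTargets on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:targetgroup/apiserver-target-1691076399/6504c2c87d29feb9because no identity-based policy allows the elasticloadbalancing:RegisterTargets action",
    "failed to gather listeners: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691074951041883380 is not authorized to perform: elasticloadbalancing:DescribeListeners because no identity-based policy allows the elasticloadbalancing:DescribeListeners action",
    "failed to delete listener: AccessDenied: User: arn:aws:sts::1234567:assumed-role/controllers.cluster-api-provider-aws.sigs.k8s.io/1691076578079834145 is not authorized to perform: elasticloadbalancing:DeleteListener on resource: arn:aws:elasticloadbalancing:eu-central-1:1234567:listener/net/mf-test-15/3cd170d5f965a313/aba6517893a2a672 because no identity-based policy allows the elasticloadbalancing:DeleteListener action",
]


def role_name(principal: str) -> str:
    """Role name from an STS assumed-role ARN (arn:aws:sts::acct:assumed-role/ROLE/SESSION)."""
    m = re.search(r"assumed-role/([^/]+)/", principal)
    return m.group(1) if m else principal


def generalize_arn(arn: str) -> str:
    """Assumed wildcarding rule: keep partition/service/region/account and the
    resource type, replace the cluster-specific name and ID with '*'."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or "/" not in parts[5]:
        return arn
    parts[5] = parts[5].split("/", 1)[0] + "/*"
    return ":".join(parts)


def statements_from_denials(lines, generalize: bool = True) -> dict:
    """Return {role_name: [IAM statement dicts]} covering every denied action."""
    per_role = {}
    for line in lines:
        m = _DENIED.search(line)
        if not m:
            continue  # not an AccessDenied message; ignore
        bucket = per_role.setdefault(role_name(m["principal"]), {"scoped": {}, "global": set()})
        if m["resource"]:
            res = generalize_arn(m["resource"]) if generalize else m["resource"]
            bucket["scoped"].setdefault(m["action"], set()).add(res)
        else:
            bucket["global"].add(m["action"])

    out = {}
    for role, b in per_role.items():
        stmts = []
        # One statement per distinct resource set keeps each grant tightly scoped.
        by_res = {}
        for action, res in b["scoped"].items():
            by_res.setdefault(tuple(sorted(res)), set()).add(action)
        for res, actions in sorted(by_res.items()):
            stmts.append({"Effect": "Allow", "Action": sorted(actions), "Resource": list(res)})
        if b["global"]:
            stmts.append({"Effect": "Allow", "Action": sorted(b["global"]), "Resource": "*"})
        out[role] = stmts
    return out


if __name__ == "__main__":
    # JSON is valid YAML, so each role's list can be pasted under extraStatements.
    print(json.dumps(statements_from_denials(SAMPLE_DENIALS), indent=2))
```

Run it after a failed reconcile with the controller log piped in and review the output before widening either role: the messages show the first denial came from the control-plane role and the rest from the controllers role, so the generated statements are keyed by role rather than merged, and with `generalize=False` the output keeps the exact per-cluster ARNs from the log for comparison.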
@k8s-ci-robot k8s-ci-robot added kind/bug Categorizes issue or PR as related to a bug. needs-priority needs-triage Indicates an issue or PR lacks a `triage/foo` label and requires one. labels Aug 3, 2023
@k8s-ci-robot (Contributor)

This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

@Skarlso (Contributor)

Skarlso commented Aug 10, 2023

I'm keen to understand how this was never an issue before. 🤔

3 participants