DNM/aws/creds: fix typo on permission name

[mtulio]

TODO: validate and open a bug

According to the AWS, and audit events collected by AWS CloudTrail[1] the correct permission/API name is kms:GenerateDataKeyWithoutPlaintext: https://docs.aws.amazon.com/kms/latest/APIReference/API_GenerateDataKeyWithoutPlaintext.html

I am tracking real issues of a CI step which is under development[0] to check required permissions versus requested permissions (CredentialsRequests) by OCP components. Here[1] is a preview of a user created to the controller.

[0] openshift/release#58651
[1] https://gcsweb-ci.apps.ci.l2s4.p1.openshiftapps.com/gcs/test-platform-results/pr-logs/pull/openshift_release/58651/rehearse-58651-periodic-ci-openshift-release-master-nightly-4.18-e2e-aws-ovn-audit-perms/1874577125499998208/artifacts/e2e-aws-ovn-audit-perms/gather-cloud-iam-access-aws/artifacts/compiled_users.json

[openshift-ci]

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by:
Once this PR has been reviewed and has the lgtm label, please assign elmiko for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[mtulio]

Hi @JoelSpeed , I am checking audit logs of API calls of OCP components, and looks like this change is mismatching. I didn't find the history of changes if AWS changed the name of this recently, but looks like would be nice to keep consistency with AWS API names. What do you think? Would it be valid to file a bug to address this?

[JoelSpeed]

Yeah I think this would make sense to double check. I wonder if AWS is silently dropping this permission if we are misspelling it? I'll poke our QE and get them to investigate

[JoelSpeed]

Had the QE folks test this, and as far as they can tell, everything appears to be working, even with the incorrect casing. If there's a mismatch that's causing noise though, lets get a bug filed and clean up the noise

[mtulio]

Had the QE folks test this, and as far as they can tell, everything appears to be working, even with the incorrect casing.

Yeah, that's a standardization only, AWS does not care much about case in the policy name.

$ aws iam simulate-principal-policy \
--policy-source-arn $IAM_ROLE_TEST \
--action-names kms:generatedatakeywithoutplaintext \
| jq -r '.EvaluationResults[] | [.EvalActionName, .EvalDecision]'
[
  "kms:generatedatakeywithoutplaintext",
  "allowed"
]

If there's a mismatch that's causing noise though, lets get a bug filed and clean up the noise

ACK. I will file it.