We want to push the discovery/testing of new permission requirements earlier in the development cycle, so that we have ample time to alert ROSA of any new permissions. It is also just good practice for us to take responsibility for this.

Two immediate tasks jump out for us to investigate:

• how to setup e2e tests for minimal permissions
• how to alert ROSA/docs when new permissions are needed

We also need to clarify how to approach the permissions required for the permutations of the installer.

FWIW QE does have an existing minimal install step: https://github.com/openshift/release/blob/master/ci-operator/step-registry/aws/provision/iam-user/minimal-permission/aws-provision-iam-user-minimal-permission-commands.sh

We may be able to leverage that, but it is probably worth brainstorming whether there are other options. One idea that I think is very interesting is whether we could actually embed the permissions, such as an IAM policy, that could be extracted from the installer and used to generate the role/user that runs the installer.