OpenShift Hosted Control Plane: HOSTEDCP-108

Define and implement explicit cloud permission model on AWS



      Use STS for Hosted Control Plane Authentication

      Problem

      We must define and codify the AWS policy requirements so users know what permissions they're granting HyperShift to provide managed clusters.

      Currently we don't explicitly define the AWS IAM policy or policies necessary for HyperShift to work. With a codified definition of the requirements, we can more easily get user feedback about whether the policies are acceptable.

      This issue tracks effort to introduce a more clearly and narrowly scoped cloud permissions model for AWS.

      Cloud provider credentials are currently used in the following contexts:

      • Kube Controller Manager (KCM) deployment
      • Kube API server deployment
      • Kube CSI driver cloud credentials
      • CAPI AWS provider

      Only the Kube Controller Manager and CAPI provider really need cloud credentials, so the CSI and API server usages should simply be removed.

      The KCM and CAPI components have separate responsibilities and different permission needs. Each of these components should use distinct AWS IAM policies that we define and support so that users have more control over the exposed surface area of accounts attached to those policies.

      User story

      As an end-user, I would like to understand the scope and permissions I am granting for cluster creation.


      Steps

      Based on prior discussions, a viable approach has two main parts:

      1. Update the HostedCluster API to replace the single ProviderCreds field with a new struct that embeds two credentials fields for the two known contexts (KCM and CAPI provider).
      2. Update the CLI to produce canonical AWS policy resources and make creating default accounts using those policies easy for tests and development.
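      As an added illustration of step 1 (example code, not HyperShift's own), the Go sketch below models the replacement for the single ProviderCreds field and the mount rule it makes enforceable: two Secret references, one per consumer, with the API server and CSI driver receiving none. The field and component names are assumptions, and LocalObjectReference stands in for the Kubernetes core type.

```go
package main

import "fmt"

// LocalObjectReference stands in for corev1.LocalObjectReference so the example runs stand-alone.
type LocalObjectReference struct{ Name string }

// AWSCredentials replaces the single ProviderCreds field with one Secret
// reference per consumer. The field names are assumptions for this example.
type AWSCredentials struct {
	KubeCloudControllerCreds LocalObjectReference // mounted only into the KCM deployment
	NodePoolManagementCreds  LocalObjectReference // mounted only into the CAPI AWS provider
}

type Component string

const (
	KubeControllerManager Component = "kube-controller-manager"
	CAPIProvider          Component = "capi-aws-provider"
	KubeAPIServer         Component = "kube-apiserver"
	CSIDriver             Component = "csi-driver"
)

// Validate enforces the split: both references set and distinct, so each
// Secret can carry an IAM policy scoped to exactly one consumer.
func Validate(creds AWSCredentials) error {
	kcm, capi := creds.KubeCloudControllerCreds.Name, creds.NodePoolManagementCreds.Name
	if kcm == "" || capi == "" || kcm == capi {
		return fmt.Errorf("KCM Secret %q and CAPI Secret %q must both be set and distinct", kcm, capi)
	}
	return nil
}

// CredentialFor returns the Secret a component may mount. Only KCM and the
// CAPI provider receive one; the API server and CSI driver are refused.
func CredentialFor(c Component, creds AWSCredentials) (string, error) {
	if err := Validate(creds); err != nil {
		return "", err
	}
	switch c {
	case KubeControllerManager:
		return creds.KubeCloudControllerCreds.Name, nil
	case CAPIProvider:
		return creds.NodePoolManagementCreds.Name, nil
	}
	return "", fmt.Errorf("%s is not granted cloud credentials", c)
}
```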


      References

      Github Issue

      People: Seth Jennings (sjenning), Adel Zaalouk (azaalouk), Jie Zhao