- Story
- Resolution: Done
- Critical
Hosted control planes have their API server fronted by a VPC Endpoint (VPCE) Service. This VPCE Service is created with a single allowed principal, the hosted cluster's kube-system-control-plane-operator IAM role:
arn:aws:iam::${AWS_ACC}:role/${CLUSTER}-kube-system-control-plane-operator
However, for managed HyperShift we need to add one more allowed principal per environment (i.e. one IAM role for staging and a different one for production): https://docs.google.com/document/d/1e-3pphlJ6JvfA8pb-Niw6bgCMPxpyvUn6wkeK8oAsRU/edit#
This is open for discussion on how it could be implemented, but in essence:
Done Criteria:
- Hosted Control Plane VPCE Services are able to have one additional allowed principal.
- Ideally this ARN is configurable and not hard-coded; however, the likelihood of it changing is very low.
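As an added example (not HyperShift or Hive code), the reconcile logic this story asks for, reduced to a pure function: build the desired allowed-principal set from the control-plane-operator role ARN pattern above plus an optional, environment-specific additional principal, then diff it against what the VPCE Service currently allows. The account IDs, cluster name and role names are constructed sample values, and the choice to schedule unexpected principals for removal is this example's assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// ControlPlaneOperatorRoleARN renders the default allowed principal using the
// ARN pattern from the story (account and cluster name are caller-supplied).
func ControlPlaneOperatorRoleARN(accountID, clusterName string) string {
	return fmt.Sprintf("arn:aws:iam::%s:role/%s-kube-system-control-plane-operator", accountID, clusterName)
}

// DesiredPrincipals returns the full set the VPCE Service should allow: the
// control-plane-operator role plus one optional additional principal (an empty
// string means none is configured for this environment).
func DesiredPrincipals(cpoRoleARN, additionalPrincipalARN string) []string {
	desired := []string{cpoRoleARN}
	if additionalPrincipalARN != "" && additionalPrincipalARN != cpoRoleARN {
		desired = append(desired, additionalPrincipalARN)
	}
	return desired
}

// PlanPermissionChanges diffs the currently allowed principals against the
// desired set. Principals not in the desired set are returned for removal, so
// a stale or unexpected role cannot keep reaching the hosted API server
// (assumption of this example; a real controller may choose to only add).
func PlanPermissionChanges(current, desired []string) (toAdd, toRemove []string) {
	want, have := map[string]bool{}, map[string]bool{}
	for _, p := range desired {
		want[p] = true
	}
	for _, p := range current {
		have[p] = true
	}
	for p := range want {
		if !have[p] {
			toAdd = append(toAdd, p)
		}
	}
	for p := range have {
		if !want[p] {
			toRemove = append(toRemove, p)
		}
	}
	sort.Strings(toAdd)
	sort.Strings(toRemove)
	return toAdd, toRemove
}

func main() {
	// Constructed sample values, not real accounts or roles.
	cpo := ControlPlaneOperatorRoleARN("123456789012", "hc-example")
	desired := DesiredPrincipals(cpo, "arn:aws:iam::210987654321:role/example-staging-privatelink-access")
	add, remove := PlanPermissionChanges([]string{cpo, "arn:aws:iam::999999999999:role/stale"}, desired)
	fmt.Println("add:", add, "remove:", remove)
}
```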
- is related to: HIVE-2063 Allow additional "allowed principals" to be reconciled to PrivateLink VPCE Services (Closed)