- Bug
- Resolution: Unresolved
- Normal
- None
- 4.16
- Moderate
- No
- False
Description of problem:
When the CCO is in the default mode, the secret annotator checks whether the root credential is sufficient for mint mode. If not, it then checks whether it is sufficient for passthrough mode against a static list of permissions required for that mode. That static list is outdated. For example, the permissions specified in credentialsrequest/openshift-ingress (for AWS), i.e.

    apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    ...
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: AWSProviderSpec
        statementEntries:
        - action:
          - elasticloadbalancing:DescribeLoadBalancers
          - route53:ListHostedZones
          - route53:ListTagsForResources
          - route53:ChangeResourceRecordSets
          - tag:GetResources
          - sts:AssumeRole
          effect: Allow
          resource: '*'
      secretRef:
        name: cloud-credentials
        namespace: openshift-ingress-operator
      serviceAccountNames:
      - ingress-operator

are different from the ones specified in the static list of permissions in CCO's code, i.e.

    // openshift-ingress
    "elasticloadbalancing:DescribeLoadBalancers",
    "route53:ListHostedZones",
    "route53:ChangeResourceRecordSets",
    "tag:GetResources",

see https://github.com/openshift/cloud-credential-operator/blob/5b3a050cfae7d53a7735093e61939cb119b101c6/pkg/aws/utils.go#L40-L44
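An added example (not code from this report or from cloud-credential-operator) that makes the mismatch checkable: it reads the action entries of the quoted CredentialsRequest, reproduced here as a constructed string, and reports which of them the static openshift-ingress list does not grant. The function names and the small line-based reader are assumptions of this example; for the lists quoted above the result is route53:ListTagsForResources and sts:AssumeRole.

```go
package main
import "strings"
// openshift-ingress block of the static passthrough list (pkg/aws/utils.go at the cited commit).
var staticIngressPerms = []string{
	"elasticloadbalancing:DescribeLoadBalancers", "route53:ListHostedZones",
	"route53:ChangeResourceRecordSets", "tag:GetResources",
}

// Constructed from the openshift-ingress CredentialsRequest quoted above (statementEntries only).
const ingressCredReq = `statementEntries:
- action:
  - elasticloadbalancing:DescribeLoadBalancers
  - route53:ListHostedZones
  - route53:ListTagsForResources
  - route53:ChangeResourceRecordSets
  - tag:GetResources
  - sts:AssumeRole
  effect: Allow
`

// ActionsFromCredReq collects every action under an "action:" key of each statement entry (no YAML library needed).
func ActionsFromCredReq(manifest string) (actions []string) {
	inAction := false
	for _, raw := range strings.Split(manifest, "\n") {
		line := strings.TrimSpace(raw)
		switch {
		case strings.HasSuffix(line, "action:"):
			inAction = true
		case inAction && strings.HasPrefix(line, "- "):
			actions = append(actions, strings.TrimPrefix(line, "- "))
		default:
			inAction = false // effect:, resource: or a blank line ends the list
		}
	}
	return
}

// MissingFromStatic is the drift check: actions the request needs that the static list would not grant.
func MissingFromStatic(static, required []string) (missing []string) {
	have := map[string]bool{}
	for _, a := range static {
		have[a] = true
	}
	for _, a := range required {
		if !have[a] {
			missing = append(missing, a)
		}
	}
	return
}
```

Running the same check over every CredentialsRequest manifest in the release payload against the full static list is the general form of this comparison.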
Additional info:
This issue is found for AWS and GCP.