Bug | Resolution: Unresolved | Major | 4.19, 4.20 | Quality / Stability / Reliability | False | 5 | Important | Rejected | In Progress | Release Note Not Required
SecretStore shows ReadWrite capability even though it was created with credentials that do not have the secretsmanager:GetSecretValue permission
Description of problem:
When a SecretStore is created with aws_minimal_permission credentials, the oc get ss command reports a STATUS of Valid and CAPABILITIES of ReadWrite for the SecretStore. However, when a Secret value is actually retrieved from AWS Secrets Manager through this SecretStore, the controller logs show an AccessDeniedException stating explicitly that the IAM user lacks the secretsmanager:GetSecretValue permission. This contradicts what oc get ss reports, so users misread the real permission status of the store.
Version-Release number of selected component (if applicable):
jitli@RedHat:~/work/src/test/eso$ oc get csv
NAME                               DISPLAY                                           VERSION   REPLACES   PHASE
external-secrets-operator.v0.1.0   External Secrets Operator for Red Hat OpenShift   0.1.0                Succeeded
How reproducible:
Steps to Reproduce:
1. Use an IAM user arn:aws:iam::30172115996:user/ci-op-07j5f2q-acb76-minimal-perm-installer that currently does not have the secretsmanager:GetSecretValue permission granted.
2. In an OpenShift cluster, create a SecretStore using the aforementioned AWS credentials.
jitli@RedHat:~/work/src/test/eso$ oc get ss
NAME                  AGE   STATUS   CAPABILITIES   READY
aws-secrets-manager   19m   Valid    ReadWrite      True
(Assuming aws-secrets-manager is the name of the created SecretStore)
3. Attempt to access or synchronize an AWS Secrets Manager Secret named jitliSecret via this SecretStore.
Actual results:
jitli@RedHat:~/work/src/test/eso$ oc logs -n external-secrets external-secrets-78944c9c88-58h55
err: AccessDeniedException: User: arn:aws:iam::301721915996:user/ci-op-07j5pf2q-acb76-minimal-perm-installer is not authorized to perform: secretsmanager:GetSecretValue on resource: jitliSecret because no identity-based policy allows the secretsmanager:GetSecretValue action\n\tstatus code: 400, "
Expected results:
With the minimal_permission credentials, the Secret retrieval will indeed fail with an insufficient-permission error; that part is expected.
The CAPABILITIES field of oc get ss should accurately reflect the actual permissions of the underlying AWS credentials.
Additional info:
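Until the CAPABILITIES column reflects the credential's real permissions, a cluster admin can cross-check it against the IAM policy and the controller log. The following script is an added example written for this report; it is not part of the External Secrets Operator. The log line is the one quoted above; the IAM policy document and the READ_ACTIONS/WRITE_ACTIONS sets are constructed assumptions (the report only names secretsmanager:GetSecretValue), and the capability names other than ReadWrite are illustrative.

```python
"""Cross-check a SecretStore's reported CAPABILITIES against what the
IAM policy allows and what the controller log shows as denied.

Added example for this bug report; not operator code. The log text is
copied from the report, the policy and action sets are constructed.
"""
import json
import re
from fnmatch import fnmatch

# Matches the AccessDeniedException text AWS returns for an IAM-denied call.
ACCESS_DENIED_RE = re.compile(
    r"AccessDeniedException: User: (?P<principal>\S+) is not authorized to "
    r"perform: (?P<action>[\w-]+:[\w*]+) on resource: (?P<resource>\S+)"
)

# Assumed action sets (not from the report): what a credential needs for
# the read and write halves of a ReadWrite capability on Secrets Manager.
READ_ACTIONS = {"secretsmanager:GetSecretValue", "secretsmanager:DescribeSecret"}
WRITE_ACTIONS = {"secretsmanager:CreateSecret", "secretsmanager:PutSecretValue"}


def parse_access_denied(log_text):
    """Return one dict (principal, action, resource) per AccessDeniedException."""
    return [m.groupdict() for m in ACCESS_DENIED_RE.finditer(log_text)]


def action_allowed(policy, action):
    """True if an Allow statement covers `action` (wildcards such as
    'secretsmanager:*' supported) and no Deny statement covers it."""
    allowed = denied = False
    for stmt in policy.get("Statement", []):
        actions = stmt.get("Action", [])
        if isinstance(actions, str):
            actions = [actions]
        if any(fnmatch(action, pattern) for pattern in actions):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied


def effective_capability(policy):
    """Derive the capability the credential really has from its policy."""
    can_read = all(action_allowed(policy, a) for a in READ_ACTIONS)
    can_write = all(action_allowed(policy, a) for a in WRITE_ACTIONS)
    return {(True, True): "ReadWrite", (True, False): "ReadOnly",
            (False, True): "WriteOnly"}.get((can_read, can_write), "None")


def capability_mismatch(reported, policy, log_text):
    """Compare the CAPABILITIES column with the policy and the log.
    Returns (mismatch?, effective capability, sorted denied actions)."""
    effective = effective_capability(policy)
    denied = sorted({d["action"] for d in parse_access_denied(log_text)})
    return effective != reported, effective, denied


# Copied from the report's `oc logs` output (the literal "\n\t" as it appeared).
CONTROLLER_LOG = (
    "err: AccessDeniedException: User: arn:aws:iam::301721915996:user/"
    "ci-op-07j5pf2q-acb76-minimal-perm-installer is not authorized to perform: "
    "secretsmanager:GetSecretValue on resource: jitliSecret because no "
    "identity-based policy allows the secretsmanager:GetSecretValue action"
    "\\n\\tstatus code: 400"
)

# Constructed policy: a "minimal permission" user that can describe and
# write secrets but was never granted GetSecretValue.
MINIMAL_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["secretsmanager:ListSecrets", "secretsmanager:DescribeSecret",
                "secretsmanager:CreateSecret", "secretsmanager:PutSecretValue"],
     "Resource": "*"}
  ]
}""")

if __name__ == "__main__":
    mismatch, effective, denied = capability_mismatch(
        "ReadWrite", MINIMAL_POLICY, CONTROLLER_LOG)
    print(f"reported=ReadWrite effective={effective} mismatch={mismatch}")
    print(f"actions denied in log: {denied}")
```

Run it against the real policy document (aws iam get-user-policy or get-policy-version output) and the controller log; a mismatch with the column, or any denied action in the log, is the signal that the ReadWrite value should not be trusted for that store.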