EBS CSI Policy doesn't work with VolumeAttributesClass tagging #630

@dmitriishaburov

Description

I searched for issues and found #562.
But while using version 6.2.3 of the module with the EBS CSI Driver, I'm still not able to modify a volume using VolumeAttributesClass:

type="Warning" reason="VolumeModifyFailed" message="rpc error: code = Internal desc = Could not modify volume tags "vol-xx": operation error EC2: CreateTags, https response error StatusCode: 403, RequestID: id, api error UnauthorizedOperation: You are not authorized to perform this operation. User: <user> is not authorized to perform: ec2:CreateTags on resource: <resource> because no identity-based policy allows the ec2:CreateTags action.

Completely removing this condition allows the driver to tag existing volumes.

The example policy for using VAC doesn't have any conditions.

PS: I also filed an issue in the driver repository to update the example policy: kubernetes-sigs/aws-ebs-csi-driver#2799

Versions

  • Module version [Required]: 6.2.3
  • Terraform version: Terraform v1.12.2
  • Provider version(s): provider registry.terraform.io/hashicorp/aws v6.15.0

Reproduction Code [Required]

Steps to reproduce the behavior:

  • Deploy EBS CSI Driver IRSA policy using this module
  • Try to modify existing EBS volume tags using VolumeAttributesClass

Expected behavior

VolumeAttributesClass working as intended
