From cb2aac7477660064c0e8bbeccd1d1aac28706853 Mon Sep 17 00:00:00 2001
From: Federico Bonfigli <fbonfigl@redhat.com>
Date: Wed, 29 Apr 2026 17:48:11 +0200
Subject: [PATCH] Add SetSecurityGroups IAM permission

Adds the elasticloadbalancing:SetSecurityGroups IAM permission
required for the BYO Security Group feature for AWS NLBs by AWS CCM.
This permission is needed so that the controller can associate or
disassociate security groups on AWS NLBs without deletion and
recreation of the NLB.
---
 ...openshift_hcp_kube_controller_manager_credentials_policy.json | 1 +
 1 file changed, 1 insertion(+)

diff --git a/resources/sts/hypershift/openshift_hcp_kube_controller_manager_credentials_policy.json b/resources/sts/hypershift/openshift_hcp_kube_controller_manager_credentials_policy.json
index e2ebdc6372..7ac24d4685 100644
--- a/resources/sts/hypershift/openshift_hcp_kube_controller_manager_credentials_policy.json
+++ b/resources/sts/hypershift/openshift_hcp_kube_controller_manager_credentials_policy.json
@@ -79,6 +79,7 @@
         "elasticloadbalancing:ModifyTargetGroup",
         "elasticloadbalancing:DeleteTargetGroup",
         "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
+        "elasticloadbalancing:SetSecurityGroups",
         "elasticloadbalancing:CreateLoadBalancerListeners",
         "elasticloadbalancing:DeleteLoadBalancerListeners",
         "elasticloadbalancing:AttachLoadBalancerToSubnets",