---
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  annotations:
    capability.openshift.io/name: MachineAPI+CloudCredential
    exclude.release.openshift.io/internal-openshift-hosted: "true"
    include.release.openshift.io/self-managed-high-availability: "true"
  creationTimestamp: "2025-10-11T10:25:20Z"
  generation: 1
  labels:
    controller-tools.k8s.io: "1.0"
  managedFields:
  - apiVersion: cloudcredential.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:metadata:
        f:annotations:
          .: {}
          f:capability.openshift.io/name: {}
          f:exclude.release.openshift.io/internal-openshift-hosted: {}
          f:include.release.openshift.io/self-managed-high-availability: {}
        f:labels:
          .: {}
          f:controller-tools.k8s.io: {}
        f:ownerReferences:
          .: {}
          k:{"uid":"d5f199fe-acec-4610-b505-6d5fa3929e77"}: {}
      f:spec:
        .: {}
        f:providerSpec:
          .: {}
          f:apiVersion: {}
          f:kind: {}
          f:statementEntries: {}
        f:secretRef: {}
        f:serviceAccountNames: {}
    manager: cluster-version-operator
    operation: Update
    time: "2025-10-11T10:25:20Z"
  - apiVersion: cloudcredential.openshift.io/v1
    fieldsType: FieldsV1
    fieldsV1:
      f:status:
        .: {}
        f:conditions: {}
        f:lastSyncGeneration: {}
        f:provisioned: {}
    manager: cloud-credential-operator
    operation: Update
    subresource: status
    time: "2025-10-11T10:26:47Z"
  name: openshift-machine-api-aws
  namespace: openshift-cloud-credential-operator
  ownerReferences:
  - apiVersion: config.openshift.io/v1
    controller: true
    kind: ClusterVersion
    name: version
    uid: d5f199fe-acec-4610-b505-6d5fa3929e77
  resourceVersion: "2834"
  uid: 2b807c85-43ba-4b44-9c76-33a6c92fae74
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: AWSProviderSpec
    statementEntries:
    - action:
      - ec2:CreateTags
      - ec2:DescribeAvailabilityZones
      - ec2:DescribeDhcpOptions
      - ec2:DescribeImages
      - ec2:DescribeInstances
      - ec2:DescribeInstanceTypes
      - ec2:DescribeInternetGateways
      - ec2:DescribeSecurityGroups
      - ec2:DescribeRegions
      - ec2:DescribeSubnets
      - ec2:DescribeVpcs
      - ec2:RunInstances
      - ec2:TerminateInstances
      - elasticloadbalancing:DescribeLoadBalancers
      - elasticloadbalancing:DescribeTargetGroups
      - elasticloadbalancing:DescribeTargetHealth
      - elasticloadbalancing:RegisterInstancesWithLoadBalancer
      - elasticloadbalancing:RegisterTargets
      - elasticloadbalancing:DeregisterTargets
      - iam:PassRole
      - iam:CreateServiceLinkedRole
      effect: Allow
      resource: '*'
    - action:
      - kms:Decrypt
      - kms:Encrypt
      - kms:GenerateDataKey
      - kms:GenerateDataKeyWithoutPlainText
      - kms:DescribeKey
      effect: Allow
      resource: '*'
    - action:
      - kms:RevokeGrant
      - kms:CreateGrant
      - kms:ListGrants
      effect: Allow
      policyCondition:
        Bool:
          kms:GrantIsForAWSResource: true
      resource: '*'
  secretRef:
    name: aws-cloud-credentials
    namespace: openshift-machine-api
  serviceAccountNames:
  - machine-api-controllers
status:
  conditions:
  - lastProbeTime: "2025-10-11T10:26:47Z"
    lastTransitionTime: "2025-10-11T10:26:47Z"
    message: CredentialsRequest is not for platform None
    reason: InfrastructureMismatch
    status: "True"
    type: Ignored
  lastSyncGeneration: 0
  provisioned: false