From ce340c60598614dedc7cda1a511f4f1a1340711c Mon Sep 17 00:00:00 2001
From: Arnaud Meukam
Date: Thu, 4 Jan 2024 23:19:14 +0100
Subject: [PATCH] Add permission needed for service-linked role creation

Attempting to fix:
- https://github.com/kubernetes/kops/issues/16218
by adding the permission needed for the AWS CCM to create a service-linked role for the elastic lb service.

Signed-off-by: Arnaud Meukam
---
 pkg/model/iam/iam_builder.go | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 2a68a256614eb..e4585b4a98b76 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -831,6 +831,7 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 "elasticloadbalancing:DescribeLoadBalancerPolicies",
 "elasticloadbalancing:DescribeTargetGroups",
 "elasticloadbalancing:DescribeTargetHealth",
+"iam:CreateServiceLinkedRole",
 "kms:DescribeKey",
 )
@@ -884,7 +885,7 @@ func AddCCMPermissions(p *Policy, cloudRoutes bool) {
 }
 }
-// AddAWSLoadbalancerControllerPermissions adds the permissions needed for the AWS Load Balancer Controller to the givnen policy
+// AddAWSLoadbalancerControllerPermissions adds the permissions needed for the AWS Load Balancer Controller to the given policy
 func AddAWSLoadbalancerControllerPermissions(p *Policy, enableWAF, enableWAFv2, enableShield bool) {
 p.unconditionalAction.Insert(
 "cognito-idp:DescribeUserPoolClient",
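Review bot: The added `"iam:CreateServiceLinkedRole"` in the first hunk is placed in the same action set as the read-only `Describe*` calls, and if that set is emitted as an unconditional Allow on all resources (as the `p.unconditionalAction.Insert(` call visible further down suggests, though the surrounding call is outside this hunk) it lets the CCM's node role create service-linked roles for any AWS service, not just Elastic Load Balancing. Since the commit message scopes the intent to the ELB service, this should be a separate statement restricted with `"Condition": {"StringEquals": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}}` — and, where the builder can express it, a resource of the form `arn:<partition>:iam::*:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing` — which matches how the upstream cloud-provider-aws example policy grants it. A short why-comment on the new line, e.g. `// lets the CCM create the ELB service-linked role on first use (kops #16218)`, would also tell a later reader why a single IAM write action sits among read-only permissions. `AddCCMPermissions` begins and ends outside the hunk.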