- s3:GetObject
- s3:PutObject
- s3:PutObjectTagging
- For clusters that store the OIDC configuration in a private S3 bucket that is accessed by the IAM identity provider through a public CloudFront distribution URL, the AWS account that runs the ccoctl utility requires the cloudfront:ListDistributions permission.