From 382855d7d19d0c3cec4c89046a882823d850d211 Mon Sep 17 00:00:00 2001
From: Jesse Haka
Date: Sun, 12 Feb 2023 21:51:16 +0200
Subject: [PATCH 1/2] remove s3 access from nodes if using none dns
---
 pkg/model/iam/iam_builder.go | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)
diff --git a/pkg/model/iam/iam_builder.go b/pkg/model/iam/iam_builder.go
index 4134426ef2..ac340b80c3 100644
--- a/pkg/model/iam/iam_builder.go
+++ b/pkg/model/iam/iam_builder.go
@@ -465,9 +465,11 @@ func (r *NodeRoleNode) BuildAWSPolicy(b *PolicyBuilder) (*Policy, error) {
 b.addNodeupPermissions(p, r.enableLifecycleHookPermissions)
- var err error
- if p, err = b.AddS3Permissions(p); err != nil {
- return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
+ if !b.Cluster.UsesNoneDNS() {
+ var err error
+ if p, err = b.AddS3Permissions(p); err != nil {
+ return nil, fmt.Errorf("failed to generate AWS IAM S3 access statements: %v", err)
+ }
 }
 if b.Cluster.Spec.IAM != nil && b.Cluster.Spec.IAM.AllowContainerRegistry {
From e7c4506e367546f884f63dfe94c8c944dcc9bf00 Mon Sep 17 00:00:00 2001
From: Jesse Haka
Date: Sun, 12 Feb 2023 21:57:45 +0200
Subject: [PATCH 2/2] hack/update-expected.sh
---
 ..._iam_role_policy_nodes.minimal.example.com_policy | 12 ------------
 1 file changed, 12 deletions(-)
diff --git a/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy b/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
index b6eaf07f36..18d649f9e2 100644
--- a/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
+++ b/tests/integration/update_cluster/minimal-dns-none/data/aws_iam_role_policy_nodes.minimal.example.com_policy
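Review bot: The new `if !b.Cluster.UsesNoneDNS()` gate in BuildAWSPolicy ties the node role's S3 read statements to the DNS mode without recording why the two are related, so a comment above it would help, e.g. `// With DNS "none" nodes do not read the state store directly, so the S3 read statements are omitted.` (that reason is inferred from the commit subject and should be confirmed against how nodes bootstrap in that topology). Dropping `s3:ListBucket`/`s3:GetBucketLocation` on the read bucket is a welcome least-privilege tightening, but the second patch shows the node policy losing bucket access entirely, so it is worth checking that nothing else nodeup fetches in this topology still comes from that bucket, otherwise node bootstrap would fail with AccessDenied rather than at policy-generation time. While the `fmt.Errorf` line is being re-added, `%w` instead of `%v` would keep the underlying error reachable via `errors.Is`/`errors.As`. BuildAWSPolicy continues outside the hunk.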
@@ -1,17 +1,5 @@ { "Statement": [ - { - "Action": [ - "s3:GetBucketLocation", - "s3:GetEncryptionConfiguration", - "s3:ListBucket", - "s3:ListBucketVersions" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws-test:s3:::placeholder-read-bucket" - ] - }, { "Action": [ "autoscaling:DescribeAutoScalingInstances",