From 352241d9f56a3fbd4070462851f7d803d008ec30 Mon Sep 17 00:00:00 2001
From: Thuan Vo
Date: Wed, 21 Jan 2026 17:53:00 -0800
Subject: [PATCH] CORS-4055: migrate IAM API calls to AWS SDK v2
The commit is an incremental step to migrate AWS API calls to AWS SDK v2. This focuses on IAM clients in the pkg/asset and dependent pkg(s).
---
 pkg/asset/installconfig/aws/validation.go | 15 +++++++++------
 1 file changed, 9 insertions(+), 6 deletions(-)
diff --git a/pkg/asset/installconfig/aws/validation.go b/pkg/asset/installconfig/aws/validation.go
index bb8e31e9644..bb6a1725515 100644
--- a/pkg/asset/installconfig/aws/validation.go
+++ b/pkg/asset/installconfig/aws/validation.go
@@ -10,10 +10,10 @@ import (
 "sort"
 ec2v2 "github.com/aws/aws-sdk-go-v2/service/ec2"
+ "github.com/aws/aws-sdk-go-v2/service/iam"
 "github.com/aws/aws-sdk-go/aws"
 "github.com/aws/aws-sdk-go/aws/endpoints"
 "github.com/aws/aws-sdk-go/service/ec2"
- "github.com/aws/aws-sdk-go/service/iam"
 "github.com/aws/aws-sdk-go/service/route53"
 "github.com/sirupsen/logrus"
 "k8s.io/apimachinery/pkg/util/sets"
@@ -946,19 +946,22 @@ func isHostedZoneAssociatedWithVPC(hostedZone *route53.GetHostedZoneOutput, vpcI
 }
 func validateInstanceProfile(ctx context.Context, meta *Metadata, fldPath *field.Path, pool *awstypes.MachinePool) *field.Error {
- session, err := meta.Session(ctx)
+ client, err := NewIAMClient(ctx, EndpointOptions{
+ Region: meta.Region,
+ Endpoints: meta.Services,
+ })
 if err != nil {
- return field.InternalError(fldPath, fmt.Errorf("unable to retrieve aws session: %w", err))
+ return field.InternalError(fldPath, fmt.Errorf("unable to retrieve iam client: %w", err))
 }
- client := iam.New(session)
- res, err := client.GetInstanceProfileWithContext(ctx, &iam.GetInstanceProfileInput{
+
+ res, err := client.GetInstanceProfile(ctx, &iam.GetInstanceProfileInput{
 InstanceProfileName: aws.String(pool.IAMProfile),
 })
 if err != nil {
 msg := fmt.Errorf("unable to retrieve instance profile: %w", err).Error()
 return field.Invalid(fldPath, pool.IAMProfile, msg)
 }
- if len(res.InstanceProfile.Roles) == 0 || res.InstanceProfile.Roles[0] == nil {
+ if len(res.InstanceProfile.Roles) == 0 {
 return field.Invalid(fldPath, pool.IAMProfile, "no role attached to instance profile")
 }
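Review bot: The role check in validateInstanceProfile still dereferences `res.InstanceProfile` without a nil guard. The client is now built from `meta.Services`, which looks like a set of configurable endpoint overrides, so a response that omits the profile element would presumably panic the validator instead of producing a field error. I would write the check as `if res.InstanceProfile == nil || len(res.InstanceProfile.Roles) == 0 {`. Separately, `aws.String(pool.IAMProfile)` still resolves to the v1 `github.com/aws/aws-sdk-go/aws` import kept in the first hunk; it compiles because both take `*string`, but a comment marking it for a later migration step would help. The function body continues outside this hunk.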