diff --git a/cmd/infra/aws/iam.go b/cmd/infra/aws/iam.go
index 6776237ae48..b3e39c6c528 100644
--- a/cmd/infra/aws/iam.go
+++ b/cmd/infra/aws/iam.go
@@ -68,7 +68,32 @@ const (
 "ec2:ModifyVolume"
 ],
 "Resource": "*"
- }
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:Decrypt",
+ "kms:Encrypt",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlainText",
+ "kms:DescribeKey"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "kms:RevokeGrant",
+ "kms:CreateGrant",
+ "kms:ListGrants"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "Bool": {
+ "kms:GrantIsForAWSResource": true
+ }
+ }
+ }
 ]
 }`
diff --git a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
index 8864f288f5f..8007310c955 100644
--- a/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
+++ b/control-plane-operator/hostedclusterconfigoperator/controllers/resources/resources.go
@@ -903,7 +903,6 @@ func (r *reconciler) reconcileCloudCredentialSecrets(ctx context.Context, hcp *h
 }
 for arn, secret := range map[string]*corev1.Secret{
 hcp.Spec.Platform.AWS.RolesRef.IngressARN: manifests.AWSIngressCloudCredsSecret(),
- hcp.Spec.Platform.AWS.RolesRef.StorageARN: manifests.AWSStorageCloudCredsSecret(),
 hcp.Spec.Platform.AWS.RolesRef.ImageRegistryARN: manifests.AWSImageRegistryCloudCredsSecret(),
 } {
 err := syncSecret(secret, arn)
diff --git a/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go b/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
index f377b964cf2..34cbd87253c 100644
--- a/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
+++ b/hypershift-operator/controllers/hostedcluster/internal/platform/aws/aws.go
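Review bot: The first added statement grants `kms:Decrypt`, `kms:Encrypt`, `kms:GenerateDataKey` and `kms:GenerateDataKeyWithoutPlainText` on `"Resource": "*"` with no condition, while the grant statement right after it is narrowed with `kms:GrantIsForAWSResource`. If this role exists only for EBS volume encryption, as the accompanying `AWSEBSCSIDriverCredsSecret` change suggests, a `kms:ViaService` condition would stop the role from exercising customer keys through any other service: `"Condition": { "StringEquals": { "kms:ViaService": "ec2.<REGION>.amazonaws.com" } }` (REGION is a placeholder for the cluster region; key policies still have to admit the role separately). Separately, `kms:GenerateDataKeyWithoutPlainText` works only because IAM compares action names case-insensitively; the documented spelling is `kms:GenerateDataKeyWithoutPlaintext`, and matching it makes the policy easier to audit against AWS references. The `const (` block that holds this policy string starts before the hunk, and the hunk header's line counts suggest one blank context line was lost in the paste.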
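Review bot: Removing `StorageARN` from this map stops the guest-cluster reconciler from managing the secret returned by `manifests.AWSStorageCloudCredsSecret()`, but nothing in the commit deletes that object from clusters that already have it, so an upgraded hosted cluster keeps a stale credentials secret alongside the new control-plane-side `ebs-cloud-credentials` one. If the old secret is meant to go away, this reconciler should delete it explicitly (tolerating not-found) for a release or two, or the commit message should state that the leftover is intentional. `manifests.AWSStorageCloudCredsSecret` may also have no remaining callers after this change; I cannot confirm that from the hunk. The enclosing `reconcileCloudCredentialSecrets` starts before and ends after the hunk.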
@@ -259,6 +259,7 @@ web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
 hcluster.Spec.Platform.AWS.RolesRef.NodePoolManagementARN: NodePoolManagementCredsSecret(controlPlaneNamespace),
 hcluster.Spec.Platform.AWS.RolesRef.ControlPlaneOperatorARN: ControlPlaneOperatorCredsSecret(controlPlaneNamespace),
 hcluster.Spec.Platform.AWS.RolesRef.NetworkARN: CloudNetworkConfigControllerCredsSecret(controlPlaneNamespace),
+ hcluster.Spec.Platform.AWS.RolesRef.StorageARN: AWSEBSCSIDriverCredsSecret(controlPlaneNamespace),
 } {
 err := syncSecret(secret, arn)
 if err != nil {
@@ -376,3 +377,12 @@ func CloudNetworkConfigControllerCredsSecret(controlPlaneNamespace string) *core
 },
 }
 }
+
+func AWSEBSCSIDriverCredsSecret(controlPlaneNamespace string) *corev1.Secret {
+ return &corev1.Secret{
+ ObjectMeta: metav1.ObjectMeta{
+ Namespace: controlPlaneNamespace,
+ Name: "ebs-cloud-credentials",
+ },
+ }
+}
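Review bot: `AWSEBSCSIDriverCredsSecret` is exported but carries no doc comment, and the hard-coded name `"ebs-cloud-credentials"` is a contract with whatever consumes the secret, so it deserves a sentence: `// AWSEBSCSIDriverCredsSecret returns the Secret object, in controlPlaneNamespace, into which the EBS CSI driver's AWS credentials are synced; the name "ebs-cloud-credentials" is what the consuming component expects.` Adjust the wording if `syncSecret` does more than write the `StorageARN` into it, since only the call site is visible in the first hunk. The other `*CredsSecret` helpers above this function are outside the hunk, so I cannot tell whether they follow the same documentation convention.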