
Misleading error message when KMS permissions are missing for snapshot restoration #2685

@clayrosenthal

Is your feature request related to a problem?/Why is this needed
When attempting to create a PVC from a VolumeSnapshot that references an encrypted EBS snapshot, if the CSI driver's IAM role lacks KMS permissions, the
error message is misleading:

failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-81b3839e-77dc-4596-9484-94d290d06f57": timed out waiting for volume to create: operation error EC2: DescribeVolumes, https response error StatusCode: 400, RequestID: 93c6d159-6b5b-4cbb-ad04-7602fa03435f, api error InvalidVolume.NotFound: The volume 'vol-xxxxxxxxxxx' does not exist.

Expected behavior:
The error should indicate that KMS permissions are required, such as:

Failed to create volume from encrypted snapshot: Missing KMS permissions kms:Decrypt on resource arn:xxx:kms:xxx

Actual behavior:
The error reports InvalidVolume.NotFound which suggests the volume doesn't exist, when the actual issue is insufficient KMS permissions to decrypt and
use the encrypted snapshot.

Steps to reproduce:

  1. Create an encrypted EBS snapshot
  2. Create VolumeSnapshotContent and VolumeSnapshot referencing the encrypted snapshot
  3. Create a PVC with the VolumeSnapshot as dataSource
  4. Ensure the EBS CSI driver's IAM role lacks KMS permissions

Environment:
• EBS CSI Driver version: 1.45.0
• Kubernetes version: 1.31
• EKS version: 1.31

Impact:
This misleading error message significantly increases troubleshooting time as it points users in the wrong direction (looking for missing volumes instead
of checking IAM/KMS permissions).
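As an added example (not driver code from the report or the project), the kind of error translation this request asks for: when a volume created from an encrypted snapshot disappears and DescribeVolumes comes back with InvalidVolume.NotFound, wrap the raw error with a KMS hint instead of passing the misleading message through. The apiError interface mirrors the ErrorCode method of AWS SDK v2 errors, the ec2Error type is a constructed stand-in so the code runs offline, and the KMS actions named beyond kms:Decrypt are the ones typically required by an EBS CSI key policy (assumption).

```go
package main

import (
	"errors"
	"fmt"
)

// apiError is the subset of the smithy-go APIError interface that AWS SDK v2
// errors satisfy; only ErrorCode is needed here (assumption).
type apiError interface {
	error
	ErrorCode() string
}

// ec2Error is a constructed stand-in for an SDK API error so the example runs offline.
type ec2Error struct{ code, msg string }

func (e *ec2Error) Error() string     { return e.code + ": " + e.msg }
func (e *ec2Error) ErrorCode() string { return e.code }

// SnapshotSource describes the snapshot the volume was being created from,
// as reported by DescribeSnapshots before provisioning starts.
type SnapshotSource struct {
	SnapshotID string
	Encrypted  bool
	KMSKeyID   string // key ARN; empty when not known
}

// ExplainCreateFromSnapshotError returns err unchanged unless the symptom from
// the report is present: the source snapshot is encrypted and the create path
// ended in InvalidVolume.NotFound (the volume failed KMS key use and vanished).
// In that case the raw error is wrapped with the permissions to check.
func ExplainCreateFromSnapshotError(err error, src SnapshotSource) error {
	var ae apiError
	if !errors.As(err, &ae) || ae.ErrorCode() != "InvalidVolume.NotFound" || !src.Encrypted {
		return err
	}
	key := src.KMSKeyID
	if key == "" {
		key = "<unknown KMS key>"
	}
	return fmt.Errorf("failed to create volume from encrypted snapshot %s: the volume was "+
		"removed right after creation, which indicates the driver's IAM role lacks KMS "+
		"permissions (kms:Decrypt, kms:GenerateDataKeyWithoutPlaintext, kms:CreateGrant) "+
		"on %s: %w", src.SnapshotID, key, err)
}

func main() {
	// Constructed error chain shaped like the one quoted in the report.
	raw := fmt.Errorf("timed out waiting for volume to create: %w",
		&ec2Error{"InvalidVolume.NotFound", "The volume 'vol-xxxxxxxxxxx' does not exist."})
	src := SnapshotSource{SnapshotID: "snap-EXAMPLE", Encrypted: true,
		KMSKeyID: "arn:aws:kms:REGION:ACCOUNT:key/EXAMPLE"}
	fmt.Println(ExplainCreateFromSnapshotError(raw, src))
}
```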
