aws-controllers-k8s / community

AWS Controllers for Kubernetes (ACK) is a project enabling you to manage AWS services from Kubernetes
https://aws-controllers-k8s.github.io/community/
Apache License 2.0

Role policyRef with name AmazonS3FullAccess not found #2036

Closed wlawton closed 6 months ago

wlawton commented 6 months ago

Just making my first ACK deployments today. Deployed the s3-controller and iam-controller and thought I'd start by creating a Role resource to provide the s3-controller with full IAM permissions on S3 via IRSA. I was hoping that I could use the policyRefs section to link the role to an existing IAM policy, e.g.

policyRefs:
    - from:
        name: AmazonS3FullAccess

But iam-controller is logging an error:

error","controller":"role","controllerGroup":"iam.services.k8s.aws","controllerKind":"Role","Role":{"name":"ack-s3-controller","namespace":"utilities"},"namespace":"utilities","name":"ack-s3-controller","reconcileID":"b0ec24e5-a486-44c8-a4b3-f6b58d5be093","error":"policies.iam.services.k8s.aws \"AmazonS3FullAccess\" not found"

I guess i've misunderstood the function of the policyRefs attribute.

wlawton commented 6 months ago

I considered that perhaps you're only meant to reference policies created by ACK in the policyRefs block, so I set about creating a policy (see spec below). Unfortunately this results in the following deployment error:

Resource not found in cluster: iam.services.k8s.aws/v1alpha1/Policy:myNicePolicy

apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  labels:
    argocd.argoproj.io/instance: aws-resources
  name: myNicePolicy
  namespace: utilities
spec:
  description: This is a lovely policy
  name: myNicePolicy
  policyDocument: >-
    {"Version":"2012-10-17","Statement":[{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"},{"Effect":"Allow","Action":["s3:List*"],"Resource":["*"]}]}

a-hilaly commented 6 months ago

Hi @wlawton, in ACK, resource references should be pointing to other ACK resources. For example, an IAM role can reference an IAM Policy. These references must point to the respective resource metadata.name.

If you want to directly attach an AWS Policy, you need to use something like:

policies:
- arn:aws:iam::aws:policy/AmazonS3FullAccess
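
Putting the two mechanisms side by side, the following is an added example (not taken from the issue, the ACK examples repo or the controller's test fixtures) of an ACK Policy plus a Role for the s3-controller's IRSA identity. The Role attaches the ACK-managed Policy through `policyRefs` (pointing at its `metadata.name`), while the commented `policies` entry shows the by-ARN alternative from the comment above. `assumeRolePolicyDocument` is the Role field that carries the trust policy; the account ID, region, OIDC provider ID and bucket-name prefix are placeholders, and the namespace/service-account pair is assumed to match the Role name used in this thread.

```yaml
# Added example; account ID, region, OIDC provider ID and bucket prefix are placeholders.
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: ack-s3-controller-buckets   # must be a lower-case DNS subdomain name
  namespace: utilities
spec:
  name: ack-s3-controller-buckets   # the IAM policy name as seen in AWS
  description: Bucket management for the ACK s3-controller, limited to buckets named utilities-*
  policyDocument: |
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Action": "s3:ListAllMyBuckets",
          "Resource": "*"
        },
        {
          "Effect": "Allow",
          "Action": ["s3:CreateBucket", "s3:DeleteBucket", "s3:ListBucket",
                     "s3:Get*", "s3:Put*", "s3:Delete*"],
          "Resource": ["arn:aws:s3:::utilities-*", "arn:aws:s3:::utilities-*/*"]
        }
      ]
    }
---
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: ack-s3-controller
  namespace: utilities
spec:
  name: ack-s3-controller
  description: IRSA role for the ACK s3-controller
  # Trust policy: only the s3-controller's service account in this cluster may assume the role.
  assumeRolePolicyDocument: |
    {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::123456789012:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:sub": "system:serviceaccount:utilities:ack-s3-controller",
            "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE:aud": "sts.amazonaws.com"
          }
        }
      }]
    }
  # Reference to the ACK-managed Policy above, by its Kubernetes metadata.name.
  policyRefs:
    - from:
        name: ack-s3-controller-buckets
  # Alternative: attach an existing AWS policy directly by ARN (no ACK Policy resource needed).
  # policies:
  #   - arn:aws:iam::aws:policy/AmazonS3FullAccess
```

The two lists are not interchangeable: `policies` takes IAM policy ARNs that already exist in the account, whereas `policyRefs` resolves Kubernetes resource names in the cluster and will fail with a `not found` error, as in the log above, until a matching ACK Policy object exists and has been reconciled.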

a-hilaly commented 6 months ago

@wlawton For your second example, I don't think argo will be able to deploy that resource since the metadata.name isn't respecting the naming standards. Quoting:

By convention, the names of Kubernetes resources should be up to maximum length of 253 characters and consist of lower case alphanumeric characters, -, and .
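
Both problems in the Policy above (a CamelCase `metadata.name` and a policy document that the controller may reject) can be caught before `kubectl apply` or an Argo sync. The following pre-flight check is an added example, not code from ACK or from the issue: it validates `metadata.name` against the RFC 1123 subdomain rule Kubernetes enforces, parses `spec.policyDocument` as IAM JSON, and additionally warns when an Allow statement grants a wildcard action on `Resource: "*"`. The sample manifests are constructed here to mirror the two Policy specs in this thread.

```python
"""Pre-flight checks for an ACK iam.services.k8s.aws/v1alpha1 Policy manifest.

Added example, not part of the ACK project. Uses only the standard library.
"""
import json
import re

# RFC 1123 DNS subdomain: what Kubernetes requires for metadata.name.
_DNS_SUBDOMAIN = re.compile(
    r"^[a-z0-9]([-a-z0-9]*[a-z0-9])?(\.[a-z0-9]([-a-z0-9]*[a-z0-9])?)*$"
)
_MAX_NAME_LEN = 253


def check_k8s_name(name: str) -> list[str]:
    """Return the problems with a metadata.name; an empty list means it is valid."""
    problems = []
    if len(name) > _MAX_NAME_LEN:
        problems.append(f"name longer than {_MAX_NAME_LEN} characters")
    if not _DNS_SUBDOMAIN.match(name):
        problems.append(
            "name must be lower-case alphanumerics, '-' and '.', "
            "starting and ending with an alphanumeric"
        )
    return problems


def _as_list(value):
    """IAM allows Action/Resource/Statement as a scalar or a list; normalise."""
    return value if isinstance(value, list) else [value]


def check_policy_document(doc: str) -> list[str]:
    """Return problems with an IAM policy document given as a JSON string."""
    try:
        policy = json.loads(doc)
    except json.JSONDecodeError as exc:
        return [f"policyDocument is not valid JSON: {exc.msg} at char {exc.pos}"]
    if not isinstance(policy, dict):
        return ["policyDocument must be a JSON object"]
    problems = []
    if "Version" not in policy:
        problems.append("Version missing; IAM then defaults to 2008-10-17")
    statements = policy.get("Statement")
    if not statements:
        return problems + ["Statement is missing or empty"]
    for i, stmt in enumerate(_as_list(statements)):
        if not isinstance(stmt, dict) or stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        # s3:* (or *) on every resource is the "full access" shape worth a second look.
        if any(a == "*" or str(a).endswith(":*") for a in actions) and "*" in resources:
            problems.append(
                f"Statement[{i}] allows a wildcard Action on Resource '*'; "
                "scope it to the buckets the controller needs"
            )
    return problems


def check_policy_manifest(manifest: dict) -> list[str]:
    """Run both checks over a parsed (dict) ACK Policy manifest."""
    problems = check_k8s_name(manifest["metadata"]["name"])
    problems += check_policy_document(manifest["spec"]["policyDocument"])
    return problems


# Constructed samples modelled on the two Policy specs posted in this thread.
FIRST_ATTEMPT = {
    "apiVersion": "iam.services.k8s.aws/v1alpha1",
    "kind": "Policy",
    "metadata": {"name": "myNicePolicy", "namespace": "utilities"},
    "spec": {
        "name": "myNicePolicy",
        "policyDocument": '{"Version":"2012-10-17","Statement":['
        '{"Effect":"Allow","Action":"s3:ListAllMyBuckets","Resource":"arn:aws:s3:::*"},'
        '{"Effect":"Allow","Action":["s3:List*"],"Resource":["*"]}]}',
    },
}
SECOND_ATTEMPT = {
    "apiVersion": "iam.services.k8s.aws/v1alpha1",
    "kind": "Policy",
    "metadata": {"name": "simple-secure-storage-full-access"},
    "spec": {
        "name": "simple-secure-storage-full-access",
        "policyDocument": '{"Version": "2012-10-17","Statement": '
        '[{"Effect": "Allow","Action": ["s3:*"],"Resource": ["*"]}]}',
    },
}
SCOPED = {
    "metadata": {"name": "utilities-bucket-access"},
    "spec": {
        "policyDocument": '{"Version":"2012-10-17","Statement":[{"Effect":"Allow",'
        '"Action":["s3:ListBucket","s3:GetObject","s3:PutObject"],'
        '"Resource":["arn:aws:s3:::utilities-data","arn:aws:s3:::utilities-data/*"]}]}',
    },
}

if __name__ == "__main__":
    for label, m in ("first", FIRST_ATTEMPT), ("second", SECOND_ATTEMPT), ("scoped", SCOPED):
        print(label, check_policy_manifest(m) or "ok")
```

Run it on a manifest loaded with your YAML parser of choice before committing; the first attempt fails only on the name, the second passes the name check but trips the wildcard warning, and the bucket-scoped variant is clean.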

a-hilaly commented 6 months ago

ACK has a tiny place for examples; you can find more here :) https://github.com/aws-controllers-k8s/examples/blob/main/resources/iam/v1alpha1/policy.yaml - or you can take a look at the resources that are used to test the controllers: https://github.com/aws-controllers-k8s/iam-controller/blob/main/test/e2e/resources/role_referring.yaml

wlawton commented 6 months ago

Thank you @a-hilaly, your policies suggestion for my Role definition worked a treat and I now have my IAM role established.

Regarding my faulty policy though, my Policy definition is copied from the example you referenced, so still scratching my head a bit on that one.

a-hilaly commented 6 months ago

@wlawton So regarding the names we use such as $POLICY_NAME, those are getting replaced during the tests by simple names like policy-name-12345, but yeah, technically they are faulty as well.

a-hilaly commented 6 months ago

I agree that maybe for the examples repository we should avoid using $POLICY_NAME as example since they can be confusing..

wlawton commented 6 months ago

I was using ArgoCD to deploy my resources but switched to executing helmfile locally to get better debug output and discovered I needed to change my policy name and also my policy document was being rejected. I arrived at the following helm chart config which is deploying fine now. Thanks again for your help.

apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: {{ .Values.policyName }}
spec:
  name: {{ .Values.policyName }}
  description: "An IAM Policy that can be linked to zero or more IAM Roles"
  policyDocument: {{ .Values.policyDocument | quote }}
  {{- with .Values.tags }}
  tags:
  {{- toYaml . | nindent 4 }}
  {{- end }}

values.yaml:

policyName: simple-secure-storage-full-access
tags:
  - key: tag1
    value: val1
policyDocument: |
  {"Version": "2012-10-17","Statement": [{"Effect": "Allow","Action": ["s3:*"],"Resource": ["*"]}]}