[X] Yes, I've searched similar issues on GitHub and didn't find any.
Amazon EKS Blueprints Release version
4.3.0
What is your environment, configuration and the example used?
I'm using the crossplane example with EKS 1.22, altough any case of enable_crossplane = true with either enabling the AWS or Terrajet provider is relevant for this issue:
# Crossplane
enable_crossplane = true
# Creates ProviderConfig -> jet-aws-provider
crossplane_jet_aws_provider = {
enable = true
provider_aws_version = "v0.4.1"
# NOTE: Crossplane requires Admin like permissions to create and update resources similar to Terraform deploy role.
# This example config uses AmazonS3FullAccess for demo purpose only, but you should select a policy with the minimum permissions required to provision your resources.
additional_irsa_policies = ["arn:aws:iam::aws:policy/AmazonS3FullAccess"]
}
What did you do and What did you see instead?
Deploying a S3 Bucket via kubectl apply -f jet-aws-provider-s3.yaml results in the following error (logs from the terrajet-pod):
2022-07-06T20:04:26.684Z DEBUG provider-jet-aws Reconciling {"controller": "managed/s3.aws.jet.crossplane.io/v1alpha2, kind=bucket", "request": "/xplane-jet-aws-s3-bucket"}
2022-07-06T20:04:26.704Z DEBUG provider-jet-aws Cannot connect to provider {"controller": "managed/s3.aws.jet.crossplane.io/v1alpha2, kind=bucket", "request": "/xplane-jet-aws-s3-bucket", "uid": "a420ca1e-1072-465d-aecf-73418c71377f", "version": "25735", "external-name": "euris-crossplane-test-bucket", "error": "cannot get terraform setup: failed to use pod service account: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: db8fe84c-baf1-46b6-a6a8-48b4ce61e4e9", "errorVerbose": "AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: db8fe84c-baf1-46b6-a6a8-48b4ce61e4e9\nfailed to use pod service account\ngithub.com/crossplane-contrib/provider-jet-aws/internal/clients.TerraformSetupBuilder.func1\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/internal/clients/aws.go:65\ngithub.com/crossplane/terrajet/pkg/controller.(*Connector).Connect\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/github.com/crossplane/terrajet/pkg/controller/external.go:91\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/github.com/crossplane/crossplane-runtime/pkg/reconciler/managed/reconciler.go:668\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:298\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:214\nruntime.goexit\n\t/opt/hostedtoolcache/go/1.16.13/x64/src/runtime/asm_amd64.s:1371\ncannot get terraform setup\ngithub.com/crossplane/terrajet/pkg/controller.(*Connector).Connect\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/github.com/crossplane/terrajet/pkg/controller/external.go:93\ngithub.com/crossplane/crossplane-runtime/pkg/reconciler/managed.(*Reconciler).Reconcile\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/github.com/crossplane/crossplane-runtime/pkg/reconciler/managed/reconciler.go:668\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:298\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:253\nsigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2\n\t/home/runner/work/provider-jet-aws/provider-jet-aws/vendor/sigs.k8s.io/controller-runtime/pkg/internal/controller/controller.go:214\nruntime.goexit\n\t/opt/hostedtoolcache/go/1.16.13/x64/src/runtime/asm_amd64.s:1371"}
2022-07-06T20:04:26.704Z DEBUG controller-runtime.manager.events Warning {"object": {"kind":"Bucket","name":"xplane-jet-aws-s3-bucket","uid":"a420ca1e-1072-465d-aecf-73418c71377f","apiVersion":"s3.aws.jet.crossplane.io/v1alpha2","resourceVersion":"25735"}, "reason": "CannotConnectToProvider", "message": "cannot get terraform setup: failed to use pod service account: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: db8fe84c-baf1-46b6-a6a8-48b4ce61e4e9"}
So, basically it seems to be an IRSA issue: (...) AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403 (...). The following trust relationship is getting deployed to the IAM role eks-blueprints-dev-jet-aws-provider-irsa:
The Terrajet Provider generates a service account with a random string attached to it, e.g. jet-aws-provider-b42c59584ad8. This obviously makes it necessary to use a wildcard in the trust relationship. StringEquals doesn't work with wildcards though, StringLike would work. I also have to remove the sts.amazonaws.com-line to make it work. (edit: this is wrong and actually works)
Welcome to Amazon EKS Blueprints!
Amazon EKS Blueprints Release version
4.3.0
What is your environment, configuration and the example used?
I'm using the crossplane example with EKS 1.22, altough any case of
enable_crossplane = true
with either enabling the AWS or Terrajet provider is relevant for this issue:What did you do and What did you see instead?
Deploying a S3 Bucket via
kubectl apply -f jet-aws-provider-s3.yaml
results in the following error (logs from the terrajet-pod):So, basically it seems to be an IRSA issue:
(...) AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403 (...)
. The following trust relationship is getting deployed to the IAM roleeks-blueprints-dev-jet-aws-provider-irsa
:The Terrajet Provider generates a service account with a random string attached to it, e.g.
jet-aws-provider-b42c59584ad8
. This obviously makes it necessary to use a wildcard in the trust relationship.StringEquals
doesn't work with wildcards though,StringLike
would work.I also have to remove the(edit: this is wrong and actually works)sts.amazonaws.com
-line to make it work.The following edit works for me:
The same thing applies to the crossplane AWS provider.
Additional Information