Describe the bug
On updating blueprints to 1.16.1, the aws-load-balancer-controller is raising AccessDenied errors (not authorized to perform: elasticloadbalancing:DescribeListenerAttributes) when managing load balancers that existed prior to the update.
Appears to be due to the update to 1.9.0 of the AWS load balancer controller changing the permissions required.
Expected Behavior
The load balancer controller should continue to manage existing load balancers.
Current Behavior
On deployment of the new aws-load-balancer-controller, the following error is produced when reconciling the existing load balancers.
{"level":"error","ts":"2024-10-27T23:47:55Z","msg":"Reconciler error","controller":"service","namespace":"NAMESPACE","name":"APPLICATION","reconcileID":"xxxx","error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: xxxx, api error AccessDenied: User: arn:aws:sts::ACCOUNT_ID:assumed-role/generated/role is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action"}
Reproduction Steps
Currently using the default values for AwsLoadBalancerControllerAddOn:
new blueprints.addons.AwsLoadBalancerControllerAddOn()
Possible Solution
Expand the permissions in https://github.com/aws-quickstart/cdk-eks-blueprints/blob/f2de8ccf223eb44dcccb07e84995724b8dbf10f4/lib/addons/aws-loadbalancer-controller/iam-policy.ts#L40 to allow listing and modifying listener attributes, matching what is recommended in https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/main/docs/install/iam_policy.json#L43
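As an added example (not code from cdk-eks-blueprints or the aws-load-balancer-controller project), the TypeScript below pulls the denied principal and action out of the controller's Reconciler error line and checks whether an IAM policy document names that action, so a missing permission can be spotted from the controller logs and the addon policy verified before a rollout. The two policy documents are constructed stand-ins, not the addon's actual iam-policy.ts; elasticloadbalancing:ModifyListenerAttributes is the write-side action the possible solution refers to when it says "modifying listener attributes", and the Resource and Condition scoping of the upstream policy is not modelled.

```typescript
// Added example, not code from cdk-eks-blueprints or the aws-load-balancer-controller.
// 1. Parse the controller's structured "Reconciler error" line for the denied action.
// 2. Check an IAM policy document for that action (and the listener-attribute
//    actions the 1.9.0 chart needs) so gaps are caught before the controller reconciles.

interface IamStatement {
  Effect: "Allow" | "Deny";
  Action: string | string[];
  Resource: string | string[];
  Condition?: Record<string, unknown>;
}

interface IamPolicy {
  Version: string;
  Statement: IamStatement[];
}

interface AccessDenied {
  principal: string;
  action: string;
}

// The error field is free text inside a JSON log line; extract the assumed-role
// principal and the IAM action from the AccessDenied message.
function parseAccessDenied(logLine: string): AccessDenied | null {
  let entry: { error?: string };
  try {
    entry = JSON.parse(logLine);
  } catch {
    return null; // not a structured log line
  }
  const m = /User: (\S+) is not authorized to perform: (\S+)/.exec(entry.error ?? "");
  return m ? { principal: m[1], action: m[2] } : null;
}

function escapeRe(s: string): string {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// IAM action patterns may contain "*" and are matched case-insensitively.
function actionMatches(pattern: string, action: string): boolean {
  const re = new RegExp("^" + pattern.split("*").map(escapeRe).join(".*") + "$", "i");
  return re.test(action);
}

// True when some Allow statement names the action. Resource and Condition
// scoping are deliberately not evaluated: this answers only "is the action
// granted anywhere in the document", which is the gap the issue describes.
function policyNamesAction(policy: IamPolicy, action: string): boolean {
  return policy.Statement.some((s) => {
    if (s.Effect !== "Allow") return false;
    const patterns = Array.isArray(s.Action) ? s.Action : [s.Action];
    return patterns.some((p) => actionMatches(p, action));
  });
}

function missingActions(policy: IamPolicy, required: string[]): string[] {
  return required.filter((a) => !policyNamesAction(policy, a));
}

// Constructed sample input: the log line from the issue, placeholders included.
const SAMPLE_LOG_LINE = `{"level":"error","ts":"2024-10-27T23:47:55Z","msg":"Reconciler error","controller":"service","namespace":"NAMESPACE","name":"APPLICATION","reconcileID":"xxxx","error":"operation error Elastic Load Balancing v2: DescribeListenerAttributes, https response error StatusCode: 403, RequestID: xxxx, api error AccessDenied: User: arn:aws:sts::ACCOUNT_ID:assumed-role/generated/role is not authorized to perform: elasticloadbalancing:DescribeListenerAttributes because no identity-based policy allows the elasticloadbalancing:DescribeListenerAttributes action"}`;

// Listener-attribute actions: Describe is the one the log shows, Modify is the
// write-side counterpart the fix should add alongside it.
const LISTENER_ATTRIBUTE_ACTIONS = [
  "elasticloadbalancing:DescribeListenerAttributes",
  "elasticloadbalancing:ModifyListenerAttributes",
];

// Constructed, minimal stand-in for a pre-1.9.0 policy: listeners can be
// described and modified, listener attributes cannot.
const POLICY_BEFORE: IamPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers"], Resource: "*" },
    { Effect: "Allow", Action: ["elasticloadbalancing:ModifyListener"], Resource: "*" },
  ],
};

// The same constructed policy with the two listener-attribute actions added.
const POLICY_AFTER: IamPolicy = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeListenerAttributes"], Resource: "*" },
    { Effect: "Allow", Action: ["elasticloadbalancing:ModifyListener", "elasticloadbalancing:ModifyListenerAttributes"], Resource: "*" },
  ],
};

// Stand-alone run: what the log line says, and what each policy lacks.
console.log("denied:", parseAccessDenied(SAMPLE_LOG_LINE));
console.log("missing before:", missingActions(POLICY_BEFORE, LISTENER_ATTRIBUTE_ACTIONS));
console.log("missing after:", missingActions(POLICY_AFTER, LISTENER_ATTRIBUTE_ACTIONS));
```

Feeding the real policy document rendered by the addon (for instance the JSON CDK synthesizes for the controller's IAM role) into missingActions gives a pre-deployment check; the parse step is the same pattern a log alert on the controller's "Reconciler error" lines would use to surface which action and which assumed role were denied.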
Additional Information/Context
Extra IAM policy permissions are required as of version v1.9.0 of the aws-load-balancer-controller helm chart: https://github.com/kubernetes-sigs/aws-load-balancer-controller/releases/tag/v2.9.0
CDK CLI Version
2.164.1
EKS Blueprints Version
1.16.1
Node.js Version
20.18.0
Environment details (OS name and version, etc.)
AL2023
Other information
No response