crossplane-contrib / provider-jet-aws

AWS Provider for Crossplane that is built with Terrajet.
https://crossplane.io
Apache License 2.0

Failing to create AWS IAM Role #176

Open LookMumNoBackup opened 2 years ago

LookMumNoBackup commented 2 years ago

What happened?

I wanted to create an AWS IAM Role using the jet-aws provider, yet it seems to fail already with the provided example manifest.

How can we reproduce it?

I simply created the resource with the following manifest ...

apiVersion: iam.aws.jet.crossplane.io/v1alpha2
kind: Role
metadata:
  name: sample-eks-cluster
spec:
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: jet-aws-provider

... after a while I got the following final state ...

apiVersion: iam.aws.jet.crossplane.io/v1alpha2
kind: Role
metadata:
  annotations:
    crossplane.io/external-name: sample-eks-cluster
    ...
  name: sample-eks-cluster
status:
  atProvider: {}
  conditions:
    - lastTransitionTime: '2022-03-21T16:48:09Z'
      message: >-
        connect failed: cannot get terraform setup: failed to use pod service
        account: unknown endpoint, could not resolve endpoint, partition: "aws",
        service: "sts", region: "", known: [ap-northeast-2 eu-central-1
        eu-west-2 sa-east-1 us-east-2-fips us-west-1 ap-east-1 ap-northeast-1
        ap-southeast-2 aws-global ca-central-1 us-east-1-fips us-east-2
        us-west-2 ap-southeast-1 eu-north-1 eu-south-1 eu-west-3 us-east-1
        us-west-1-fips us-west-2-fips af-south-1 ap-south-1 eu-west-1
        me-south-1]
      reason: ReconcileError
      status: 'False'
      type: Synced
spec:
  deletionPolicy: Delete
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: jet-aws-provider

What environment did it happen in?

Crossplane version: 1.6.1

haarchri commented 2 years ago

Is the issue still relevant? With static credentials everything is working as expected. Were you using InjectedIdentity or assumeRoleARN for cross-account access?

provider is running from master:

NAME                                                READY   SYNCED   EXTERNAL-NAME        AGE
role.iam.aws.jet.crossplane.io/sample-eks-cluster   True    True     sample-eks-cluster   2m

bendyna-vitalii commented 2 years ago

Any updates? I'm using spec.credentials.source: InjectedIdentity and it doesn't work, the same error message - couldn't find a region

BGrasnick commented 2 years ago

We have the same problem when creating IAM roles with spec.credentials.source: InjectedIdentity... Any progress?

nascimento commented 2 years ago

The same happens with policy:

status:
  atProvider: {}
  conditions:
    - lastTransitionTime: '2022-06-27T14:14:41Z'
      message: >-
        connect failed: cannot get terraform setup: failed to use pod service
        account: unknown endpoint, could not resolve endpoint, partition: "aws",
        service: "sts", region: "", known: [ap-northeast-2 aws-global
        eu-central-1 eu-west-2 us-east-2 eu-west-1 us-west-1-fips us-west-2-fips
        sa-east-1 us-east-1 us-east-1-fips ap-south-1 ap-southeast-1
        ap-southeast-2 eu-north-1 eu-south-1 us-east-2-fips us-west-1 us-west-2
        me-south-1 af-south-1 ap-east-1 ap-northeast-1 ca-central-1 eu-west-3]
      reason: ReconcileError
      status: 'False'
      type: Synced
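The two status blocks in this thread carry the same failure signature, so here is an added diagnostic helper (not code from the provider or from any commenter) that parses the Synced condition message and distinguishes the case seen here, an empty region with no way to build an STS endpoint, from a region the partition simply does not know. The sample message is constructed from the issue's own text, abridged to a shorter known-region list.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Diagnosis summarises an endpoint-resolution failure taken from a managed
// resource's Synced condition message.
type Diagnosis struct {
	Partition string
	Service   string
	Region    string
	Known     []string
	Problem   string // "", "region-empty" or "region-unknown"
}

// endpointErr matches the message layout shown in the issue's status blocks.
// The message is a YAML folded scalar, so whitespace is normalised first.
var endpointErr = regexp.MustCompile(
	`could not resolve endpoint, partition: "([^"]*)", service: "([^"]*)", ` +
		`region: "([^"]*)", known: \[([^\]]*)\]`)

// DiagnoseEndpointError returns ok=false when the message is not an
// endpoint-resolution error at all.
func DiagnoseEndpointError(message string) (d Diagnosis, ok bool) {
	m := endpointErr.FindStringSubmatch(strings.Join(strings.Fields(message), " "))
	if m == nil {
		return Diagnosis{}, false
	}
	d = Diagnosis{Partition: m[1], Service: m[2], Region: m[3], Known: strings.Fields(m[4])}
	switch {
	case d.Region == "":
		d.Problem = "region-empty" // no region reached the SDK: the pod identity path cannot pick an STS endpoint
	case !contains(d.Known, d.Region):
		d.Problem = "region-unknown" // a region was set, but the partition's endpoint table has no entry for it
	}
	return d, true
}

func contains(list []string, s string) bool {
	for _, v := range list {
		if v == s {
			return true
		}
	}
	return false
}

// sampleMessage is constructed from the condition message in this issue (abridged known list).
const sampleMessage = `connect failed: cannot get terraform setup: failed to use pod service
account: unknown endpoint, could not resolve endpoint, partition: "aws",
service: "sts", region: "", known: [ap-northeast-2 eu-central-1
eu-west-2 sa-east-1 us-east-2-fips us-west-1 ap-east-1 aws-global us-east-1]`

func main() {
	d, ok := DiagnoseEndpointError(sampleMessage)
	fmt.Printf("parsed=%v service=%s region=%q problem=%s known=%d\n", ok, d.Service, d.Region, d.Problem, len(d.Known))
}
```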