Open quanhk711 opened 4 months ago
Hi! As you pointed out, it looks like you're failing to assume the cross-account role.
Did you complete step #2?

> In the AWS account A hosting your EKS cluster, create and attach an IAM policy with sts assume permissions to the cross-account IAM role created in Step 1. Attach this policy to the IAM role associated with the service account of the driver's controller service.

```json
{
  "Version": "2012-10-17",
  "Statement": {
    "Effect": "Allow",
    "Action": "sts:AssumeRole",
    "Resource": "arn:aws:iam::123456789012:role/EFSCrossAccountAccessRole"
  }
}
```

Also, your policy looks correct, TF_AWSEfsCsiDriverIAMPolicy_preprod, but we recommend that customers use the EFS managed policy instead, AmazonEFSCSIDriverPolicy.
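The maintainer's reply describes three IAM links that all have to hold before the controller can describe mount targets in the other account: the driver's service-account role must be allowed to call sts:AssumeRole on the cross-account role, that role's trust policy must name the driver role as a principal, and the cross-account role must itself be allowed to call elasticfilesystem:DescribeMountTargets. The following is an added example, not code from this thread or from the aws-efs-csi-driver project: an offline checker that takes the three policy documents as exported from IAM and reports which link is missing. The driver role ARN, account 111122223333, the file-system ARN and the policy documents other than the sts:AssumeRole statement quoted above are constructed for illustration; explicit Deny wins over Allow, but NotAction, NotResource and Condition blocks are not modelled.

```python
"""Offline check of the three IAM links behind cross-account EFS CSI mounts.

Added example (not the driver's own code). Policy documents are plain dicts
as returned by `aws iam get-policy-version` / `aws iam get-role`.
"""
import fnmatch


def _as_list(value):
    """IAM lets a single string stand in for a one-element list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _statement_covers(stmt, action, resource):
    """Does this statement's Action/Resource match the request? IAM actions are
    case-insensitive; resources are case-sensitive; '*' and '?' are wildcards."""
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    return (any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in actions)
            and any(fnmatch.fnmatchcase(resource, r) for r in resources))


def identity_policy_allows(policy, action, resource):
    """True if an identity policy grants `action` on `resource`. An explicit
    Deny anywhere in the document wins over any Allow."""
    stmts = _as_list(policy.get("Statement"))
    if any(s.get("Effect") == "Deny" and _statement_covers(s, action, resource) for s in stmts):
        return False
    return any(s.get("Effect") == "Allow" and _statement_covers(s, action, resource) for s in stmts)


def trust_policy_allows(trust_policy, principal_arn):
    """True if the role trust policy lets `principal_arn` call sts:AssumeRole.
    Accepts the exact role ARN, the principal's account root (by ARN or bare
    account id), or a wildcard principal."""
    account = principal_arn.split(":")[4]
    accepted = {principal_arn, f"arn:aws:iam::{account}:root", account, "*"}
    for s in _as_list(trust_policy.get("Statement")):
        if s.get("Effect") != "Allow":
            continue
        if not any(fnmatch.fnmatchcase("sts:assumerole", a.lower()) for a in _as_list(s.get("Action"))):
            continue
        principal = s.get("Principal")
        if principal == "*":
            return True
        if isinstance(principal, dict) and set(_as_list(principal.get("AWS"))) & accepted:
            return True
    return False


def check_cross_account_efs(driver_role_arn, driver_policy, cross_account_role_arn,
                            trust_policy, cross_account_policy, file_system_arn):
    """Return a list of findings; an empty list means all three links are in place."""
    findings = []
    if not identity_policy_allows(driver_policy, "sts:AssumeRole", cross_account_role_arn):
        findings.append(f"driver role policy does not allow sts:AssumeRole on {cross_account_role_arn}")
    if not trust_policy_allows(trust_policy, driver_role_arn):
        findings.append(f"trust policy of {cross_account_role_arn} does not trust {driver_role_arn}")
    if not identity_policy_allows(cross_account_policy, "elasticfilesystem:DescribeMountTargets", file_system_arn):
        findings.append(f"{cross_account_role_arn} cannot call elasticfilesystem:DescribeMountTargets on {file_system_arn}")
    return findings


# Constructed sample documents (assumptions, not taken from the thread, except
# the EFSCrossAccountAccessRole ARN). Account A (111122223333) runs EKS and the
# driver; account B (123456789012) owns the file system.
DRIVER_ROLE_ARN = "arn:aws:iam::111122223333:role/efs-csi-controller-sa-role"
CROSS_ACCOUNT_ROLE_ARN = "arn:aws:iam::123456789012:role/EFSCrossAccountAccessRole"
FILE_SYSTEM_ARN = "arn:aws:elasticfilesystem:us-west-2:123456789012:file-system/fs-0123456789abcdef0"

DRIVER_POLICY = {  # attached to the controller service account's IAM role (account A)
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": "sts:AssumeRole", "Resource": CROSS_ACCOUNT_ROLE_ARN},
}
GOOD_TRUST_POLICY = {  # trust relationship on EFSCrossAccountAccessRole (account B)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": DRIVER_ROLE_ARN}, "Action": "sts:AssumeRole"}],
}
BAD_TRUST_POLICY = {  # common mistake: trusts account B's own root instead of the driver role in A
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::123456789012:root"},
                   "Action": "sts:AssumeRole"}],
}
CROSS_ACCOUNT_POLICY = {  # permissions policy on EFSCrossAccountAccessRole (account B)
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["elasticfilesystem:DescribeMountTargets"],
                   "Resource": FILE_SYSTEM_ARN}],
}


def demo():
    """Run the checker against the good and the misconfigured trust policy."""
    good = check_cross_account_efs(DRIVER_ROLE_ARN, DRIVER_POLICY, CROSS_ACCOUNT_ROLE_ARN,
                                   GOOD_TRUST_POLICY, CROSS_ACCOUNT_POLICY, FILE_SYSTEM_ARN)
    bad = check_cross_account_efs(DRIVER_ROLE_ARN, DRIVER_POLICY, CROSS_ACCOUNT_ROLE_ARN,
                                  BAD_TRUST_POLICY, CROSS_ACCOUNT_POLICY, FILE_SYSTEM_ARN)
    return good, bad


if __name__ == "__main__":
    for name, findings in zip(("good", "bad"), demo()):
        print(name, findings or "OK")
```

When the static check passes but mounts still fail, confirm the live path from a pod running under the controller's service account: `sts.assume_role` with the cross-account role ARN, then `efs.describe_mount_targets` with the temporary credentials; an AccessDenied on the first call points at the driver policy or the trust relationship, on the second at the cross-account role's permissions.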
Yes, I have completed step 2.
The Kubernetes project currently lacks enough contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After a period of inactivity, lifecycle/stale is applied
- After further inactivity once lifecycle/stale was applied, lifecycle/rotten is applied
- After further inactivity once lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle stale
- Close this issue with /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle stale
The Kubernetes project currently lacks enough active contributors to adequately respond to all issues.
This bot triages un-triaged issues according to the following rules:
- After a period of inactivity, lifecycle/stale is applied
- After further inactivity once lifecycle/stale was applied, lifecycle/rotten is applied
- After further inactivity once lifecycle/rotten was applied, the issue is closed
You can:
- Mark this issue as fresh with /remove-lifecycle rotten
- Close this issue with /close
Please send feedback to sig-contributor-experience at kubernetes/community.
/lifecycle rotten
/kind bug

For cross-account provisioning, the efs-csi-driver needs an IAM role to describe the mount targets of the EFS file system. The driver will select an IP address from one of the mount targets on the EFS file system to perform the cross-account mount.
The describe-mount-target IAM role wasn't working when following this blog post: https://aws.amazon.com/blogs/storage/mount-amazon-efs-file-systems-cross-account-from-amazon-eks/
What happened?
How to reproduce it (as minimally and precisely as possible)?
TF_AWSEfsCsiDriverIAMPolicy_preprod (EKS account xxxx-A):
EFSCrossAccountAccessAssumeRoleCorpPREPROD trust relationships (EFS account xxxx-B):
Amazon EFS CSI Driver version: v1.7.5-eksbuild.2