kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

[v2]SubscriptionRequiredException: The AWS Access Key Id needs a subscription for the service #1579

Closed icyxp closed 3 years ago

icyxp commented 3 years ago

AWS China region: cn-northwest-1

iam policy { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeTags", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cognito-idp:DescribeUserPoolClient", "acm:ListCertificates", "acm:DescribeCertificate", "iam:ListServerCertificates", "iam:GetServerCertificate", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf-regional:AssociateWebACL", "waf-regional:DisassociateWebACL", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL", "shield:GetSubscriptionState", "shield:DescribeProtection", "shield:CreateProtection", "shield:DeleteProtection" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws-cn:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateSecurityGroup" }, "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": "arn:aws-cn:ec2:*:*:security-group/*", "Condition": { "Null": { 
"aws:RequestTag/elbv2.k8s.aws/cluster": "true", "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:DeleteSecurityGroup" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:CreateRule", "elasticloadbalancing:DeleteRule" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags" ], "Resource": [ "arn:aws-cn:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/net/*/*", "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/app/*/*" ], "Condition": { "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "true", "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetSecurityGroups", "elasticloadbalancing:SetSubnets", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:SetWebAcl", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:RemoveListenerCertificates", "elasticloadbalancing:ModifyRule" ], "Resource": "*" 
} ] }

error: ` {"level":"error","ts":1603940367.307082,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"openapi-gateway","namespace":"openapi-prod","error":"SubscriptionRequiredException: The AWS Access Key Id needs a subscription for the service\n\tstatus code: 400, request id: 436e78ca-e81a-4453-92ff-30927ec5a69c"}

{"level":"info","ts":1603940368.3373978,"logger":"controllers.ingress","msg":"successfully built model","model":"{\"id\":\"platform-prod/passport\",\"resources\":{\"AWS::EC2::SecurityGroup\":{\"ManagedLBSecurityGroup\":{\"spec\":{\"groupName\":\"k8s-platform-passport-2a688f3659\",\"description\":\"[k8s] Managed SecurityGroup for LoadBalancer\",\"tags\":{\"CreateTime\":\"20201028\",\"EnvType\":\"prod\",\"ImportantLevel\":\"very-important\",\"Monitored\":\"Yes\",\"Name\":\"passprot-prod\",\"Owner\":\"peng.xu\",\"Task\":\"DEVOPS-105\",\"Team\":\"platform\"},\"ingress\":[{\"ipProtocol\":\"tcp\",\"fromPort\":80,\"toPort\":80,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]},{\"ipProtocol\":\"tcp\",\"fromPort\":443,\"toPort\":443,\"ipRanges\":[{\"cidrIP\":\"0.0.0.0/0\"}]}]}}},\"AWS::ElasticLoadBalancingV2::Listener\":{\"443\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":443,\"protocol\":\"HTTPS\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}],\"certificates\":[{\"certificateARN\":\"arn:aws-cn:iam::xxxxxx:server-certificate/a_com_20211103\"}],\"sslPolicy\":\"ELBSecurityPolicy-2016-08\"}},\"80\":{\"spec\":{\"loadBalancerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN\"},\"port\":80,\"protocol\":\"HTTP\",\"defaultActions\":[{\"type\":\"fixed-response\",\"fixedResponseConfig\":{\"contentType\":\"text/plain\",\"statusCode\":\"404\"}}]}}},\"AWS::ElasticLoadBalancingV2::ListenerRule\":{\"443:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"forward\",\"forwardConfig\":{\"targetGroups\":[{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/platform-prod/passport-w-platform-passport:http/status/targetGroupARN\
"}}]}}],\"conditions\":[{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":[\"/\"]}}]}},\"80:1\":{\"spec\":{\"listenerARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::Listener/80/status/listenerARN\"},\"priority\":1,\"actions\":[{\"type\":\"redirect\",\"redirectConfig\":{\"port\":\"443\",\"protocol\":\"HTTPS\",\"statusCode\":\"HTTP_301\"}}],\"conditions\":[{\"field\":\"path-pattern\",\"pathPatternConfig\":{\"values\":[\"/\"]}}]}}},\"AWS::ElasticLoadBalancingV2::LoadBalancer\":{\"LoadBalancer\":{\"spec\":{\"name\":\"k8s-platform-passport-d5995e9283\",\"type\":\"application\",\"scheme\":\"internet-facing\",\"ipAddressType\":\"ipv4\",\"subnetMapping\":[{\"subnetID\":\"subnet-03fdc85118291cf09\"},{\"subnetID\":\"subnet-0c809182d99c8c442\"},{\"subnetID\":\"subnet-0a090540c7857ce38\"}],\"securityGroups\":[{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}],\"loadBalancerAttributes\":[{\"key\":\"access_logs.s3.bucket\",\"value\":\"aws-logs-397751057748-cn-northwest-1\"},{\"key\":\"access_logs.s3.prefix\",\"value\":\"alb/eks-passport-prod\"},{\"key\":\"idle_timeout.timeout_seconds\",\"value\":\"80\"},{\"key\":\"access_logs.s3.enabled\",\"value\":\"true\"}],\"tags\":{\"CreateTime\":\"20201028\",\"EnvType\":\"prod\",\"ImportantLevel\":\"very-important\",\"Monitored\":\"Yes\",\"Name\":\"passprot-prod\",\"Owner\":\"peng.xu\",\"Task\":\"DEVOPS-105\",\"Team\":\"platform\"}}}},\"AWS::ElasticLoadBalancingV2::TargetGroup\":{\"platform-prod/passport-w-platform-passport:http\":{\"spec\":{\"name\":\"k8s-platform-wplatfor-86d71aa708\",\"targetType\":\"ip\",\"port\":80,\"protocol\":\"HTTP\",\"healthCheckConfig\":{\"port\":80,\"protocol\":\"HTTP\",\"path\":\"/manage/health\",\"matcher\":{\"httpCode\":\"200\"},\"intervalSeconds\":15,\"timeoutSeconds\":5,\"healthyThresholdCount\":2,\"unhealthyThresholdCount\":2},\"tags\":{\"CreateTime\":\"20201028\",\"EnvType\":\"prod\",\"ImportantLevel\":\"very-important\",\"Monitored\":\"Yes\",\"N
ame\":\"passprot-prod\",\"Owner\":\"peng.xu\",\"Task\":\"DEVOPS-105\",\"Team\":\"platform\"}}}},\"K8S::ElasticLoadBalancingV2::TargetGroupBinding\":{\"platform-prod/passport-w-platform-passport:http\":{\"spec\":{\"template\":{\"metadata\":{\"name\":\"k8s-platform-wplatfor-86d71aa708\",\"namespace\":\"platform-prod\",\"creationTimestamp\":null},\"spec\":{\"targetGroupARN\":{\"$ref\":\"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/platform-prod/passport-w-platform-passport:http/status/targetGroupARN\"},\"targetType\":\"ip\",\"serviceRef\":{\"name\":\"w-platform-passport\",\"port\":\"http\"},\"networking\":{\"ingress\":[{\"from\":[{\"securityGroup\":{\"groupID\":{\"$ref\":\"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID\"}}}],\"ports\":[{\"protocol\":\"TCP\"}]}]}}}}}}}}"} `

DevOpserzhao commented 3 years ago

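In v2.0, turn off the controller's Shield, WAF and WAFv2 integrations so that it no longer calls those services; add the following parameters to the controller container's args in the Deployment spec: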

--enable-shield=false --enable-waf=false --enable-wafv2=false

icyxp commented 3 years ago

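Yes, adding these parameters works. The reason is that AWS in China does not have WAF, so the controller's requests to that service are rejected with SubscriptionRequiredException. Note that with these flags set to false the controller does not manage WAF or Shield for the load balancers it creates, so an internet-facing ALB has to be protected by other means.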