kubernetes-sigs / aws-load-balancer-controller

A Kubernetes controller for Elastic Load Balancers
https://kubernetes-sigs.github.io/aws-load-balancer-controller/
Apache License 2.0

ALB controller fails to create Load Balancer (and won't tell me why) #3242

Closed Poundex closed 1 year ago

Poundex commented 1 year ago

Describe the bug

I am trying to use the ALB controller to create ALBs based on Ingress objects. The controller fails, but the only log message is "Failed deploy model due to InternalFailure: status code: 500". There is also a request ID but I don't seem to be able to do anything with this. I tried downgrading the image to v1 so I could use --aws-api-debug to see the body from the 500 so I could see what was going on, but v1 doesn't support the new Ingress API version. The controller, however, does create a Target Group, although it does not have any targets in it. How can I find out what the error is, please?

alb.log ingress.yaml.txt

oliviassss commented 1 year ago

Hi @Poundex, the logs show a permission error on your assumed role:

{"level":"error","ts":"2023-06-12T18:35:47Z","logger":"controllers.ingress","msg":"unable to determine AWS Shield subscription state, skipping AWS shield reconciliation","error":"AccessDeniedException: User: arn:aws:sts::5xxxxxxxxxxx:assumed-role/dev-node-policy/i-04da14584d5839411 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::5xxxxxxxxxxx:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action"}

Would you be able to share what IAM permissions you created? Can you please try to fix it first and see if the controller can create the ALB successfully? I think you can either add the missing permission to your role, or disable Shield for the ALB with the command line flag --enable-shield=false. Please let us know if it helps.
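Added example (not part of the original thread or the controller's code): a Python triage script for the controller's JSON logs that extracts AWS authorization denials like the one quoted above and flags when the denied principal's session name is an EC2 instance ID, meaning the call was made with the node's instance role. The log lines, account ID 111122223333 and role names are constructed, and the instance-ID check is a heuristic.

```python
import json
import re

# Wording of the AWS authorization failure as it appears in the "error" field.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)
# Heuristic: instance-profile credentials use the instance ID as session name.
INSTANCE_SESSION = re.compile(r"i-[0-9a-f]+")

def find_denials(lines):
    """Return one record per distinct (principal, action, resource) denial."""
    seen, records = set(), []
    for raw in lines:
        try:
            entry = json.loads(raw)
        except json.JSONDecodeError:
            continue  # non-JSON line (klog output, banners), nothing to parse
        if not isinstance(entry, dict):
            continue
        m = DENIED.search(str(entry.get("error", "")))
        if not m:
            continue
        key = (m["principal"], m["action"], m["resource"])
        if key in seen:
            continue  # the controller retries, so the same denial repeats
        seen.add(key)
        session = m["principal"].rsplit("/", 1)[-1]
        records.append({
            "principal": m["principal"], "action": m["action"],
            "resource": m["resource"], "logger": entry.get("logger", ""),
            "node_role": bool(INSTANCE_SESSION.fullmatch(session)),
        })
    return records

# Constructed sample input, modelled on the log line quoted in the thread.
SAMPLE_LOG = [
    '{"level":"info","ts":"2023-06-12T18:35:40Z","msg":"constructed startup line"}',
    'constructed non-JSON line',
    '{"level":"error","ts":"2023-06-12T18:35:47Z","logger":"controllers.ingress","msg":"constructed","error":"AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/dev-node-policy/i-04da14584d5839411 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::111122223333:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action"}',
    '{"level":"error","ts":"2023-06-12T18:36:47Z","logger":"controllers.ingress","msg":"constructed","error":"AccessDeniedException: User: arn:aws:sts::111122223333:assumed-role/dev-node-policy/i-04da14584d5839411 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::111122223333:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action"}',
    '{"level":"error","ts":"2023-06-12T18:37:00Z","logger":"constructed","msg":"constructed","error":"AccessDenied: User: arn:aws:sts::111122223333:assumed-role/example-controller-role/example-session is not authorized to perform: elasticloadbalancing:CreateLoadBalancer on resource: arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/*"}',
]

if __name__ == "__main__":
    for r in find_denials(SAMPLE_LOG):
        role = "node instance role" if r["node_role"] else "other role session"
        print(f'{r["action"]} denied for {r["principal"]} ({role})')
```

A `node_role` hit means the request was signed with the worker node's credentials, so any permission you add lands on every pod that can reach the instance metadata service on that node.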

oliviassss commented 1 year ago

@Poundex, I'm going to close the issue for now. Please feel free to reach out or reopen it if you have any questions, thanks.