Closed Poundex closed 1 year ago
Hi @Poundex, the logs show a permission error on your assumed role:
{"level":"error","ts":"2023-06-12T18:35:47Z","logger":"controllers.ingress","msg":"unable to determine AWS Shield subscription state, skipping AWS shield reconciliation","error":"AccessDeniedException: User: arn:aws:sts::5xxxxxxxxxxx:assumed-role/dev-node-policy/i-04da14584d5839411 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::5xxxxxxxxxxx:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action"}
Would you be able to share what IAM permissions you created? Can you please try to fix it first and see if the controller can create the ALB successfully? I think you can either add the missing permission to your role, or disable Shield for the ALB with the command-line flag --enable-shield=false. Please let us know if it helps.
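An added example (not part of the thread or the controller's code): a Python triage helper that pulls IAM denials like the one quoted above out of the controller's JSON logs and reports the role, the denied action and the resource. The first sample line is the one from the thread; the remaining sample lines, the function name and the instance-profile heuristic are assumptions made for illustration.

```python
import json
import re

# Shape of the AWS AccessDenied message in the log line quoted in the thread.
DENIED = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>\S+)"
)
ASSUMED_ROLE = re.compile(r":assumed-role/(?P<role>[^/]+)/(?P<session>\S+)$")

def missing_permissions(log_text):
    """Return one finding per distinct (principal, action) denied in JSON-lines logs."""
    findings = {}
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except ValueError:
            continue  # tolerate blank or non-JSON lines mixed into the log
        if not isinstance(entry, dict):
            continue
        denied = DENIED.search(str(entry.get("error", "")))
        if not denied:
            continue
        role = ASSUMED_ROLE.search(denied["principal"])
        session = role["session"] if role else None
        key = (denied["principal"], denied["action"])
        finding = findings.setdefault(key, {
            "role": role["role"] if role else denied["principal"],
            "action": denied["action"],
            "resource": denied["resource"],
            # Heuristic (assumption): EC2 instance-profile sessions are named after
            # the instance ID, so the pod is running with the node's role.
            "node_instance_role": bool(session and re.fullmatch(r"i-[0-9a-f]+", session)),
            "count": 0,
        })
        finding["count"] += 1  # repeated reconciles log the same denial again
    return list(findings.values())

# The log line quoted in the thread (account ID masked as on the page).
THREAD_LINE = '{"level":"error","ts":"2023-06-12T18:35:47Z","logger":"controllers.ingress","msg":"unable to determine AWS Shield subscription state, skipping AWS shield reconciliation","error":"AccessDeniedException: User: arn:aws:sts::5xxxxxxxxxxx:assumed-role/dev-node-policy/i-04da14584d5839411 is not authorized to perform: shield:GetSubscriptionState on resource: arn:aws:shield::5xxxxxxxxxxx:subscription/* because no identity-based policy allows the shield:GetSubscriptionState action"}'
SAMPLE_LOG = "\n".join([
    THREAD_LINE,
    THREAD_LINE.replace("18:35:47", "18:36:47"),  # constructed repeat of the denial
    '{"level":"info","logger":"controllers.ingress","msg":"constructed info line"}',
    "constructed non-JSON line",
])
```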
@Poundex, I'm going to close the issue for now. Please feel free to reach out or reopen if you have any questions, thanks.
Describe the bug

I am trying to use the ALB controller to create ALBs based on Ingress objects. The controller fails, but the only log message is "Failed deploy model due to InternalFailure: status code: 500". There is also a request ID but I don't seem to be able to do anything with this. I tried downgrading the image to v1 so I could use --aws-api-debug to see the body from the 500 so I could see what was going on, but v1 doesn't support the new Ingress API version. The controller, however, does create a Target Group, although it does not have any targets in it. How can I find out what the error is, please?

alb.log ingress.yaml.txt