kubernetes-sigs / cluster-api-provider-aws

Kubernetes Cluster API Provider AWS provides consistent deployment and day 2 operations of "self-managed" and EKS Kubernetes clusters on AWS.
http://cluster-api-aws.sigs.k8s.io/
Apache License 2.0

Permission error with default cloudformation: missing elasticloadbalancing:SetSecurityGroups IAM role #5053

Open eromanova opened 1 month ago

eromanova commented 1 month ago

/kind bug

What steps did you take and what happened: I've followed https://cluster-api-aws.sigs.k8s.io/getting-started to initialize Cluster API provider AWS on a management cluster:

  1. Set up admin AWS credentials to create IAM cloud formation stack (exported admin AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
  2. Created IAM cloudformation stack with clusterawsadm bootstrap iam create-cloudformation-stack.
  3. Attached created policies to my AWS user (not an admin)
  4. Set up user's credentials (exported user's AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY)
  5. Run export AWS_B64ENCODED_CREDENTIALS=$(clusterawsadm bootstrap credentials encode-as-profile) and initialize the management cluster with AWS provider by running clusterctl init --infrastructure aws
  6. Create a workload cluster with spec.controlPlaneLoadBalancer.loadBalancerType: nlb
  7. Permission error occurs in cluster-api-provider-aws:
    E0715 12:45:14.646085       1 controller.go:329] "Reconciler error" err=<
    failed to apply security groups to load balancer "hmc-system-ekaz-dev-apiserver": AccessDenied: User: arn:aws:iam::643893117298:user/ekaz-hmc is not authorized to perform: elasticloadbalancing:SetSecurityGroups on resource: arn:aws:elasticloadbalancing:us-east-2:643893117298:loadbalancer/net/hmc-system-ekaz-dev-apiserver/d5c794c5369f3d20 because no identity-based policy allows the elasticloadbalancing:SetSecurityGroups action
        status code: 403, request id: ba4a2814-495f-4476-8170-326ff3dfd72c
    > controller="awscluster" controllerGroup="infrastructure.cluster.x-k8s.io" controllerKind="AWSCluster" AWSCluster="hmc-system/ekaz-dev" namespace="hmc-system" name="ekaz-dev" reconcileID="1433ad0b-a075-42b6-9781-a413bd7526c7"

What did you expect to happen: Workload cluster to deploy successfully

Anything else you would like to add: AWSCluster spec:

apiVersion: infrastructure.cluster.x-k8s.io/v1beta2
kind: AWSCluster
metadata:
  name: ekaz
spec:
  region: us-east-2
  controlPlaneLoadBalancer:
    healthCheckProtocol: TCP
    loadBalancerType: nlb

Should we add the elasticloadbalancing:SetSecurityGroups role to the default cloudformation templates, or did I misconfigure something? Or is this probably expected behavior: when I'm using a non-default load balancer configuration, I should apply a custom IAM configuration as well (via AWSIAMConfiguration)? Thanks in advance.

Environment:
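As an added example (not code from this issue or from the CAPA project), a small check an operator could run against the policy attached in step 3 above: it pulls the denied action and resource out of the logged AccessDenied message and evaluates them against the policy document with IAM-style wildcard matching, so a missing elasticloadbalancing:SetSecurityGroups grant shows up before the controller hits it. The policy document is a constructed stand-in, not the real clusterawsadm template, and the evaluator ignores NotAction, NotResource and Condition blocks.

```python
import fnmatch
import json
import re
# Constructed sample policy in the shape of the controller policies the clusterawsadm
# CloudFormation stack creates (hypothetical, NOT the real template): it grants some
# ELB actions but not elasticloadbalancing:SetSecurityGroups, as in this report.
SAMPLE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Resource": "*", "Action": [
       "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:Describe*",
       "elasticloadbalancing:ModifyLoadBalancerAttributes"]},
    {"Effect": "Allow", "Resource": "*", "Action": "ec2:*"},
    {"Effect": "Deny",  "Resource": "*", "Action": "ec2:DeleteVpc"}
  ]}""")
REPORTED_ERROR = (  # the AccessDenied text quoted in this issue's controller log
    "AccessDenied: User: arn:aws:iam::643893117298:user/ekaz-hmc is not authorized to "
    "perform: elasticloadbalancing:SetSecurityGroups on resource: arn:aws:elasticloadbalancing:"
    "us-east-2:643893117298:loadbalancer/net/hmc-system-ekaz-dev-apiserver/d5c794c5369f3d20 "
    "because no identity-based policy allows the elasticloadbalancing:SetSecurityGroups action")
DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")

def parse_access_denied(message):
    """Return the (action, resource ARN) pair named in an AWS AccessDenied message, or None."""
    m = DENIED_RE.search(message)
    return (m.group(1), m.group(2)) if m else None

def _matches(patterns, value, fold_case):
    # IAM patterns use '*' and '?' wildcards; action names compare case-insensitively.
    patterns = [patterns] if isinstance(patterns, str) else patterns
    if fold_case:
        patterns, value = [p.lower() for p in patterns], value.lower()
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def is_allowed(policy, action, resource="*"):
    """Evaluate one action (an explicit Deny beats any Allow); NotAction/NotResource/Condition ignored."""
    allowed = False
    for st in policy["Statement"]:
        if not (_matches(st.get("Action", []), action, True)
                and _matches(st.get("Resource", []), resource, False)):
            continue
        if st["Effect"] == "Deny":
            return False
        allowed = True
    return allowed

def missing_actions(policy, required):
    """Actions the policy does not grant, e.g. the one pulled from a logged AccessDenied."""
    return [a for a in required if not is_allowed(policy, a)]
```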

k8s-ci-robot commented 1 month ago

This issue is currently awaiting triage.

If CAPA/CAPI contributors determine this is a relevant issue, they will accept it by applying the triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Instructions for interacting with me using PR comments are available [here](https://git.k8s.io/community/contributors/guide/pull-requests.md). If you have questions or suggestions related to my behavior, please file an issue against the [kubernetes-sigs/prow](https://github.com/kubernetes-sigs/prow/issues/new?title=Prow%20issue:) repository.