terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0
4.23k stars 3.97k forks

Access entry for aws console #3061

Open benbonnet opened 2 weeks ago

benbonnet commented 2 weeks ago

Description

Trying out a basic kms + karpenter setup (copy pasted from the ./examples folder), in eu-west-3 (in case it matters). Everything works fine, besides the access/visibility of resources within the control plane within the aws console.

Versions

Reproduction Code

N/A, copy pasted the eks + karpenter from example

Steps to reproduce the behavior:

Create a cluster in eu-west-3. Once finished, go to the aws console, enter the cluster, and view the "no access" messages:

Create the access entry manually for arn:aws:iam:xxx:root with AmazonEKSViewPolicy and save it: everything is then okay. Kubernetes resources appear, and so do the node groups and all; no more "no access" messages.

Expected behavior

Having everything configured for the control plane to be fully available with no extra manual steps within the aws console's eks cluster pages

Actual behavior

Having to create the access entry manually to view the resources within the aws console's cluster pages

gprieto84 commented 1 week ago

I'm having the same issue with the 20.13.1 version in eu-west-2 region. I'm not able to see the resources, and also not able to access the cluster via CLI using kubectl. In my case I just used a previous working version (19.15.4) and it did work.

By the way @bryantbiggs, where did you create the manual entry?

bryantbiggs commented 1 week ago

I don't know what you mean by a "manual entry" - the issue you are experiencing is that you haven't given your IAM identity access to the cluster

gprieto-matblas commented 1 week ago

> I don't know what you mean by a "manual entry" - the issue you are experiencing is that you haven't given your IAM identity access to the cluster

Sorry the question was for @benbonnet :) ... And I'm using the same user who created the cluster. It did work with 19.15.4, but not with 20.13.1

bryantbiggs commented 1 week ago

That's because in v19.x the cluster creator was automatically added to the cluster as admin, but that is no longer the case now that cluster access entry is available. You will need to opt in to providing your IAM entity access to the cluster.
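
The opt-in described above, expressed with the module's v20 inputs. This is an added example, not part of the thread or the module's own examples; the cluster name, Kubernetes version, account ID, role name, and VPC/subnet IDs are placeholders.

```hcl
module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = "example"                      # placeholder
  cluster_version = "1.29"                         # placeholder
  vpc_id          = "vpc-PLACEHOLDER"              # placeholder
  subnet_ids      = ["subnet-PLACEHOLDER-A", "subnet-PLACEHOLDER-B"]

  # v19.x behaviour, now opt-in: grant the IAM identity that runs
  # `terraform apply` cluster-admin through an access entry.
  # Defaults to false in v20, which is why the creator sees
  # "no access" in the console and kubectl is denied.
  # Do not also list that same identity under access_entries,
  # or the entry is defined twice.
  enable_cluster_creator_admin_permissions = true

  # Least-privilege alternative for people who only need to browse
  # the cluster in the console: a read-only access entry scoped to
  # one IAM role, rather than admin or an account-wide principal.
  access_entries = {
    console_viewers = {
      principal_arn = "arn:aws:iam::111122223333:role/eks-console-viewers" # placeholder

      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type = "cluster" # use "namespace" plus `namespaces = [...]` to narrow further
          }
        }
      }
    }
  }
}
```

With only the `access_entries` block and the creator flag left at its default, the identity running Terraform gets no Kubernetes permissions at all, which suits pipelines whose deploy role should manage the cluster's AWS resources without holding admin inside it.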

gprieto84 commented 1 week ago

Thanks @bryantbiggs !

I'm going to test it right away!!