terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

EKS doesn't create AWSServiceRoleForElasticLoadBalancing service-linked role #900

Closed ivan-sukhomlyn closed 4 years ago

ivan-sukhomlyn commented 4 years ago

I have issues

The EKS cluster can't create AWSServiceRoleForElasticLoadBalancing in a new AWS account because the ec2:DescribeAccountAttributes action isn't included in the AmazonEKSClusterPolicy IAM policy that is attached to the IAM role for the EKS cluster.

I'm submitting a...

What is the current behavior?

It happens when a K8S service of type LoadBalancer is created for the first time. I've tested it in 2 AWS accounts.

Kubernetes events:

Error syncing load balancer: failed to ensure load balancer: error creating load balancer: 
AccessDenied: User: arn:aws:sts::{{ some_AWS_account }}:assumed-role/{{ EKS_cluster_name }}20200526154556166200000001/1590515610048765945 
is not authorized to perform: ec2:DescribeAccountAttributes\n\tstatus code: 403, request id: ce38bbbf-f805-41c0-847f-8185f3436894"

What's the expected behavior?

The best way is to have the action added to the AWS managed policy for EKS.

But it would be nice to add a custom IAM policy to the EKS cluster IAM role that includes the ec2:DescribeAccountAttributes action, to fix this issue before the AWS policy is updated.

Are you able to fix this problem and submit a PR? Link here if you have already.

Environment details

Any other relevant info

One of the previous PRs regarding the service-linked role for ELB - https://github.com/terraform-aws-modules/terraform-aws-eks/pull/160 AWS docs - link

dpiddockcmp commented 4 years ago

I haven't been able to reproduce this. I tried deleting the service linked role in a test account and a cluster was able to recreate it before creating a load balancer.

Are you using a permissions boundary that does not grant iam:CreateServiceLinkedRole to the eks role? AWS service linked roles docs. Or something else in your account that limits IAM permissions for the cluster role?

ivan-sukhomlyn commented 4 years ago

Hi @dpiddockcmp. Thanks for your reply. No, I'm not using a permissions boundary. I deployed a cluster with the default parameter for the cluster IAM role (manage_cluster_iam_resources=true) for the Terraform module.

I faced the same issue with the creation of a service-linked role for ELB with EKS in a newly created account as mentioned in one of the previous issues - https://github.com/terraform-aws-modules/terraform-aws-eks/issues/183#issuecomment-435229552.

The root cause is that the AWS managed AmazonEKSClusterPolicy doesn't contain the permissions required for ELB service-linked role creation, even though it allows the creation of this role:

        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        }

@max-rocket-internet @dpiddockcmp Can we add some additional policy to the managed EKS cluster's IAM role by default? What do you think about it?

dpiddockcmp commented 4 years ago

I'm still not convinced that the call to DescribeAccountAttributes is the source of your issue.

In a test account I removed the service role: aws iam delete-service-linked-role --role-name AWSServiceRoleForElasticLoadBalancing

And then asked EKS to create a classic ELB: kubectl create service loadbalancer test --tcp=80:8080

Waited 15 minutes 🙄 and then looked at the full API hits in CloudTrail:

:20:30 eks: AssumeRole eks cluster role - ok
:20:30 eks: DescribeRouteTables - ok
:20:30 eks: DescribeSubnets - ok
:20:30 eks: CreateSecurityGroup - ok
:20:30 eks: DescribeSecurityGroups - ok
:20:30 eks: DescribeInstances - ok
:20:31 eks: CreateLoadBalancer - AccessDenied
:20:31 eks: CreateServiceLinkedRole - ok
:20:31 eks: DescribeSecurityGroups - ok
:20:31 eks: AuthorizeSecurityGroupIngress - ok
:20:31 eks: DescribeAccountAttributes - Client.UnauthorizedOperation
:20:31 eks: DescribeLoadBalancers - AccessPointNotFoundException
:20:31 eks: CreateTags [sg] - ok
:20:36 eks: DescribeRouteTables - ok
:20:36 eks: DescribeSubnets - ok
:20:36 eks: DescribeSecurityGroups - ok
:20:37 eks: DescribeSecurityGroups - ok
:20:37 eks: DescribeAccountAttributes - Client.UnauthorizedOperation
:20:37 eks: DescribeLoadBalancers - AccessPointNotFoundException
:20:37 eks: CreateLoadBalancer - AccessDenied
:20:37 eks: CreateServiceLinkedRole - InvalidInputException
:20:47 ELB: AssumeRole AWSServiceRoleForElasticLoadBalancing - ok
:30:47 ELB: DescribeAccountAttributes - ok
:20:47 eks: DescribeSecurityGroups - ok
:20:47 eks: DescribeSubnets - ok
:20:47 eks: DescribeRouteTables: ok
:20:47 eks: DescribeLoadBalancers: AccessPointNotFoundException
:20:47 eks: DescribeSecurityGroups: ok
:20:47 eks: DescribeVpcs: ok
:20:47 eks: DescribeInternetGateways: Client.UnauthorizedOperation
:20:47 eks: DescribeSubnets: ok
:20:47 eks: DescribeAccountAttributes: Client.UnauthorizedOperation
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: DescribeLoadBalancers: ok
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: CreateLoadBalancer: ok
:20:48 ELB: DescribeInternetGateways: ok
:20:48 eks: ConfigureHealthCheck: ok
:20:48 eks: DescribeLoadBalancerAttributes: ok
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: ModifyLoadBalancerAttributes: ok
:20:54 ELB: CreateNetworkInterface: ok

There are multiple failed calls to DescribeAccountAttributes but it does not block the CreateServiceLinkedRole. The ELB service eventually gets the call to work via its service role.

The kube-controller-manager log shows a similar time line:

ivan-sukhomlyn commented 4 years ago

@dpiddockcmp Thank you very much for such deep research into this issue. I've created the EKS cluster in a new AWS account with a default EKS cluster role using the Terraform module. Unfortunately, the ELB service-linked role wasn't created within 1h after a LoadBalancer service was defined, with the errors described above. After that, I attached the EC2ReadOnly policy to the cluster role. Then the service-linked role and LB were successfully created.

Anyway, I'm going to bootstrap one more AWS account soon with the same config. I will check it again and get back to you.

dpiddockcmp commented 4 years ago

Maybe it would be interesting to look through the CloudTrail logs and see what's failing.

ivan-sukhomlyn commented 4 years ago

Hi @dpiddockcmp. I've tried once again and waited ~1h for ELB service-linked role creation. Unfortunately, the result was the same as described in the issue.

EKS cluster can't create an ELB service-linked IAM role on a new AWS account.

» kubectl get events -n kube-system
LAST SEEN   TYPE      REASON                   OBJECT                             MESSAGE
8s          Normal    EnsuringLoadBalancer     service/nginx-ingress-controller   Ensuring load balancer
55m         Warning   SyncLoadBalancerFailed   service/nginx-ingress-controller   (combined from similar events): Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::{{ new_account_id }}:assumed-role/{{ some-eks-cluster-role-}}20200609182020032300000001/1591727789516159494 is not authorized to perform: ec2:DescribeAccountAttributes\n\tstatus code: 403, request id: 0230f760-c5fd-4a8e-85e1-2ef93be4dfe7"

After that, I added an inline IAM policy with the ec2:DescribeAccountAttributes permission to the EKS cluster IAM role.

The result was the same (ec2:DescribeInternetGateways permissions are required) as mentioned here https://github.com/terraform-aws-modules/terraform-aws-eks/pull/902#discussion_r434933437

» kubectl get events

21s         Warning   SyncLoadBalancerFailed   service/nginx-ingress-controller                     Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::{{ new_account_id }}:assumed-role/{{ some-eks-cluster-role-}}20200609182020032300000001/1591727789516159494 is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c91a3082-6ce8-4d62-8a9b-e2588afd3121"

Only when the mentioned permissions were attached to the IAM role was the EKS cluster able to create a service-linked IAM role and a load balancer for the Kubernetes service.

CloudTrail events:

ivan-sukhomlyn commented 4 years ago

Could you please take a look at the PR https://github.com/terraform-aws-modules/terraform-aws-eks/pull/902? It was helpful in my case.

Also, I can say, based on the previous issues and the actual comments on the PR, that this case is not specific only to me.

geota commented 4 years ago

I hit this on two new clusters today. Confirmed adding the permissions manually fixed my issue.

dpiddockcmp commented 4 years ago

Fixed in #902
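
An added example, not part of the original thread or the module's code: the SyncLoadBalancerFailed events quoted above name the exact denied action, so the missing permissions can be collected from the messages and turned into a narrow inline policy rather than a broad managed one. The sample messages, account ID, role name, session name and Sid are constructed placeholders.

```python
import json
import re
from collections import defaultdict

# Constructed sample messages, modelled on the SyncLoadBalancerFailed events
# quoted in this thread. Account ID, role name, session name and request IDs
# are placeholders; the third message is invented to show a non-read action.
_PREFIX = (
    'Error syncing load balancer: failed to ensure load balancer: error creating '
    'load balancer: "AccessDenied: User: arn:aws:sts::111122223333:assumed-role/'
    'example-eks-cluster-role/1590000000000000000 is not authorized to perform: '
)
SAMPLE_EVENTS = [
    _PREFIX + 'ec2:DescribeAccountAttributes\\n\\tstatus code: 403, request id: example-1"',
    _PREFIX + 'ec2:DescribeInternetGateways\\n\\tstatus code: 403, request id: example-2"',
    _PREFIX + 'elasticloadbalancing:CreateLoadBalancer\\n\\tstatus code: 403, request id: example-3"',
    _PREFIX + 'ec2:DescribeAccountAttributes\\n\\tstatus code: 403, request id: example-4"',
    "Ensuring load balancer",  # normal event, carries no denial
]

# Captures the assumed role name and the denied "service:Action" pair.
DENIED_RE = re.compile(
    r"arn:aws:sts::(?P<account>\d{12}):assumed-role/(?P<role>[^/\s]+)/\S+ "
    r"is not authorized to perform: (?P<action>[a-z0-9-]+:[A-Za-z0-9*]+)"
)

READ_ONLY_PREFIXES = ("Describe", "Get", "List")


def denied_actions(messages):
    """Map each assumed role name to the sorted, de-duplicated actions it was denied."""
    denied = defaultdict(set)
    for msg in messages:
        for m in DENIED_RE.finditer(msg):
            denied[m["role"]].add(m["action"])
    return {role: sorted(actions) for role, actions in denied.items()}


def minimal_policy(actions):
    """Return (policy, held_back): a policy for the read-only actions only.

    Mutating actions are never granted automatically; they are returned in
    held_back for review. policy is None when nothing read-only was denied.
    """
    grant = [a for a in actions if a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
    held_back = [a for a in actions if a not in grant]
    if not grant:
        return None, held_back
    policy = {
        "Version": "2012-10-17",
        "Statement": [{
            "Sid": "ElbPreflightReads",  # hypothetical Sid
            "Effect": "Allow",
            "Action": grant,
            # EC2 Describe* calls do not support resource-level permissions.
            "Resource": "*",
        }],
    }
    return policy, held_back


if __name__ == "__main__":
    for role, actions in denied_actions(SAMPLE_EVENTS).items():
        policy, held_back = minimal_policy(actions)
        print(f"role: {role}")
        print(json.dumps(policy, indent=2))
        print("review before granting:", held_back)
```
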
