eks: ALB Controller fails to create due to lack of AddTag permissions #26442
Comments
According to this: aws-cdk/packages/aws-cdk-lib/aws-eks/lib/alb-controller.ts Lines 262 to 267 in 3e47d1b
The required permissions are defined in But this should have satisfied the required permissions? aws-cdk/packages/aws-cdk-lib/aws-eks/lib/addons/alb-iam_policy-v2.4.1.json Lines 150 to 158 in 3e47d1b
Exactly. That's what I don't understand. The only difference is when the Condition is left out, it deploys fine. Even weirder that it fails silently - CloudFormation doesn't raise anything. Idk. Maybe I'm crazy, but this same configuration and code worked last week. Maybe an issue with the custom resource? Cython came out with a release during this time that's broken things - namely PyYAML - and noticed that it's been cited in several downstream issues with AWS resources. Of course that might not apply here since that's mostly JS. Don't want to lead you down a long path. I've got a fix that works, so not too high of a priority on my end. If you notice there are some more issues coming in about it or whenever you launch a new cluster w/ALB.
This issue appears to be fixed with ALB controller v2.4.7
Describe the bug
Trying to launch an EKS cluster (v1.23) with an ALB controller (v2.4.1). The cluster launches successfully, but the ALB does not. A cluster with nearly the exact same configuration was launched less than a week ago (7/14/23) successfully in another account with an ALB. No error is being returned by the resource that creates the ALB. It just doesn’t get created.
Looking at the CloudTrail logs, I noticed that the role for the ALB controller gets an AccessDenied when running a CreateLoadBalancer with “not authorized to perform: elasticloadbalancing:AddTags”. Somewhat odd, since that permission is on the role.
Expected Behavior
EKS launches with ALB Controller
Current Behavior
EKS launches successfully but ALB does not and no accompanying CloudFormation error.
CloudTrail error:
Reproduction Steps
Possible Solution
deploys successfully when the permission is added via the node:
Additional Information/Context
This problem seems to have occurred between 7/14/23 (last successful EKS launch w/ALB) and 7/18/23 (first failed EKS launch w/ALB).
CDK CLI Version
2.78
Framework Version
No response
Node.js Version
16.15.1
OS
Mac 13.4.1 (Ventura)
Language
Python
Language Version
3.9.6
Other information
No response
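The CloudTrail check described in the bug report above, as an added example that is not part of the original issue or the aws-cdk project: it scans CloudTrail records for AccessDenied events where the denied IAM action differs from the API that was called, which is the pattern reported here (CreateLoadBalancer denied for elasticloadbalancing:AddTags). The records, account ID and role name are constructed placeholders.

```python
import json
import re
from collections import Counter

# Constructed CloudTrail records; account ID, role name and resource ARNs are placeholders.
SAMPLE_RECORDS = json.loads("""[
 {"eventTime": "2023-07-18T15:02:11Z", "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "CreateLoadBalancer", "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/example-alb-role/s1 is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/example/*",
  "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/example-alb-role"}}}},
 {"eventTime": "2023-07-18T15:02:12Z", "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "DescribeLoadBalancers",
  "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/example-alb-role"}}}},
 {"eventTime": "2023-07-18T15:02:13Z", "eventSource": "elasticloadbalancing.amazonaws.com",
  "eventName": "DeleteLoadBalancer", "errorCode": "AccessDenied",
  "errorMessage": "User: arn:aws:sts::111122223333:assumed-role/example-alb-role/s1 is not authorized to perform: elasticloadbalancing:DeleteLoadBalancer on resource: arn:aws:elasticloadbalancing:us-east-1:111122223333:loadbalancer/app/other/0123456789abcdef",
  "userIdentity": {"sessionContext": {"sessionIssuer": {"arn": "arn:aws:iam::111122223333:role/example-alb-role"}}}}
]""")

DENIED_ACTION = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9]+)")

def role_arn(record):
    """Return the IAM role behind an assumed-role session, falling back to the caller ARN."""
    identity = record.get("userIdentity") or {}
    issuer = (identity.get("sessionContext") or {}).get("sessionIssuer") or {}
    return issuer.get("arn") or identity.get("arn", "unknown")

def indirect_denials(records):
    """Return AccessDenied events whose denied IAM action differs from the API that was called."""
    findings = []
    for rec in records:
        if not str(rec.get("errorCode", "")).startswith("AccessDenied"):
            continue
        match = DENIED_ACTION.search(rec.get("errorMessage") or "")
        if not match:
            continue
        # Assumption: the eventSource host prefix equals the IAM service prefix (true for ELB).
        called = f'{rec["eventSource"].split(".")[0]}:{rec["eventName"]}'
        if match.group(1).lower() != called.lower():
            findings.append({"time": rec["eventTime"], "role": role_arn(rec),
                             "called": called, "denied": match.group(1)})
    return findings

def summarize(findings):
    """Count findings per (role, called API, denied action)."""
    return Counter((f["role"], f["called"], f["denied"]) for f in findings)

if __name__ == "__main__":
    for (role, called, denied), count in summarize(indirect_denials(SAMPLE_RECORDS)).items():
        print(f"{count}x {role}: {called} denied for missing {denied}")
```

A finding of this kind points at the policy statement (and any Condition on it) for the denied action rather than at the statement for the API that was called.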