EKS doesn't create AWSServiceRoleForElasticLoadBalancing service-linked role #900
Comments
I haven't been able to reproduce this. I tried deleting the service linked role in a test account and a cluster was able to recreate it before creating a load balancer. Are you using a permissions boundary that does not grant
Hi @dpiddockcmp, I faced the same issue with the creation of a service-linked role for ELB with EKS on a newly created account, as mentioned in one of the previous issues - #183 (comment). The root cause is that AWS Managed
@max-rocket-internet @dpiddockcmp Can we add an additional policy to the managed EKS cluster's IAM role by default? What do you think about it?
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB creation on AWS with K8S Service. terraform-aws-modules#900 terraform-aws-modules#183 (comment)
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service. terraform-aws-modules#900 terraform-aws-modules#183 (comment)
I'm still not convinced that the call to DescribeAccountAttributes is the source of your issue. In a test account I removed the service role: And then asked EKS to create a classic ELB: Waited 15 minutes 🙄 and then looked at the full API hits in CloudTrail:
There are multiple failed calls to The kube-controller-manager log shows a similar timeline:
@dpiddockcmp Thank you very much for such deep research into this issue. Anyway, I'm going to bootstrap one more AWS account soon with the same config. I will check it again and get back to you.
Maybe it would be interesting to look through the CloudTrail logs and see what's failing.
Hi @dpiddockcmp, the EKS cluster can't create an ELB service-linked IAM role on a new AWS account.
After that, I added an inline IAM policy with the The result was the same (
And only when the mentioned permissions were attached to the IAM role was the EKS cluster able to create a service-linked IAM role and a load balancer for the Kubernetes service. CloudTrail events:
Could you please take a look at the PR #902? Also, I can say, based on the previous issues and the actual comments on the PR, that this case is not specific to me.
I hit this on two new clusters today. Confirmed adding the permissions manually fixed my issue.
…ster (#902) AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service. #900 #183 (comment)
Fixed in #902
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.
I have issues

EKS cluster can't create AWSServiceRoleForElasticLoadBalancing on a new AWS account because the ec2:DescribeAccountAttributes action isn't included in the AmazonEKSClusterPolicy IAM policy that is attached to the IAM role for the EKS cluster.

I'm submitting a...
What is the current behavior?
It happens the first time a K8S service of type LoadBalancer is created. I've tested it on 2 AWS accounts.
Kubernetes events:
What's the expected behavior?
The best way would be to have the action added to the AWS managed policy for EKS.
But it would be nice to add a custom IAM policy that includes the ec2:DescribeAccountAttributes action to the EKS cluster IAM role, to fix this issue until the AWS policy is updated.

Are you able to fix this problem and submit a PR? Link here if you have already.
Environment details
Any other relevant info
One of the previous PRs regarding the service-linked role for ELB - #160
AWS docs - link
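The following is an added example, not code from the issue author or from the terraform-aws-eks module. It shows how to check offline whether a cluster role's policy set grants the action this issue is about, using a small IAM action evaluator (wildcard matching, explicit Deny wins) run over policy documents. The "stand-in" cluster policy below is constructed for the example and is NOT the real AmazonEKSClusterPolicy document: it deliberately lists a few ec2:Describe actions individually and omits ec2:DescribeAccountAttributes, which is what the issue describes. The inline fix policy is the supplementary policy the issue proposes. The required-actions list assumes that the service-linked role creation itself goes through iam:CreateServiceLinkedRole; the evaluator ignores Resource and Condition, permissions boundaries and SCPs.

```python
"""Offline check: does the EKS cluster role's policy set allow the actions needed
to create the ELB service-linked role on a fresh account? (Added example.)"""
import fnmatch
import json

# Actions to check. ec2:DescribeAccountAttributes is the one the issue reports as
# missing from the managed policy; iam:CreateServiceLinkedRole is assumed here to be
# the call that actually creates the service-linked role.
REQUIRED_ACTIONS = [
    "ec2:DescribeAccountAttributes",
    "iam:CreateServiceLinkedRole",
]

# Constructed stand-in for the managed cluster policy (NOT the real AmazonEKSClusterPolicy).
# It grants several ec2:Describe* actions individually but not ec2:DescribeAccountAttributes.
CLUSTER_POLICY_STANDIN = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeInstances",
                "ec2:DescribeSubnets",
                "ec2:DescribeVpcs",
                "elasticloadbalancing:*",
            ],
            "Resource": "*",
        },
        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {"StringLike": {"iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"}},
        },
    ],
}

# The supplementary inline policy proposed in the issue for the cluster IAM role.
ELB_SLR_FIX_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "ec2:DescribeAccountAttributes", "Resource": "*"}
    ],
}


def _matches(pattern: str, action: str) -> bool:
    # IAM action names are matched case-insensitively; '*' and '?' are wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(action: str, policies) -> bool:
    """Evaluate identity-based policy documents for one action.

    Only Effect/Action are considered (Resource, Condition, NotAction, permissions
    boundaries and SCPs are ignored). An explicit Deny wins over any Allow, as in IAM.
    """
    allowed = False
    for doc in policies:
        statements = doc["Statement"]
        if isinstance(statements, dict):          # a single statement may be un-listed
            statements = [statements]
        for st in statements:
            actions = st.get("Action", [])
            if isinstance(actions, str):
                actions = [actions]
            if not any(_matches(p, action) for p in actions):
                continue
            if st["Effect"] == "Deny":
                return False
            allowed = True
    return allowed


def missing_actions(policies, required=REQUIRED_ACTIONS):
    """Return the required actions that no document in `policies` allows."""
    return [a for a in required if not action_allowed(a, policies)]


def fix_policy_json() -> str:
    """Serialized inline policy, usable as the `policy` argument of aws_iam_role_policy
    or with `aws iam put-role-policy --policy-document`."""
    return json.dumps(ELB_SLR_FIX_POLICY, indent=2)


if __name__ == "__main__":
    print("missing before fix:", missing_actions([CLUSTER_POLICY_STANDIN]))
    print("missing after fix: ", missing_actions([CLUSTER_POLICY_STANDIN, ELB_SLR_FIX_POLICY]))
    print(fix_policy_json())
```

To run this against a real cluster role, replace the stand-in with the documents returned by aws iam get-policy-version (managed policies) and aws iam get-role-policy (inline policies). Note that a passing result here is necessary but not sufficient: as raised earlier in the thread, a permissions boundary on the role, or an SCP on the account, can still deny the call, and this check does not model either.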