Karpenter role doesn't work in China #3155

Closed
raonitimo opened this issue Sep 16, 2024 · 3 comments · Fixed by #3157

Comments

@raonitimo

Description

You'll get an error like:

UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws-cn:sts::xxxxxxx:assumed-role/xxxxx/1726154725231823938 is not authorized to perform: iam:PassRole on resource: arn:aws-cn:iam::xxxxxxx:role/yyyyy because no identity-based policy allows the iam:PassRole action.

This PassedToService restriction is causing this.

Some AWS services in aws-cn partition use a com.cn suffix, but that's unfortunately not very consistent.

  • [ X ] ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: v20.24.0

  • Terraform version: v1.9.5

  • Provider version(s): 5.67.0

Reproduction Code [Required]

Steps to reproduce the behavior:

Create an EKS cluster with Karpenter in cn-north-1 region. Inspect Karpenter logs.

Expected behavior

Karpenter would launch EC2 instances to provide capacity.

Actual behavior

Karpenter encounters an AWS permission error.

Additional context

Happy to raise a pull request. At the moment, the solution I'm using is adding both domains:

  statement {
    sid       = "AllowPassingInstanceRole"
    resources = var.create_node_iam_role ? [aws_iam_role.node[0].arn] : [var.node_iam_role_arn]
    actions   = ["iam:PassRole"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"]
    }
  }

I'm not sure if a conditional like:

aws_domain_suffix = local.partition == "aws-cn" ? "amazonaws.com.cn" : "amazonaws.com"

Then using it would work and be preferred. It might be needed in other places too?

  statement {
    sid       = "AllowPassingInstanceRole"
    resources = var.create_node_iam_role ? [aws_iam_role.node[0].arn] : [var.node_iam_role_arn]
    actions   = ["iam:PassRole"]

    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["ec2.${local.aws_domain_suffix}"]
    }
  }
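The failure described above comes down to a StringEquals condition whose only value, ec2.amazonaws.com, never matches the iam:PassedToService key that EC2 presents in the aws-cn partition. As an added example, not code from this issue or from the module it concerns, the Python below builds the AllowPassingInstanceRole statement as an IAM JSON policy statement and evaluates its condition against the EC2 service principal of the partition the node role's ARN belongs to, so the single-domain and two-domain variants can be compared offline. The EC2_SERVICE_PRINCIPAL map, the function names, and the account ID and role name are assumptions or constructed placeholders.

```python
"""Added example (not from the issue or the module it discusses): build the
AllowPassingInstanceRole statement as an IAM JSON policy statement and check
its iam:PassedToService condition against the EC2 service principal of the
partition a node role ARN lives in. Account IDs and role names below are
constructed placeholders."""
import json

# EC2 service principal per partition (assumed map). Only aws-cn uses the
# .com.cn suffix; the issue notes that not every service in aws-cn does.
EC2_SERVICE_PRINCIPAL = {
    "aws": "ec2.amazonaws.com",
    "aws-us-gov": "ec2.amazonaws.com",
    "aws-cn": "ec2.amazonaws.com.cn",
}


def partition_from_arn(arn: str) -> str:
    """Return the partition field of an ARN ('aws-cn' for arn:aws-cn:iam::...)."""
    parts = arn.split(":", 5)
    if len(parts) != 6 or parts[0] != "arn" or not parts[1]:
        raise ValueError(f"not an ARN: {arn!r}")
    return parts[1]


def passrole_statement(role_arn: str, partition_aware: bool = True) -> dict:
    """Build the PassRole statement. partition_aware=False reproduces the
    single-domain condition that fails in aws-cn; True lists both domains,
    as the workaround in the issue and the Karpenter docs do."""
    values = (sorted(set(EC2_SERVICE_PRINCIPAL.values()))
              if partition_aware else ["ec2.amazonaws.com"])
    return {
        "Sid": "AllowPassingInstanceRole",
        "Effect": "Allow",
        "Action": "iam:PassRole",
        "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": values}},
    }


def _as_list(value):
    return value if isinstance(value, list) else [value]


def passrole_allowed(statement: dict, role_arn: str, passed_to_service: str) -> bool:
    """Evaluate one Allow statement for an iam:PassRole request. Mirrors how
    IAM treats a StringEquals condition with several values: the request's
    iam:PassedToService must equal any one of them. Resources are matched
    exactly (this toy evaluator has no wildcard support)."""
    if statement.get("Effect") != "Allow":
        return False
    if "iam:PassRole" not in _as_list(statement.get("Action", [])):
        return False
    if role_arn not in _as_list(statement.get("Resource", [])):
        return False
    cond = statement.get("Condition", {}).get("StringEquals", {})
    if "iam:PassedToService" not in cond:
        return True  # unconditioned PassRole: any service accepted
    return passed_to_service in _as_list(cond["iam:PassedToService"])


def statement_covers_role_partition(statement: dict, role_arn: str) -> bool:
    """True if the statement lets the role be passed to EC2 in the role's own partition."""
    expected = EC2_SERVICE_PRINCIPAL[partition_from_arn(role_arn)]
    return passrole_allowed(statement, role_arn, expected)


if __name__ == "__main__":
    cn_role = "arn:aws-cn:iam::123456789012:role/example-node-role"  # constructed
    for aware in (False, True):
        stmt = passrole_statement(cn_role, partition_aware=aware)
        print(json.dumps(stmt["Condition"]), "->",
              statement_covers_role_partition(stmt, cn_role))
```

Running the block prints the single-domain condition evaluating to False for the aws-cn role and the two-domain condition evaluating to True. Against a real account the same comparison can be confirmed with `aws iam simulate-principal-policy`, supplying iam:PassedToService as a context entry; the offline evaluator here only models the StringEquals multi-value semantics relevant to this issue.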
@atishaninov-xometry

The official Karpenter documentation also suggests just using a condition with two domains regardless of the AWS partition where the cluster is deployed:
https://karpenter.sh/docs/reference/cloudformation/#allowpassinginstancerole

@antonbabenko
Member

This issue has been resolved in version 20.24.1 🎉


I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Oct 17, 2024