
iam-role-for-service-accounts-eks module incorrect policies for load_balancer_controller #190

Closed
11qu1d opened this issue Feb 18, 2022 · 2 comments · Fixed by #191


11qu1d commented Feb 18, 2022

Description

Hi, I started using the iam-role-for-service-accounts-eks module to create a role for the aws-lb-controller deployment. Ingress deployment works fine, but when trying to modify an existing ingress, the controller throws the permission errors below:

{"level":"error","ts":1645201526.94589,"logger":"controller-runtime.manager.controller.ingress","msg":"Reconciler error","name":"example-internal","namespace":"","error":"AccessDenied: User: arn:aws:sts::xxxxxxxxxxxx:assumed-role/example/111111111111111111 is not authorized to perform: elasticloadbalancing:ModifyListener on resource: arn:aws:elasticloadbalancing:us-east-1:xxxxxxxxxxxx:listener/app/example/example because no identity-based policy allows the elasticloadbalancing:ModifyListener action\n\tstatus code: 403, request id: xxxxxx-xxxxxxx-xxxxx"}

The policies mentioned in the controller's official documentation seem to be slightly different compared to the ones deployed by the module: https://github.com/kubernetes-sigs/aws-load-balancer-controller/blob/694a0b14184e388806f9f34be0dd9075aa8fb0a7/docs/install/iam_policy.json

Versions

  • Terraform: 1.1.2
  • Provider(s):
    • aws: 3.74.2
  • Module: iam-role-for-service-accounts-eks

Reproduction

Steps to reproduce the behavior:

  1. Deploy the IAM role using the module and assign it to the service account in the cluster
  2. Deploy a new ingress resource and wait for provisioning to finish
  3. Update existing ingress resource (e.g. path)
  4. Watch aws-load-balancer-controller logs for the error

Expected behavior

Controller should update ALB rules without any errors.

Actual behavior

Controller throws a permission error (see above).

Thanks!
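As an added illustration (not part of the original issue or the module), the following check takes the denied action from an AccessDenied message like the one above and tests whether an identity policy document actually grants it, then lists which of a set of required actions a deployed policy is missing. The sample policy and the "required" list are constructed for the example and are not the module's real policy or the full upstream iam_policy.json.

```python
import fnmatch
import json
import re

# Constructed sample: a trimmed-down policy in the style of a
# load_balancer_controller IAM policy (NOT the module's real document).
DEPLOYED_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:Describe*"],
     "Resource": "*"}
  ]
}
""")

# Constructed subset of actions the upstream iam_policy.json is assumed to
# need for the ingress update path; consult the linked file for the full list.
UPSTREAM_REQUIRED = [
    "elasticloadbalancing:CreateListener",
    "elasticloadbalancing:DeleteListener",
    "elasticloadbalancing:ModifyListener",
    "elasticloadbalancing:DescribeListeners",
]

def _as_list(value):
    # IAM allows "Action"/"Statement" to be a single string or a list.
    return value if isinstance(value, list) else [value]

def action_allowed(policy, action):
    """True if some Allow statement covers `action` and no Deny statement does.
    IAM action matching is case-insensitive and supports '*' and '?' wildcards.
    Resource and Condition constraints are deliberately ignored here."""
    allowed = denied = False
    for stmt in _as_list(policy.get("Statement", [])):
        patterns = [p.lower() for p in _as_list(stmt.get("Action", []))]
        if any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            if stmt.get("Effect") == "Allow":
                allowed = True
            elif stmt.get("Effect") == "Deny":
                denied = True
    return allowed and not denied

def missing_actions(policy, required):
    """Required actions that the deployed policy does not grant."""
    return [a for a in required if not action_allowed(policy, a)]

def action_from_access_denied(log_line):
    """Extract the denied IAM action from an AccessDenied error message."""
    match = re.search(r"not authorized to perform: (\S+)", log_line)
    return match.group(1) if match else None
```

Running `missing_actions(DEPLOYED_POLICY, UPSTREAM_REQUIRED)` on the constructed sample reports only `elasticloadbalancing:ModifyListener`, matching the action named in the controller's error.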

@antonbabenko (Member)

This issue has been resolved in version 4.13.1 🎉


github-actions bot commented Nov 8, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 8, 2022