OIDC Provider ARN not accepted as Federated Principal for iam-role-for-service-accounts-eks #202
Comments
do you have a full configuration reproduction? what EKS module version are you using and is the OIDC provider enabled on the cluster? |
AFAICT yes, the OIDC Provider is enabled on the cluster. The EKS module sets The cluster returns an OIDC Issuer URL: aws eks describe-cluster --name tutorialCluster --query "cluster.identity.oidc.issuer"
"https://oidc.eks.us-east-1.amazonaws.com/id/<ID>"
As I've looked into this, I think this could be an issue with the EKS module, as the Outputs:
consul_cert_data = <sensitive>
eks_cluster_host = "https://<ID>.gr7.us-east-1.eks.amazonaws.com"
eks_data = <sensitive>
provider_arn = ""
vault_data = <sensitive>
# module.iam_eks_role.aws_iam_role.this[0] will be created
+ resource "aws_iam_role" "this" {
. . .
+ Statement = [
+ {
+ Action = "sts:AssumeRoleWithWebIdentity"
+ Condition = {
+ StringEquals = {
+ :sub = "system:serviceaccount:default"
}
}
+ Effect = "Allow"
+ Principal = {
+ Federated = ""
}
}
. . . |
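A pre-apply check for the symptom in the plan output above, added here as an example and not part of the issue thread or the module: it parses a rendered assume-role policy and flags an empty Federated principal, a condition key whose issuer host is missing or does not match the provider ARN, and a sub value that lacks the namespace:name pair. The sample policies, account ID and cluster ID are constructed placeholders.

```python
import json
import re

# Constructed sample mirroring the plan output above: empty Federated principal and a
# condition key that lost its issuer host ("<host>:sub" became ":sub").
BROKEN_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRoleWithWebIdentity", "Effect": "Allow",
    "Principal": {"Federated": ""},
    "Condition": {"StringEquals": {":sub": "system:serviceaccount:default"}},
}]})

# Constructed well-formed counterpart (account ID and cluster ID are placeholders).
HOST = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLECLUSTERID"
GOOD_TRUST_POLICY = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Action": "sts:AssumeRoleWithWebIdentity", "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::111122223333:oidc-provider/{HOST}"},
    "Condition": {"StringEquals": {f"{HOST}:sub": "system:serviceaccount:default:tutorial"}},
}]})

OIDC_PROVIDER_ARN = re.compile(r"^arn:aws[\w-]*:iam::\d{12}:oidc-provider/(?P<host>\S+)$")
SA_SUBJECT = re.compile(r"^system:serviceaccount:[a-z0-9.-]+:[a-z0-9.-]+$")


def check_irsa_trust_policy(policy_json: str) -> list:
    """Return findings for each AssumeRoleWithWebIdentity statement; [] means well-formed."""
    findings = []
    for i, stmt in enumerate(json.loads(policy_json).get("Statement", [])):
        if stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        principal = stmt.get("Principal") or {}
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        match = OIDC_PROVIDER_ARN.match(federated) if isinstance(federated, str) else None
        if not match:
            findings.append(f"stmt {i}: Federated principal is not an OIDC provider ARN: {federated!r}")
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        sub_keys = [k for k in conds if k.endswith(":sub")]
        if not sub_keys:
            findings.append(f"stmt {i}: no <issuer>:sub condition, so any identity from the provider could assume the role")
        for key in sub_keys:
            issuer = key[: -len(":sub")]
            if not issuer or (match and issuer != match.group("host")):
                findings.append(f"stmt {i}: condition key issuer {issuer!r} does not match provider host")
            values = conds[key] if isinstance(conds[key], list) else [conds[key]]
            for value in values:
                if not SA_SUBJECT.match(value):
                    findings.append(f"stmt {i}: sub value {value!r} is not system:serviceaccount:<namespace>:<name>")
    return findings
```

Run it against the JSON that `terraform show -json` renders for the role's assume_role_policy before applying, so an empty provider ARN fails the pipeline instead of AWS.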
it is hard to tell where your issue lies without seeing a reproduction of your configuration (EKS and IAM). I can tell you that these examples work however https://github.com/terraform-aws-modules/terraform-aws-iam/blob/master/examples/iam-role-for-service-accounts-eks/main.tf |
Apologies, since it seems like the EKS module was returning the empty string, wasn't sure if you still needed the configuration information 😄 But here's how I have configured both modules (Including the version for EKS as you requested) EKS
And iam-role-for-service-accounts-eks: module "iam_eks_role" {
source = "registry.terraform.io/terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"
role_name = lower(var.cluster_info.name)
oidc_providers = {
one = {
provider_arn = module.eks.oidc_provider_arn
namespace_service_accounts = [ "default:tutorial" ] # this originally was set to "${var.namespace}:${var.service_account}", but exchanged those values for the current string.
}
}
} I also have trace logs from terraform plan and apply. They contain sensitive data, so if there's a way I can securely send that to you, that would be great. |
perfect, so now it's clear. You are using v18.3.0 but this is why the version is pinned to at minimum v18.6.0 in the examples
|
Oh yikes! Thank you for your patience, and the quick follow-up. Changing that now 😸 |
I was wrong above - However, do try the latest version and let me know if there is any change |
I bumped up to v18.6.0 and that populated the string for the federated principal, and the targeted apply now completes. (From my output):
For some reason |
ah I see now, in v18.4.0 we opted to enable IRSA by default terraform-aws-modules/terraform-aws-eks#1849 you could stay at v18.3.0 if desired by setting If you can though, I would go all the way up to the latest v18.9.0; otherwise users who use self-managed node groups will see some warnings due to the v4 AWS provider |
Just wanted to provide a quick follow up; I bumped to 18.9.0 and was able to successfully map the IAM role to the Service Account I created in k8s. Thanks for the help! |
awesome, glad it worked out! |
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
Description
When using this module paired with the EKS Module, I am passing the OIDC Provider ARN from the EKS module output
module.eks.oidc_provider_arn
to this module. I am returning the following error from AWS:
It appears that in the dynamic statement block: terraform-aws-iam/modules/iam-role-for-service-accounts-eks/main.tf (Lines 4 to 23 in 66c80ff)
...It is unpacking the OIDC Providers map and using the OIDC provider ARN to specify a federated principal. I'm not sure how to proceed, since this ARN is generated by the EKS module. (Line 13 in the above block)
Versions
provider registry.terraform.io/hashicorp/aws v3.74.0
Reproduction
Steps to reproduce the behavior:
Code Snippet to Reproduce
Expected behavior
It should accept the OIDC Provider ARN I assume?
Actual behavior
Error message above.
Terminal Output Screenshot(s)
See above.
Additional context
None. Thanks!