Gowmi

Reputation: 611

EKS Application Load Balancer AccessDenied Not authorized to perform

I'm trying to deploy an Application Load Balancer for an EKS cluster. As per the official documentation I followed the steps below.

Base resources https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html

Create an IAM OIDC provider for your cluster – You only need to do this once for a cluster.

Create an IAM role and attach an IAM policy to it with the permissions that your service accounts need – We recommend creating separate roles for each unique collection of permissions that pods need.

Associate an IAM role with a service account – Complete this task for each Kubernetes service account that needs access to AWS resources.

Here is the deployment and pod status for the aws load balancer controller:

# kubectl get deployment -n kube-system | grep aws
aws-load-balancer-controller   1/1     1            1           18m

# kubectl get pod -n kube-system | grep aws
aws-load-balancer-controller-59674b7589-r9hrw   1/1     Running   0          18m

Here is the trusted relationship:

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_PROVIDER}:sub": "system:serviceaccount:<my-namespace>:<my-service-account>"
        }
      }
    }
  ]
}

This is the error when describing the aws load balancer controller:

{"level":"error","ts":1623519676.5669305,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"ingress-2048","namespace":"default","error":"couldn't auto-discover subnets: WebIdentityErr: failed to retrieve credentials\ncaused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity\n\tstatus code: 403, request id: 09ed3739-df97-4933-ac48-bf6bd316fa13"}

Could you please help me on this?

Upvotes: 1

Views: 5541

Answers (1)

uni

Reputation: 300

In your IAM role trusted relationship, check if the region provided is correct. In my case that was the issue and I resolved it using the correct region code.

"oidc.eks.us-east-1.amazonaws.com/id/${ID}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"

${ID} = OIDC ID

Upvotes: 4
