Reputation: 1285
Failed to create records in Route53 using externalDNS, getting the error below:
failed to sync *v1.Service: context deadline exceeded
time="2023-08-02T13:07:48Z" level=fatal msg="records retrieval failed: failed to list hosted zones: AccessDenied: User: arn:aws:sts::602867777777:assumed-role/scm-main-demo-eks-nodes/i-0e5e31a1cd641fcf3 is not authorized to perform: route53:ListHostedZones because no identity-based policy allows the route53:ListHostedZones action\n\tstatus code: 403, request id: 1d737c73-8d6a-49ce-8590-e819058e70ed"
The user arn:aws:sts::602867777777:assumed-role/scm-main-demo-eks-nodes/i-0e5e31a1cd641fcf3
is not the one I want to use, but I'm not sure where this is coming from.
Upvotes: 0
Views: 1412
Reputation: 1285
Issue resolved with the policy below; please add the last Sid permission block to your IAM externalDNS policy.
{
  Version = "2012-10-17"
  Statement = [
    {
      # Resource-scoped Route 53 actions: these match against the hosted-zone ARN.
      Effect = "Allow"
      Action = [
        "route53:GetHostedZone",
        "route53:ListResourceRecordSets",
        "route53:ListHostedZones",
        "route53:ChangeResourceRecordSets",
        "route53:GetHostedZoneCount",
        "route53:ListHostedZonesByName"
      ]
      Resource = "arn:aws:route53:::hostedzone/*"
    },
    {
      Effect = "Allow"
      Action = [
        "eks:DescribeCluster"
      ]
      Resource = "*"
    },
    {
      # route53:ListHostedZones has no resource type in IAM, so a statement
      # scoped to hostedzone/* never grants it; it must be granted on Resource = "*".
      Sid      = "Route53ListHostedZones"
      Effect   = "Allow"
      Action   = "route53:ListHostedZones"
      Resource = "*"
    }
  ]
}
Upvotes: 0
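Why the first statement, which already lists route53:ListHostedZones, did not prevent the 403, and why the extra Sid block fixes it, can be shown with a small, deliberately simplified IAM allow-evaluator. This is an added example, not code from the question or the answer above: it models only Allow statements (no Deny, no Condition), treats IAM wildcards with fnmatch, and assumes a partial list of Route 53 actions that carry no resource type in the IAM action table (ListHostedZones, ListHostedZonesByName, GetHostedZoneCount); confirm that list against the Route 53 IAM reference before relying on it. The "before" policy below is the answer's policy without the last Sid block, constructed here for the demonstration.

```python
"""Simplified IAM evaluator: shows why a Route 53 list action granted only
against arn:aws:route53:::hostedzone/* is silently ineffective.

Assumptions (example code, not AWS's evaluation logic):
  * Allow statements only; Deny, Condition and SCPs are ignored.
  * IAM wildcards (* and ?) are mapped onto fnmatch; names are case-insensitive.
  * NON_RESOURCE_ACTIONS is a partial, hand-picked list.
"""
import fnmatch
import json

# Route 53 actions with no resource type in the IAM action table: a statement
# only grants them when its Resource element contains "*". (Assumed partial list.)
NON_RESOURCE_ACTIONS = {
    "route53:listhostedzones",
    "route53:listhostedzonesbyname",
    "route53:gethostedzonecount",
}


def _as_list(value):
    """IAM accepts a string or a list in Action/Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in patterns)


def statement_allows(stmt, action, resource):
    """Does this single Allow statement grant `action` on `resource`?"""
    if stmt.get("Effect") != "Allow":
        return False
    if not _matches(action, _as_list(stmt["Action"])):
        return False
    resources = _as_list(stmt["Resource"])
    if action.lower() in NON_RESOURCE_ACTIONS:
        # The rule behind the 403: an action without resource-level support
        # never matches a specific ARN, only "*".
        return "*" in resources
    return _matches(resource, resources)


def policy_allows(policy, action, resource="*"):
    return any(statement_allows(s, action, resource) for s in policy["Statement"])


def ineffective_grants(policy):
    """(Sid-or-index, action) pairs for non-resource actions that appear only
    in statements scoped to a specific ARN, i.e. grants that do nothing.
    Only literal action names are considered (no expansion of route53:*)."""
    effective = {
        act.lower()
        for s in policy["Statement"]
        if s.get("Effect") == "Allow" and "*" in _as_list(s["Resource"])
        for act in _as_list(s["Action"])
    }
    dead = []
    for idx, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for act in _as_list(stmt["Action"]):
            if act.lower() in NON_RESOURCE_ACTIONS and act.lower() not in effective:
                dead.append((stmt.get("Sid", str(idx)), act))
    return dead


# Constructed sample: the answer's policy before the Sid block was added.
BEFORE_POLICY = json.loads("""{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow",
     "Action": ["route53:GetHostedZone", "route53:ListResourceRecordSets",
                "route53:ListHostedZones", "route53:ChangeResourceRecordSets",
                "route53:GetHostedZoneCount", "route53:ListHostedZonesByName"],
     "Resource": "arn:aws:route53:::hostedzone/*"},
    {"Effect": "Allow", "Action": ["eks:DescribeCluster"], "Resource": "*"}
  ]
}""")

# The same policy with the Sid block from the answer appended.
AFTER_POLICY = json.loads(json.dumps(BEFORE_POLICY))
AFTER_POLICY["Statement"].append({
    "Sid": "Route53ListHostedZones",
    "Effect": "Allow",
    "Action": "route53:ListHostedZones",
    "Resource": "*",
})

if __name__ == "__main__":
    zone = "arn:aws:route53:::hostedzone/Z0123456789ABCDEF"  # constructed zone ARN
    for name, pol in (("before", BEFORE_POLICY), ("after", AFTER_POLICY)):
        print(name, "ListHostedZones:", policy_allows(pol, "route53:ListHostedZones"),
              "ChangeRRSets:", policy_allows(pol, "route53:ChangeResourceRecordSets", zone),
              "ineffective:", ineffective_grants(pol))
```

Running it shows the fixed policy granting ListHostedZones while the original does not, and also flags that GetHostedZoneCount and ListHostedZonesByName in the first statement remain ineffective under this model for the same reason; if externalDNS ever needs them, they need their own `Resource: "*"` grant. The principal in the error (the node instance role) is a separate concern this evaluator does not model: it only tells you what a given policy document grants, not which role the pod ends up using.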