aws-load-balancer-controller: Error: AccessDeniedException when creating ALB

Hello,

I get the following error when I try to create the ALB:

kubebuilder/controller "msg"="Reconciler error" "error"="failed to build LoadBalancer configuration due to failed to get AWS tags. Error: AccessDeniedException: User: arn:aws:sts::1122334455:assumed-role/eksctl-devops-nodegroup-ng-1-work-NodeInstanceRole-J08FDJHIWPI7/i-000000000000 is not authorized to perform: tag:GetResources\n\tstatus code: 400, request id: 94d614a1-c05d-4b92-8ad6-86b450407f6a"  "Controller"="alb-ingress-controller" "Request"={"Namespace":"superset","Name":"superset-ingress"}

I tried creating the access permissions not with kube2iam but rather with IRSA, and then basically followed these steps. I have the feeling, however, that I am missing something. I would expect the pod to need proper access to create the ALB, not the node. Is there some specific configuration that needs to be done in the controller manifest to work with IRSA?

Thank you.

About this issue

  • State: closed
  • Created 5 years ago
  • Reactions: 5
  • Comments: 18 (2 by maintainers)
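
The error in the question already identifies the caller: an `assumed-role` session whose session name is an EC2 instance ID, which is how instance-profile (node) credentials appear in an ARN. As an added example (not part of the original issue or of the controller's code), this Python function parses such a line and reports whether the denied call was made with node credentials rather than a pod-level role; the function name `classify_denial` and the second sample line are constructed for illustration.

```python
import re

# Principal and denied action inside an AWS "is not authorized" message.
DENIED = re.compile(
    r"User: arn:aws[\w-]*:sts::(?P<account>\d+):assumed-role/"
    r"(?P<role>[^/\s]+)/(?P<session>\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+)"
)
# Instance-profile credentials use the EC2 instance ID as the session name.
INSTANCE_SESSION = re.compile(r"^i-[0-9a-f]{8,17}$")

# Shortened from the log line quoted in the issue above.
PAGE_LINE = (
    r'"error"="failed to get AWS tags. Error: AccessDeniedException: User: '
    r"arn:aws:sts::1122334455:assumed-role/eksctl-devops-nodegroup-ng-1-work-"
    r"NodeInstanceRole-J08FDJHIWPI7/i-000000000000 is not authorized to "
    r'perform: tag:GetResources\n\tstatus code: 400"'
)
# Constructed sample: role name and session name are hypothetical.
CONSTRUCTED_IRSA_LINE = (
    "AccessDeniedException: User: arn:aws:sts::1122334455:assumed-role/"
    "example-alb-controller-role/1595000000000000000 is not authorized to "
    "perform: tag:GetResources"
)


def classify_denial(log_line):
    """Return the denied caller and whether it used node (instance) credentials."""
    m = DENIED.search(log_line)
    if m is None:
        return None
    from_node = bool(INSTANCE_SESSION.match(m["session"]))
    return {
        "role": m["role"],
        "session": m["session"],
        "action": m["action"],
        "credential_source": (
            "ec2-instance-profile" if from_node else "other-assumed-role"
        ),
        "finding": (
            "pod fell back to the node role; IRSA credentials were not used"
            if from_node
            else "not an instance-profile session; review this role's policy"
        ),
    }


if __name__ == "__main__":
    for line in (PAGE_LINE, CONSTRUCTED_IRSA_LINE):
        print(classify_denial(line))
```

A result of `ec2-instance-profile` means the fix belongs in how the pod obtains credentials, not in widening the node role's policy.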

Most upvoted comments

I think I can make a change in the next release to force the use of regional STS and remove the dependency on RGT (which doesn't have private link).