external-dns: Unable to use regional STS VPC endpoint
What would you like to be added: As described in #1470, EKS clusters without outbound internet access fail to register records in route53. The failure is described in #1470:
time="2021-01-29T15:16:13Z" level=error msg="records retrieval failed: failed to list hosted zones: WebIdentityErr: failed to retrieve credentials\ncaused by: RequestError: send request failed\ncaused by: Post \"https://sts.amazonaws.com/\": dial tcp 54.239.29.25:443: i/o timeout"
Why is this needed: external-dns should provide options to configure the usage of STS VPC endpoints instead of the public endpoint sts.amazonaws.com. Those would be accessible by private EKS clusters with no internet access.
About this issue
- State: closed
- Created 3 years ago
- Comments: 15 (3 by maintainers)
@fitchtech that is not correct, if you try to run
dig sts.amazonaws.com
inside an EC2 instance which is in a private subnet without internet access but with a regional STS VPC endpoint configured, it will resolve to the STS public IP. The only endpoint that will resolve to the private IP of the VPC endpoint ENI will be sts.<region-name>.amazonaws.com
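The comment above can be verified from inside the affected subnet. The following script is an added example, not code from the external-dns project or from anyone in this thread: it resolves both the global hostname and the regional one and reports whether the first A record falls in an RFC 1918 range, which is what a VPC endpoint ENI address looks like. It assumes `getent` is available (true on most Linux images) and takes the region as its only argument; the sample public address in the test is the one quoted in the error message above.

```shell
#!/bin/sh
# Added example (not from external-dns): show which STS hostname resolves to a
# private VPC endpoint ENI address from a private subnet.

# Return 0 if the IPv4 address in $1 is in an RFC 1918 range
# (10/8, 172.16/12, 192.168/16), which is where a VPC endpoint ENI lives.
is_private_ipv4() {
  ip="$1"
  case "$ip" in
    10.*) return 0 ;;
    192.168.*) return 0 ;;
    172.*)
      second=$(printf '%s' "$ip" | cut -d. -f2)
      [ "$second" -ge 16 ] 2>/dev/null && [ "$second" -le 31 ] && return 0
      return 1 ;;
  esac
  return 1
}

# Print "private (addr)", "public (addr)" or "unresolved" for hostname $1,
# judged on its first A record only.
classify_host() {
  host="$1"
  addr=$(getent ahostsv4 "$host" 2>/dev/null | awk 'NR==1 {print $1}')
  if [ -z "$addr" ]; then
    echo "unresolved"
    return 1
  fi
  if is_private_ipv4 "$addr"; then
    echo "private ($addr)"
  else
    echo "public ($addr)"
  fi
}

# Compare the global endpoint with the regional one for region $1.
main() {
  region="$1"
  for h in sts.amazonaws.com "sts.${region}.amazonaws.com"; do
    printf '%-36s %s\n' "$h" "$(classify_host "$h")"
  done
}

# Only run the lookups when a region is given on the command line,
# e.g.  sh check_sts_dns.sh eu-west-1
if [ "$#" -gt 0 ]; then
  main "$1"
fi
```

Run it on an instance or pod in the private subnet; the expected picture, matching the comment, is that `sts.amazonaws.com` still reports a public address while `sts.<region>.amazonaws.com` reports a private one once the interface endpoint and its private DNS name are in place. Any workload that is pinned to the global hostname will therefore keep timing out regardless of the endpoint.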