Missing permission in docs #3917
Comments
|
Just some additional information, same for controller version 1.8.1 and 1.9.2. https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ElasticLoadBalancingFullAccess.html Current version v8 contains the right for "GetSecurityGroupsForVpc" If anyone also can find an announcement for this change by AWS, it would be great. |
|
I just talked with the ELB team, and this is unexpected behavior. For anyone else that runs into this issue you can add Here's the PR to augment the IAM policy: https://github.com/kubernetes-sigs/aws-load-balancer-controller/pull/3921/files |
Describe the problem
There seems to be a missing permission that is required for the AWS load balancer controller to function properly, however, I have deployed the exact same AWS load balancer controller helm chart, with the same values, to other AWS accounts and never encountered this issue. Same Terraform code as well. So, I am lost here.
ec2:GetSecurityGroupsForVpc
Steps to reproduce
Deploy Terraform code for base infrastructure, including EKS.
Deploy AWS load balancer controller pod identity, with the permissions here
Deploy the AWS load balancer controller helm chart, v1.9.0
Deploy ArgoCD helm chart. Target groups get provisioned just fine, but fails to create the ALB.
Expected outcome
Successful provisioning of ALB
Environment
Additional Context:
Reconciler error","controller":"ingress","object":{"name":"core"},"namespace":"","name":"core","reconcileID":"","error":"operation error Elastic Load Balancing v2: CreateLoadBalancer, https response error StatusCode: 403, RequestID: cd7592df-8a02-41bb-8d69-d86aa57b8996, api error AccessDenied: User: arn:aws:sts::000000000000:assumed-role/aws-lbc-main/eks-main-aws-load-b-d4a16fdd-3080-4fd8-8356-90f21bb153b8 is not authorized to perform: ec2:GetSecurityGroupsForVpc
The text was updated successfully, but these errors were encountered: