AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity

[anass-elbouanani]

Hi,

Velero failed to restore a backup with the following error:
restoring targetgroupbindings.elbv2.k8s.aws "vtargetgroupbinding.elbv2.k8s.aws" denied the request: unable to get target group IP address type: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
status code: 403

It seems that the error is caused by an AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity! But the velero role have the permissions to use the AsumeRole:
{
"Effect": "Allow",
"Principal": {
"Federated": "arn:aws:iam::acount-id:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/oidc-id"
},
"Action": "sts:AssumeRoleWithWebIdentity",
"Condition": {
"StringEquals": {
"oidc.eks.us-east-1.amazonaws.com/id/oidc-id:aud": "sts.amazonaws.com",
"oidc.eks.us-east-1.amazonaws.com/id/oidc-id:sub": "system:serviceaccount:velero:velero-server"
}
}
}

Do you have an idea why I am getting this error ?

Thank you in advance for your help.

Best Regards

[blackpiglet]

https://github.com/vmware-tanzu/velero-plugin-for-aws?tab=readme-ov-file#option-1-set-permissions-with-an-iam-user
It is related to the permission setting of the policy. I think adding the permission with the AWS load balance service should make it work.

[anass-elbouanani]

Many thanks for your help.
The issue was resolved after adding adding the permissions to the AWS load balance service role.