
Missing Permissions for AWS Load Balancer Pod Identity #24

Closed
derek-howard opened this issue Oct 29, 2024 · 1 comment · Fixed by #25

@derek-howard

Description

There seems to be a missing permission that is required for the AWS load balancer controller to function properly.

ec2:GetSecurityGroupsForVpc

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 1.6.1

  • Terraform version: v1.9.6

  • Provider version(s):

    • hashicorp/time v0.12.0
    • hashicorp/cloudinit v2.3.4
    • hashicorp/null v3.2.2
    • hashicorp/aws v5.65.0
    • hashicorp/random v3.6.2
    • hashicorp/tls v4.0.5

Reproduction Code [Required]

module "aws_lb_controller_pod_identity" {
  source = "terraform-aws-modules/eks-pod-identity/aws"
  version = "1.6.1"

  name            = "aws-lbc-${module.eks.cluster_name}"
  use_name_prefix = false
  description     = "AWS EKS ALB Controller Driver role"

  attach_aws_lb_controller_policy = true
  aws_lb_controller_policy_name   = "${module.eks.cluster_name}-lb-controller"
  policy_name_prefix              = "${module.eks.cluster_name}-"

  tags = { Cluster = module.eks.cluster_name }

  # Pod Identity Associations
  association_defaults = {
    namespace       = "kube-system"
    service_account = local.load_balancer_controller_service_account_name
  }

  associations = {
    one = {
      cluster_name = module.eks.cluster_name
    }
  }

  depends_on = [module.eks.cluster_addons]
}

Steps to reproduce the behavior:

Workspaces: No

Cleared Cache: Yes

Steps for reproduction of issue:

  • Deploy AWS load balancer controller pod identity via module above
  • Deploy AWS load balancer controller helm chart (v1.9.0) to EKS (v1.31)
  • Deploy ArgoCD helm chart (7.6.12) to EKS

Expected behavior

Provision AWS ALB for ArgoCD Ingress resource

Actual behavior

Fails to provision AWS ALB with a permissions denied error for the permission ec2:GetSecurityGroupsForVpc

Additional context

Direct error from AWS load balancer controller pod:

Reconciler error","controller":"ingress","object":{"name":"core"},"namespace":"","name":"core","reconcileID":"","error":"operation error Elastic Load Balancing v2: CreateLoadBalancer, https response error StatusCode: 403, RequestID: cd7592df-8a02-41bb-8d69-d86aa57b8996, api error AccessDenied: User: arn:aws:sts::000000000000:assumed-role/aws-lbc-main/eks-main-aws-load-b-d4a16fdd-3080-4fd8-8356-90f21bb153b8 is not authorized to perform: ec2:GetSecurityGroupsForVpc

AWS Managed Policy: ElasticLoadBalancingFullAccess

https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ElasticLoadBalancingFullAccess.html

The current version, v8, contains the right for "GetSecurityGroupsForVpc", but version v7 does not.
This policy was updated 4 days ago, on October 24, 2024, 22:21 UTC:
https://docs.aws.amazon.com/aws-managed-policy/latest/reference/ElasticLoadBalancingFullAccess.html
It seems AWS changed some required rights, but I could not find any announcements or release notes regarding this change.

The AWS documentation for the load balancer controller is here, and the documentation in git is not updated:
https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html
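An added example, not code from the issue author or the eks-pod-identity module, that turns the diagnosis above into a repeatable check: it parses the controller's AccessDenied log line for the denied action and tests whether a given IAM policy document actually grants it. The two policy fragments are constructed to mirror the v7/v8 difference described in the issue and are not the real ElasticLoadBalancingFullAccess text.

```python
"""Audit an IAM policy against LB Controller AccessDenied log lines (added example, not from the issue or module)."""
import re

# Matches the AccessDenied text the controller logged in this issue.
DENIED_RE = re.compile(r"User: (?P<principal>arn:aws:sts::\d{12}:assumed-role/\S+) "
                       r"is not authorized to perform: (?P<action>[A-Za-z0-9]+:[A-Za-z0-9*]+)")

def parse_access_denied(log_line):
    """Return (principal_arn, denied_action), or None if the line is not an AccessDenied."""
    m = DENIED_RE.search(log_line)
    return (m.group("principal"), m.group("action")) if m else None

def _action_matches(pattern, action):
    """IAM Action matching: case-insensitive, with only '*' and '?' as wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, action, re.IGNORECASE) is not None

def policy_allows(policy_doc, action):
    """True if some Allow statement lists `action`. Deny, NotAction, Resource and
    Condition are ignored, so a True here is necessary but not sufficient."""
    statements = policy_doc["Statement"]
    if isinstance(statements, dict):  # a single statement may be written as an object
        statements = [statements]
    for stmt in statements:
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if stmt.get("Effect") == "Allow" and any(_action_matches(p, action) for p in actions):
            return True
    return False

def uncovered_actions(policy_doc, log_lines):
    """Denied actions seen in the logs that the policy does not allow (sorted, deduplicated)."""
    denied = {hit[1] for hit in map(parse_access_denied, log_lines) if hit}
    return sorted(a for a in denied if not policy_allows(policy_doc, a))

# Constructed fragments modelled on the v7 -> v8 change described in the issue;
# they are not the real ElasticLoadBalancingFullAccess policy text.
POLICY_V7_LIKE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                  "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeVpcs"]}]}
POLICY_V8_LIKE = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
                  "Action": ["ec2:DescribeSecurityGroups", "ec2:DescribeVpcs",
                             "ec2:GetSecurityGroupsForVpc"]}]}
# Constructed log line reusing the denied-action text quoted in the issue.
LOG_LINE = ("api error AccessDenied: User: arn:aws:sts::000000000000:assumed-role/"
            "aws-lbc-main/eks-main-aws-load-b-d4a16fdd-3080-4fd8-8356-90f21bb153b8 "
            "is not authorized to perform: ec2:GetSecurityGroupsForVpc")

if __name__ == "__main__":
    print(uncovered_actions(POLICY_V7_LIKE, [LOG_LINE]))  # ['ec2:GetSecurityGroupsForVpc']
    print(uncovered_actions(POLICY_V8_LIKE, [LOG_LINE]))  # []
```

To run it against a real role, fetch the attached policy documents (for example with `aws iam get-policy-version`) and pass the parsed JSON together with the controller's log lines; the result lists the actions the policy still lacks.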

@derek-howard derek-howard changed the title Missing Permissions for Pod Identity Missing Permissions for AWS Load Balancer Pod Identity Oct 29, 2024
@antonbabenko
Member

This issue has been resolved in version 1.7.0 🎉
