Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster #902

Merged
merged 1 commit into from
Jun 28, 2020
Merged

feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster #902

merged 1 commit into from
Jun 28, 2020

Conversation

ivan-sukhomlyn
Copy link
Contributor

@ivan-sukhomlyn ivan-sukhomlyn commented May 31, 2020
edited
Loading

PR o'clock

Description

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

#900

Checklist

@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch 2 times, most recently from 713c9c1 to 27c9e45 Compare May 31, 2020 18:27
jfryman
jfryman reviewed Jun 4, 2020
View reviewed changes
cluster.tf Outdated

statement {
effect = "Allow"
actions = ["ec2:DescribeAccountAttributes"]
Copy link

@jfryman jfryman Jun 4, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi!

Ran into this same issue, and ended up needing ec2:DescribeInternetGateways in addition to the above IAM access action.

Thanks for the fix. 🙇

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi James,

Thank you for the suggestion regarding ec2:DescribeInternetGateways permissions that must be attached to the IAM role as well.

@ivan-sukhomlyn ivan-sukhomlyn mentioned this pull request Jun 9, 2020
Closed
4 tasks
@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch from 27c9e45 to 8317af9 Compare June 9, 2020 20:50
@ivan-sukhomlyn
improvement: IAM permissions for ELB svc-linked role creation by EKS
f2842da 
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary
permissions to create ELB service-linked role required during
LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch from 8317af9 to f2842da Compare June 9, 2020 20:59
@nathan-vp
Copy link

We also encounter the same issue, would be cool if this can be merged

@barryib barryib changed the title improvement: IAM permissions for ELB svc-linked role creation by EKS cluster feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster Jun 24, 2020
@barryib
Copy link
Member

barryib commented Jun 24, 2020

@dpiddockcmp can you please review this.

dpiddockcmp
dpiddockcmp approved these changes Jun 28, 2020
View reviewed changes
Copy link
Contributor

@dpiddockcmp dpiddockcmp left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple people confirmed the issue exists and that this is the fix.

Looking through CloudTrail this change at least makes first creation of LBs a lot faster, as kubernetes only needs to attempt it once. Before the change it took 3 attempts in a sample account which had the service account deleted.

@dpiddockcmp dpiddockcmp merged commit 9a0e548 into terraform-aws-modules:master Jun 28, 2020
@ivan-sukhomlyn ivan-sukhomlyn deleted the improvement_permissions_for_ELB_service_linked_role_creation branch June 28, 2020 13:55
@ivan-sukhomlyn
Copy link
Contributor Author

@barryib @dpiddockcmp Thank you guys

@lfreeman lfreeman mentioned this pull request Jul 9, 2020
Open
@lzecca78 lzecca78 mentioned this pull request Sep 15, 2020
Closed
barryib pushed a commit to Polyconseil/terraform-aws-eks that referenced this pull request Oct 25, 2020
@ivan-sukhomlyn
feat: Add IAM permissions for ELB svc-linked role creation by EKS clu…
ae7afb3 
…ster (terraform-aws-modules#902)

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@danvbloomberg danvbloomberg mentioned this pull request Feb 5, 2021
Merged
2 tasks
@github-actions
Copy link

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.
Reviewers

@jfryman jfryman jfryman left review comments

@dpiddockcmp dpiddockcmp dpiddockcmp approved these changes

Assignees

@dpiddockcmp dpiddockcmp

Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
5 participants
@ivan-sukhomlyn @nathan-vp @barryib @jfryman @dpiddockcmp