Skip to content

feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster#902

Merged
dpiddockcmp merged 1 commit into
terraform-aws-modules:masterfrom
ivan-sukhomlyn:improvement_permissions_for_ELB_service_linked_role_creation
Jun 28, 2020
Merged

feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster#902
dpiddockcmp merged 1 commit into
terraform-aws-modules:masterfrom
ivan-sukhomlyn:improvement_permissions_for_ELB_service_linked_role_creation

Conversation

@ivan-sukhomlyn

@ivan-sukhomlyn ivan-sukhomlyn commented May 31, 2020
edited
Loading

Copy link
Copy Markdown
Contributor

PR o'clock

Description

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

#900

Checklist

@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch 2 times, most recently from 713c9c1 to 27c9e45 Compare May 31, 2020 18:27
jfryman
jfryman reviewed Jun 4, 2020
View reviewed changes
Comment thread cluster.tf Outdated

statement {
effect = "Allow"
actions = ["ec2:DescribeAccountAttributes"]

@jfryman jfryman Jun 4, 2020
edited
Loading

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi!

Ran into this same issue, and ended up needing ec2:DescribeInternetGateways in addition to the above IAM access action.

Thanks for the fix. 🙇

@ivan-sukhomlyn ivan-sukhomlyn Jun 9, 2020

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Hi James,

Thank you for the suggestion regarding ec2:DescribeInternetGateways permissions that must be attached to the IAM role as well.

@ivan-sukhomlyn ivan-sukhomlyn mentioned this pull request Jun 9, 2020
Closed
4 tasks
@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch from 27c9e45 to 8317af9 Compare June 9, 2020 20:50
@ivan-sukhomlyn
improvement: IAM permissions for ELB svc-linked role creation by EKS
f2842da 
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary
permissions to create ELB service-linked role required during
LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@ivan-sukhomlyn ivan-sukhomlyn force-pushed the improvement_permissions_for_ELB_service_linked_role_creation branch from 8317af9 to f2842da Compare June 9, 2020 20:59
@nathan-vp

nathan-vp commented Jun 11, 2020

Copy link
Copy Markdown

We also encounter the same issue, would be cool if this can be merged

@barryib barryib changed the title improvement: IAM permissions for ELB svc-linked role creation by EKS cluster feat: Add IAM permissions for ELB svc-linked role creation by EKS cluster Jun 24, 2020
@barryib

barryib commented Jun 24, 2020

Copy link
Copy Markdown
Member

@dpiddockcmp can you please review this.

dpiddockcmp
dpiddockcmp approved these changes Jun 28, 2020
View reviewed changes

@dpiddockcmp dpiddockcmp left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Multiple people confirmed the issue exists and that this is the fix.

Looking through CloudTrail this change at least makes first creation of LBs a lot faster, as kubernetes only needs to attempt it once. Before the change it took 3 attempts in a sample account which had the service account deleted.

@dpiddockcmp dpiddockcmp merged commit 9a0e548 into terraform-aws-modules:master Jun 28, 2020
@ivan-sukhomlyn ivan-sukhomlyn deleted the improvement_permissions_for_ELB_service_linked_role_creation branch June 28, 2020 13:55
@ivan-sukhomlyn

ivan-sukhomlyn commented Jun 28, 2020

Copy link
Copy Markdown
Contributor Author

@barryib @dpiddockcmp Thank you guys

@lfreeman lfreeman mentioned this pull request Jul 9, 2020
Open
@lzecca78 lzecca78 mentioned this pull request Sep 15, 2020
Closed
barryib pushed a commit to Polyconseil/terraform-aws-eks that referenced this pull request Oct 25, 2020
@ivan-sukhomlyn
feat: Add IAM permissions for ELB svc-linked role creation by EKS clu…
ae7afb3 
…ster (terraform-aws-modules#902)

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@danvbloomberg danvbloomberg mentioned this pull request Feb 5, 2021
Merged
2 tasks
@github-actions

github-actions Bot commented Nov 17, 2022

Copy link
Copy Markdown

I'm going to lock this pull request because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems related to this change, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions Bot locked as resolved and limited conversation to collaborators Nov 17, 2022
Sign up for free to subscribe to this conversation on GitHub. Already have an account? Sign in.

Reviewers

2 more reviewers

@jfryman jfryman jfryman left review comments

@dpiddockcmp dpiddockcmp dpiddockcmp approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

@dpiddockcmp dpiddockcmp

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

5 participants

@ivan-sukhomlyn @nathan-vp @barryib @jfryman @dpiddockcmp