Why EKS ALB Controller fails to create due to lack of AddTag permissions

2023. 9. 19. 18:54Dev/EKS

728x90
반응형

Problem:

I tried to create a service in eks to provision NLB.
The aws load balancer controller version is v2.4.0
Code that worked fine 6 months ago now throws an insufficient permissions error.
Of course, adding the missing permissions to aws-load-balancer-controller solves the problem, but let's see why it happened.

 

 

Error:

58m         Warning   FailedDeployModel        service/integration                              

Failed deploy model due to AccessDenied: User: arn:aws:sts::1234567890:assumed-role/eks-alb-controller-hhfz6/1695108220719227138 is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:ap-northeast-2:1234567890:targetgroup/k8s-core-integrat-1c00c926fc/* because no identity-based policy allows the elasticloadbalancing:AddTags action...

 

The reason why

This is because the content of the iam-policy.json file provided by the official documentation has been updated when installing the loadbalancer controller.

 

v2.6.0 <-> v2.4.1

        {
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:AddTags"
            ],
            "Resource": [
                "arn:aws:elasticloadbalancing:*:*:targetgroup/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/net/*/*",
                "arn:aws:elasticloadbalancing:*:*:loadbalancer/app/*/*"
            ],
            "Condition": {
                "StringEquals": {
                    "elasticloadbalancing:CreateAction": [
                        "CreateTargetGroup",
                        "CreateLoadBalancer"
                    ]
                },
                "Null": {
                    "aws:RequestTag/elbv2.k8s.aws/cluster": "false"
                }
            }
        },

This has been added.

Adding the above permissions to the role that serviceaccount sees should fix the problem.