AWS EKS event, could not create volume in EC2

2023. 6. 2. 17:13 Dev/EKS

I am trying to create a pod on AWS EKS. The pod STATUS is Pending, CrashLoopBackOff, or Error.

I ran the following command to check the events in the namespace.

kubectl get event -n <namespace>

3m34s       Warning   ProvisioningFailed     persistentvolumeclaim/etcd-data-etcd-0   
failed to provision volume with StorageClass "gp2": rpc error: code = Internal
desc = Could not create volume "pvc-7ddb4a8a-4346-4d02-ba80-83b3da72630d": could not create volume in EC2: UnauthorizedOperation: You are not authorized to perform this operation.
Encoded authorization failure message: O8GnSy5kjo7CJiNx9Ui-V15eRJNwnwOLWPGIwER-7JhBT_JY4FB-1NYZZkiVHJo0Zvs4ClGmrcezkdOsS-T4IIZo9IcQPPTZPzGHVKuiETg5mLjNB8TL3l1185lY_2X1qkIWqDDlpme-eP2jelhkL66O_qtIZzXWx4YzPsl18mMsxRUK8GCraXqNekPAmSELQl1wuhalTbECh3m433JaRsn_QRK6DZQSCVJFvVhLUnSU9NylWCljdBOGz3Cl8CzOOMs1DvGq5Nsc9UGqd_tbY0x7AWh8t884ujdk3p5lCEjX6E6z92c-jatpb1Ljqz6Gaa-b2FsY5sHy3ZcHDX8UKMkk6KBcQgvKeF30L_wOB4ZZwcNwTSP8wjZWLsd3PiOEmQZjut3MiMF0anvRSA2EEYmmHFNAul74qepzYaGntOc0c6lE9P4doH2TWCUshTpCJo8-v9a0fSi8Do9LBYK_65VzTSXQ8igRhNCAZZ20RQtPRGYiSl-yhnsWHmWg0UoeAFuKN816CUhdFr9TE3iOFeKIm6SXmDA_JF-pPFatEiu8KpN6XBqR__LzV2U499Mia0lQ0-1j8hFxpZfEVhf9SHF0I8SfC6yU_OTff-3waNx2OiHV1zfndHvcc9okudZK5PC535hSepoED1cwwp25Vk...

 

How to decode the message?

aws sts decode-authorization-message --encoded-message KDmmJmkLKm...iUtfAa

 

Result

{
    "DecodedMessage": "{\"allowed\":false,\"explicitDeny\":false,\"matchedStatements\":{\"items\":[]},\"failures\":{\"items\":[]},\"context\":{\"principal\":{\"id\":\"AROASZKW6LWYEK6RY2:i-0f857d5f36f428a2\",\"arn\":\"arn:aws:sts::111122223333:assumed-role/eksctl-host-cluster-nodegroup-ng-NodeInstanceRole-1NP941QSJS/i-0f857d5f376f428a2\"},\"action\":\"ec2:CreateVolume\",\"resource\":\"arn:aws:ec2:ap-northeast-2:111122223333:volume/*\",\"conditions\":{\"items\":[{\"key\":\"aws:Resource\",\"values\":{\"items\":[{\"value\":\"volume/*\"}]}},{\"key\":\"aws:Account\",\"values\":{\"items\":[{\"value\":\"111122223333\"}]}},{\"key\":\"ec2:AvailabilityZone\",\"values\":{\"items\":[{\"value\":\"ap-northeast-2c\"}]}},{\"key\":\"ec2:Encrypted\",\"values\":{\"items\":[{\"value\":\"false\"}]}},{\"key\":\"ec2:VolumeType\",\"values\":{\"items\":[{\"value\":\"gp2\"}]}},{\"key\":\"aws:Region\",\"values\":{\"items\":[{\"value\":\"ap-northeast-2\"}]}},{\"key\":\"aws:Service\",\"values\":{\"items\":[{\"value\":\"ec2\"}]}},{\"key\":\"ec2:VolumeID\",\"values\":{\"items\":[{\"value\":\"*\"}]}},{\"key\":\"ec2:VolumeSize\",\"values\":{\"items\":[{\"value\":\"5\"}]}},{\"key\":\"aws:Type\",\"values\":{\"items\":[{\"value\":\"volume\"}]}},{\"key\":\"ec2:Region\",\"values\":{\"items\":[{\"value\":\"ap-northeast-2\"}]}},{\"key\":\"aws:ARN\",\"values\":{\"items\":[{\"value\":\"arn:aws:ec2:ap-northeast-2:111122223333:volume/*\"}]}}]}}}"
}

Pipe the output through sed to unescape the quotes and make it more readable.

aws sts decode-authorization-message --encoded-message 'KDmmJmkLKm...iUtfAa' | sed 's/\\"/"/g' | sed 's/^"//' | sed 's/"$//'
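The decoded message can also be parsed instead of read by eye. The following is an added example, not part of the original post: it unwraps the JSON string nested in DecodedMessage and reports whether the denial was implicit or explicit, along with the role, action, resource and request conditions. The names summarize_denial and SAMPLE_CLI_OUTPUT and the role name in the sample are constructed for illustration.

```python
import json

# Constructed sample of `aws sts decode-authorization-message` output (trimmed).
SAMPLE_CLI_OUTPUT = json.dumps({"DecodedMessage": json.dumps({
    "allowed": False,
    "explicitDeny": False,
    "matchedStatements": {"items": []},
    "context": {
        "principal": {
            "arn": "arn:aws:sts::111122223333:assumed-role/"
                   "example-NodeInstanceRole/i-0123456789abcdef0",
        },
        "action": "ec2:CreateVolume",
        "resource": "arn:aws:ec2:ap-northeast-2:111122223333:volume/*",
        "conditions": {"items": [
            {"key": "ec2:Encrypted", "values": {"items": [{"value": "false"}]}},
            {"key": "ec2:VolumeType", "values": {"items": [{"value": "gp2"}]}},
        ]},
    },
})})


def summarize_denial(cli_output: str) -> dict:
    """Parse the CLI's JSON, then the JSON string nested in DecodedMessage."""
    msg = json.loads(json.loads(cli_output)["DecodedMessage"])
    ctx = msg["context"]
    arn = ctx["principal"]["arn"]
    # An assumed-role session ARN ends in assumed-role/<role>/<session>.
    parts = arn.split(":", 5)[-1].split("/")
    role = parts[1] if parts[0] == "assumed-role" and len(parts) >= 3 else None
    if msg.get("allowed"):
        decision = "allowed"
    elif msg.get("explicitDeny"):
        decision = "explicit deny"  # a matching Deny statement blocked the call
    else:
        decision = "implicit deny"  # no statement allowed the action
    return {
        "decision": decision,
        "role": role,
        "principal_arn": arn,
        "action": ctx["action"],
        "resource": ctx["resource"],
        "conditions": {c["key"]: [v["value"] for v in c["values"]["items"]]
                       for c in ctx.get("conditions", {}).get("items", [])},
    }


if __name__ == "__main__":
    print(json.dumps(summarize_denial(SAMPLE_CLI_OUTPUT), indent=2))
```

To use it on real output, save the result of the aws sts command to a file and pass the file's contents to summarize_denial.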