NodeGroup create fails on iam:passRole when path is a boundary requirement. #2847
Comments
michaelbeaumont
added
the
priority/important-soon
|
Hey @ChristopherMotesHalfaker , I could not reproduce the issue on
Is this referring to the work done as part of #2689 ? You are correct that when you now provide a Is the problem that your |
|
0.32.0 Fails with the same error. |
@ChristopherMotesHalfaker if you update your passRole to match the compressed ARN does it work? |
|
Do you mean update passRole in the boundary? The contents of that boundary policy is out my team's control. If you mean somewhere else, you'll need to be more concise. |
|
Is it possible to just get a boolean Like compressNodeARN: true, so we can set it to false? |
|
@ChristopherMotesHalfaker Looking at https://docs.aws.amazon.com/eks/latest/userguide/troubleshooting_iam.html#security-iam-troubleshoot-ConfigMap, it seems like using a role with a path shouldn't work so I'm surprised that it ever worked. What does the |
|
The path is compressed in the aws-auth config map. The failure happens when cloudformation tries to use the compressed ARN in NodeRole. We can't pass that through our boundary. Maybe if I give you more insight to our workflow
Everything works as expected until step 5 with version >=0.30.0. Once step 4 is completed, I can manually create a node group, from the console. The console only allows me to select from a dropdown that has the fully pathed ARN. |
|
The interaction between cloudformation, the role and the boundary is clear. But when I create a managed nodegroup from the console using a role ARN with a path, it ends up pathed in Are you adding the compressed role ARN to |
|
Yup, we re-write aws-auth after cluster creation and before node creation. It's the only way we could get it to work. We'll need to keep our nodegroup configs separate from the cluster config for routine updates. |
|
@ChristopherMotesHalfaker if we were to fix this by compressing the path ourselves in the config map for managed nodes, would that allow you to skip rewriting |
|
Probably not. This isn't the only role we control in aws-auth. |
|
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. |
What happened?
Node Groups will not create when an IAM path is required for IAM:passRole. Since 0.30.0, the path section from instanceRoleARN is compressed prior creating the resource. Recently tested with 0.32.0-rc.0
Works successfully with 0.29.2
What you expected to happen?
Nodegroups create
How to reproduce it?
Anything else we need to know?
We're using an IAM Instance Role to create/update clusters and nodegroups with many boundary restrictions.
Versions
Please paste in the output of these commands:
Logs
[✖] unexpected status "ROLLBACK_IN_PROGRESS" while waiting for CloudFormation stack "eksctl-mycluster-nodegroup-myNode"
[ℹ] fetching stack events in attempt to troubleshoot the root cause of the failure
[✖] AWS::EKS::Nodegroup/ManagedNodeGroup: CREATE_FAILED – "User: arn:partition:sts::AccountId:assumed-role/boundryRequirement-jenkins-role/i-instanceId is not authorized to perform: iam:PassRole on resource: arn:partition:iam::AccountId:role/boundryRequirement-eks-managed-node (Service: AmazonEKS; Status Code: 403; Error Code: AccessDeniedException; Request ID: requestId; Proxy: null)"
[ℹ] 1 error(s) occurred and nodegroups haven't been created properly, you may wish to check CloudFormation console
[ℹ] to cleanup resources, run 'eksctl delete nodegroup --region= --cluster=mycluster --name=' for each of the failed nodegroup
[✖] waiting for CloudFormation stack "eksctl-mycluster-nodegroup-myNode": ResourceNotReady: failed waiting for successful resource state
The text was updated successfully, but these errors were encountered: