
[v2]SubscriptionRequiredException: The AWS Access Key Id needs a subscription for the service #1579

Closed
@icyxp

Description

@icyxp

Environment: AWS China (`aws-cn` partition)
Region: cn-northwest-1

IAM policy in use:
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "iam:CreateServiceLinkedRole", "ec2:DescribeAccountAttributes", "ec2:DescribeAddresses", "ec2:DescribeInternetGateways", "ec2:DescribeVpcs", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeInstances", "ec2:DescribeNetworkInterfaces", "ec2:DescribeTags", "elasticloadbalancing:DescribeLoadBalancers", "elasticloadbalancing:DescribeLoadBalancerAttributes", "elasticloadbalancing:DescribeListeners", "elasticloadbalancing:DescribeListenerCertificates", "elasticloadbalancing:DescribeSSLPolicies", "elasticloadbalancing:DescribeRules", "elasticloadbalancing:DescribeTargetGroups", "elasticloadbalancing:DescribeTargetGroupAttributes", "elasticloadbalancing:DescribeTargetHealth", "elasticloadbalancing:DescribeTags" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "cognito-idp:DescribeUserPoolClient", "acm:ListCertificates", "acm:DescribeCertificate", "iam:ListServerCertificates", "iam:GetServerCertificate", "waf-regional:GetWebACL", "waf-regional:GetWebACLForResource", "waf-regional:AssociateWebACL", "waf-regional:DisassociateWebACL", "wafv2:GetWebACL", "wafv2:GetWebACLForResource", "wafv2:AssociateWebACL", "wafv2:DisassociateWebACL", "shield:GetSubscriptionState", "shield:DescribeProtection", "shield:CreateProtection", "shield:DeleteProtection" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateSecurityGroup" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:CreateTags" ], "Resource": "arn:aws-cn:ec2:*:*:security-group/*", "Condition": { "StringEquals": { "ec2:CreateAction": "CreateSecurityGroup" }, "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "ec2:CreateTags", "ec2:DeleteTags" ], "Resource": "arn:aws-cn:ec2:*:*:security-group/*", "Condition": { "Null": { 
"aws:RequestTag/elbv2.k8s.aws/cluster": "true", "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "ec2:AuthorizeSecurityGroupIngress", "ec2:RevokeSecurityGroupIngress", "ec2:DeleteSecurityGroup" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateLoadBalancer", "elasticloadbalancing:CreateTargetGroup" ], "Resource": "*", "Condition": { "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:CreateListener", "elasticloadbalancing:DeleteListener", "elasticloadbalancing:CreateRule", "elasticloadbalancing:DeleteRule" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:AddTags", "elasticloadbalancing:RemoveTags" ], "Resource": [ "arn:aws-cn:elasticloadbalancing:*:*:targetgroup/*/*", "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/net/*/*", "arn:aws-cn:elasticloadbalancing:*:*:loadbalancer/app/*/*" ], "Condition": { "Null": { "aws:RequestTag/elbv2.k8s.aws/cluster": "true", "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:ModifyLoadBalancerAttributes", "elasticloadbalancing:SetIpAddressType", "elasticloadbalancing:SetSecurityGroups", "elasticloadbalancing:SetSubnets", "elasticloadbalancing:DeleteLoadBalancer", "elasticloadbalancing:ModifyTargetGroup", "elasticloadbalancing:ModifyTargetGroupAttributes", "elasticloadbalancing:RegisterTargets", "elasticloadbalancing:DeregisterTargets", "elasticloadbalancing:DeleteTargetGroup" ], "Resource": "*", "Condition": { "Null": { "aws:ResourceTag/elbv2.k8s.aws/cluster": "false" } } }, { "Effect": "Allow", "Action": [ "elasticloadbalancing:SetWebAcl", "elasticloadbalancing:ModifyListener", "elasticloadbalancing:AddListenerCertificates", "elasticloadbalancing:RemoveListenerCertificates", "elasticloadbalancing:ModifyRule" ], "Resource": "*" 
} ] }

Error (controller log output; the exception is reported as a reconciler error for the ingress):
`
{"level":"error","ts":1603940367.307082,"logger":"controller","msg":"Reconciler error","controller":"ingress","name":"openapi-gateway","namespace":"openapi-prod","error":"SubscriptionRequiredException: The AWS Access Key Id needs a subscription for the service\n\tstatus code: 400, request id: 436e78ca-e81a-4453-92ff-30927ec5a69c"}

{"level":"info","ts":1603940368.3373978,"logger":"controllers.ingress","msg":"successfully built model","model":"{"id":"platform-prod/passport","resources":{"AWS::EC2::SecurityGroup":{"ManagedLBSecurityGroup":{"spec":{"groupName":"k8s-platform-passport-2a688f3659","description":"[k8s] Managed SecurityGroup for LoadBalancer","tags":{"CreateTime":"20201028","EnvType":"prod","ImportantLevel":"very-important","Monitored":"Yes","Name":"passprot-prod","Owner":"peng.xu","Task":"DEVOPS-105","Team":"platform"},"ingress":[{"ipProtocol":"tcp","fromPort":80,"toPort":80,"ipRanges":[{"cidrIP":"0.0.0.0/0"}]},{"ipProtocol":"tcp","fromPort":443,"toPort":443,"ipRanges":[{"cidrIP":"0.0.0.0/0"}]}]}}},"AWS::ElasticLoadBalancingV2::Listener":{"443":{"spec":{"loadBalancerARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN"},"port":443,"protocol":"HTTPS","defaultActions":[{"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"404"}}],"certificates":[{"certificateARN":"arn:aws-cn:iam::xxxxxx:server-certificate/a_com_20211103"}],"sslPolicy":"ELBSecurityPolicy-2016-08"}},"80":{"spec":{"loadBalancerARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::LoadBalancer/LoadBalancer/status/loadBalancerARN"},"port":80,"protocol":"HTTP","defaultActions":[{"type":"fixed-response","fixedResponseConfig":{"contentType":"text/plain","statusCode":"404"}}]}}},"AWS::ElasticLoadBalancingV2::ListenerRule":{"443:1":{"spec":{"listenerARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::Listener/443/status/listenerARN"},"priority":1,"actions":[{"type":"forward","forwardConfig":{"targetGroups":[{"targetGroupARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/platform-prod/passport-w-platform-passport:http/status/targetGroupARN"}}]}}],"conditions":[{"field":"path-pattern","pathPatternConfig":{"values":["/"]}}]}},"80:1":{"spec":{"listenerARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::Listener/80/status/list
enerARN"},"priority":1,"actions":[{"type":"redirect","redirectConfig":{"port":"443","protocol":"HTTPS","statusCode":"HTTP_301"}}],"conditions":[{"field":"path-pattern","pathPatternConfig":{"values":["/"]}}]}}},"AWS::ElasticLoadBalancingV2::LoadBalancer":{"LoadBalancer":{"spec":{"name":"k8s-platform-passport-d5995e9283","type":"application","scheme":"internet-facing","ipAddressType":"ipv4","subnetMapping":[{"subnetID":"subnet-03fdc85118291cf09"},{"subnetID":"subnet-0c809182d99c8c442"},{"subnetID":"subnet-0a090540c7857ce38"}],"securityGroups":[{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"}],"loadBalancerAttributes":[{"key":"access_logs.s3.bucket","value":"aws-logs-397751057748-cn-northwest-1"},{"key":"access_logs.s3.prefix","value":"alb/eks-passport-prod"},{"key":"idle_timeout.timeout_seconds","value":"80"},{"key":"access_logs.s3.enabled","value":"true"}],"tags":{"CreateTime":"20201028","EnvType":"prod","ImportantLevel":"very-important","Monitored":"Yes","Name":"passprot-prod","Owner":"peng.xu","Task":"DEVOPS-105","Team":"platform"}}}},"AWS::ElasticLoadBalancingV2::TargetGroup":{"platform-prod/passport-w-platform-passport:http":{"spec":{"name":"k8s-platform-wplatfor-86d71aa708","targetType":"ip","port":80,"protocol":"HTTP","healthCheckConfig":{"port":80,"protocol":"HTTP","path":"/manage/health","matcher":{"httpCode":"200"},"intervalSeconds":15,"timeoutSeconds":5,"healthyThresholdCount":2,"unhealthyThresholdCount":2},"tags":{"CreateTime":"20201028","EnvType":"prod","ImportantLevel":"very-important","Monitored":"Yes","Name":"passprot-prod","Owner":"peng.xu","Task":"DEVOPS-105","Team":"platform"}}}},"K8S::ElasticLoadBalancingV2::TargetGroupBinding":{"platform-prod/passport-w-platform-passport:http":{"spec":{"template":{"metadata":{"name":"k8s-platform-wplatfor-86d71aa708","namespace":"platform-prod","creationTimestamp":null},"spec":{"targetGroupARN":{"$ref":"#/resources/AWS::ElasticLoadBalancingV2::TargetGroup/platform-prod/passport-
w-platform-passport:http/status/targetGroupARN"},"targetType":"ip","serviceRef":{"name":"w-platform-passport","port":"http"},"networking":{"ingress":[{"from":[{"securityGroup":{"groupID":{"$ref":"#/resources/AWS::EC2::SecurityGroup/ManagedLBSecurityGroup/status/groupID"}}}],"ports":[{"protocol":"TCP"}]}]}}}}}}}}"}
`
