Error: The configmap "aws-auth" does not exist when deploying an EKS cluster with manage_aws_auth_configmap = true
#2009
Comments
ezzatron
changed the title
Error: The configmap "aws-auth" does not exist when deploying a new EKS cluster with manage_aws_auth_configmap = trueError: The configmap "aws-auth" does not exist when deploying an EKS cluster with manage_aws_auth_configmap = true
|
thats odd that its stating that the terraform-aws-eks/examples/self_managed_node_group/main.tf Lines 61 to 63 in 69a815c create_aws_auth_configmap = true
manage_aws_auth_configmap = true |
|
Yeah, I assumed based on the docs that we shouldn't be setting |
|
yes, its safe to enable this. question: if the configmap doesn't exist, are your nodes connected to the control plane? |
|
As far as I can tell, the ConfigMap genuinely doesn't exist. In the console, the node group shows up under the cluster, which (I think) means that the nodes are connected to the control plane:
But since the config map doesn't exist, I can't see any of the resources inside the cluster of course:
|
|
hmm, somethings off. if the configmap doesn't exist then the nodes won't register because they lack authorization to do so |
|
let me try your repro and see |
|
Thanks for taking a look, let me know if I can help out with any other info. In the meantime I'm going to try enabling |
|
FWIW, adding
|
|
hmm, it is there but its not recognizing or patching it. I'll have to file an issue with the upstream Kubernetes provider in the morning to have them take a look |
|
No worries, thanks for your help 🙏 |
|
Experiencing this as well, using on Terraform 1.1.6. |
|
EDIT: it's because I didn't have the manage field set. With that enabled, I now get: |
|
I had the same issue, both the I'm using managed node groups as well. The way I solved it was to add a kubernetes provider. This here should be enough: /*
The following 2 data resources are used get around the fact that we have to wait
for the EKS cluster to be initialised before we can attempt to authenticate.
*/
data "aws_eks_cluster" "default" {
name = module.eks.cluster_id
}
data "aws_eks_cluster_auth" "default" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = data.aws_eks_cluster.default.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.default.token
}It's also a great way to authenticate to the EKS cluster instead of the example in the repo that forces the use of |
oy, good spot on not providing the provider and creds. I'll file a ticket for better error reporting on that upstream. Regarding the token vs exec - exec is what is recommended by the provider itself https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#exec-plugins |
|
yep, was able to confirm that was the issue and this now works as expected @ezzatron - we just forgot to put the provider auth provider "aws" {
region = "us-east-1"
}
provider "kubernetes" {
host = module.eks_main.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_main.cluster_certificate_authority_data)
exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks_main.cluster_id]
}
}
data "aws_availability_zones" "available" {}
data "aws_caller_identity" "current" {}
module "vpc_example" {
source = "terraform-aws-modules/vpc/aws"
version = "~> 3.14.0"
name = "example"
cidr = "10.10.0.0/16"
azs = slice(data.aws_availability_zones.available.names, 0, 3)
enable_nat_gateway = true
private_subnets = ["10.10.1.0/24", "10.10.2.0/24", "10.10.3.0/24"]
public_subnets = ["10.10.11.0/24", "10.10.12.0/24", "10.10.13.0/24"]
database_subnets = ["10.10.21.0/24", "10.10.22.0/24", "10.10.23.0/24"]
public_subnet_tags = {
"kubernetes.io/role/elb" = 1
}
private_subnet_tags = {
"kubernetes.io/role/internal-elb" = 1
}
}
module "eks_main" {
source = "terraform-aws-modules/eks/aws"
version = "~> 18.20.1"
cluster_name = "main"
cluster_enabled_log_types = ["api", "audit", "authenticator", "controllerManager", "scheduler"]
cluster_endpoint_private_access = true
vpc_id = module.vpc_example.vpc_id
subnet_ids = module.vpc_example.private_subnets
eks_managed_node_groups = {
spot = {
create_launch_template = false
launch_template_name = ""
capacity_type = "SPOT"
instance_types = [
"m4.large",
"m5.large",
"m5a.large",
"m6i.large",
"t2.large",
"t3.large",
"t3a.large",
],
}
}
manage_aws_auth_configmap = true
aws_auth_roles = [
{
rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/foo"
username = "sso-breakglass:{{SessionName}}"
groups = ["sso-breakglass"]
},
{
rolearn = "arn:aws:iam::${data.aws_caller_identity.current.account_id}:role/bar"
username = "sso-readall:{{SessionName}}"
groups = ["sso-readall"]
},
]
} |
|
@ezzatron are we able to close this with the solution posted above? |
|
✔️ For us, following setup worked while migrating EKS module from 17.22.0 to 18.20.2 data "aws_eks_cluster" "default" {
name = local.cluster_name
}
data "aws_eks_cluster_auth" "default" {
name = local.cluster_name
}
provider "kubernetes" {
host = data.aws_eks_cluster.default.endpoint
cluster_ca_certificate = base64decode(data.aws_eks_cluster.default.certificate_authority[0].data)
token = data.aws_eks_cluster_auth.default.token
}For data source fields 'aws_eks_cluster' and 'aws_eks_cluster_auth', name: We got the provider block from HashiCorp terraform provider git: https://github.com/hashicorp/terraform-provider-kubernetes/blob/main/_examples/eks/kubernetes-config/main.tf Versions:| Terraform | 1.1.8 | |
|
@narenaryan just be mindful that using that route the token can expire. The provider recommends the exec route if you can (requires awscli to be available where Terraform is execute) https://registry.terraform.io/providers/hashicorp/kubernetes/latest/docs#exec-plugins |
|
It seems to still be some issue. Tried both @bryantbiggs and @narenaryan propostions, and yes, it sometimes works as intended. Unfortunately from time to time I have :
on terraform plan stage. May be that it is not a eks module / kubernetes provider resource, but rather some issue with my deployment machine, but this is what I got for now. Was unable to find yet what was the underlying reason. |
|
@magnusseptim please feel free to investigate, add a 👍🏽 , or post a new issue upstream as there are well known issues with the Kubernetes provider https://github.com/hashicorp/terraform-provider-kubernetes/issues?q=is%3Aissue+is%3Aopen+sort%3Aupdated-desc+localhost |
|
When configuring the kubernetes provider using exec and no region, as per the advice above, I got the following error: I think it's because it assumes the AWS CLI is configured with a region which is not true in my environment. If the region is not set then the AWS CLI will attempt to contact the instance metadata service (IMDS) to detect the region. The IMDS call also fails in my CI/CD environment. Using the data "aws_eks_cluster_auth" "default" {
name = "my-eks-cluster-name"
}
provider "kubernetes" {
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.default.token
} |
|
The exec command is sent to the awscli so you can set the region: provider "kubernetes" {
host = module.eks_main.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks_main.cluster_certificate_authority_data)
exec {
api_version = "client.authentication.k8s.io/v1alpha1"
command = "aws"
# This requires the awscli to be installed locally where Terraform is executed
args = ["eks", "get-token", "--cluster-name", module.eks_main.cluster_id, "--region", "us-east-1"]
}
} |
|
confirming its working with |
Me too. Using exec does not work. |
|
Still not working here :-(
`module "eks" { https://registry.terraform.io/modules/terraform-aws-modules/eks/aws/latestsource = "terraform-aws-modules/eks/aws" cluster_name = local.cluster_name vpc_id = module.vpc.vpc_id enable_irsa = true create_cluster_security_group = false manage_aws_auth_configmap = true aws_auth_users = [ |
Same thing happened to me, make sure you use the right profile. |
|
Im not sure what im doing wrong here. But my config looks like But when I run this, I get If I use just |
|
@jeunii you are using a role in the AWS provider which becomes the EKS default data "aws_eks_cluster_auth" "eks_auth" {
name = module.eks.cluster_id
}
provider "kubernetes" {
host = module.eks.cluster_endpoint
cluster_ca_certificate = base64decode(module.eks.cluster_certificate_authority_data)
token = data.aws_eks_cluster_auth.eks_auth.token
} |
|
tl;dr - your AWS provider identity needs to be the same identity in the Kubernetes/Helm/kubectl providers when using the |
|
thank you for your pointer. it worked. I was able to use when logged into the console, I see this message.
via the console I cannot see any nodes or k8s objects. also via the cli, I get I assume the next thing for me to do is to configure my own user ? I myself am a federated user via SSO. |
|
correct - here's an example to add an SSO group https://github.com/clowdhaus/eks-reference-architecture/blob/main/inferentia/us-east-1/eks.tf#L30-L37 |
|
@bryantbiggs Thanks. For now I just want to statically configure this. My SSO are is so for a simple case like this, shouldnt this suffice ? I already implemeted this but it did not seem to work |
|
|
|
As @bryantbiggs said it, my problem was my AWS provider is using a custom profile but my Kubernetes provider not. After do this I can manage aws-auth with the terraform module AWESOME!!!!! |
|
@jeunii you are trying to pass an entity of a role where the role ARN is required. See the example provided since this is what you are trying to accomplish. If you need to limit it further, create a custom SSO group and use that instead of the default Admin group |
|
Going to compile list of issues that I came across - is very generic & masks multiple issues.
I also tried with following which didn't work Both the above approaches use
Try adding following to your eks module to make sure this isn't the case.
Make sure you are on VPN or in the network you want to access cluster from. I'm sure there are more issues but just wanted to point out some of them that I came across. |
|
Folks, just wanted to report back that after dealing with the "Error: The configmap "aws-auth" does not exist" error for several days, I can concur that it most likely (in my case and as experienced by others) that it was an issue in connecting to the endpoint during the process. In my specific case, the source of my problem was with my corporate proxy where it would not accept the root certificate and terraform would report the aws-auth error and AWS CLI would report that I was using a self-signed cert which is not the case. Hoping this will help others or at least provide some insight... |
My issue solved. Thanks ! |
|
Thanks all for sharing this information and workarounds , actually I'm having the following issue "https://68E51D9223F166C1D6B7BDCDFD370F1F.gr7.region.eks.amazonaws.com/api/v1/namespaces/kube-system/configmaps/aws-auth": dial tcp 10.x.x.x:443: i/o timeout", it happens when run Terraform Cloud plan against eks module after turn on private endpoints in my EKS cluster, I already configured a bastion host that is able to reach our cluster, from my local I've configured a proxy that use ssm, even more I was able to run kubectl commands without problem to interact with the cluster but the issue is coming when run terraform cloud plan, Do you know if is there any workaround to pass an https_proxy variable with Terraform Cloud? I'll appreciate your comments in advance |
|
Another cause: I had set |
|
This is a constant headache: The map is there because I have: But it looks like it want to create the aws map on every run. I did not have yet successful run in creating EKS cluster with Terraform. This issue always pops up. Only solution is to import the map, and then re run again... not very automation friendly if I have to do manual task :( |
I think you just need to set |
|
I've encountered and fixed this issue multiple times. This is mainly because we provision with Terraform from a different account. The crux of the issue is:
To know definitively what entity it is, check your CloudTrail events and search for event name |
|
For users running into this issue and having issues with the exec provider. Also try using You could be running into issues like aws/aws-cli#6920 which can be caused, among other things, by having v1 of the aws cli installed from an apt package instead of a recent v2 version. The kubernetes provider doesn't seem to let you know when it couldn't connect because your aws cli is out of date. |
|
I needed to add this to get it to work, finally, This needs to run after eks creation, before module installation. |
If you've tried all of the above methods, but you couldn't, try like this.I had same problem
But I SOVLED this way !! First, I created EKS Cluster and API Endpoint was PRIVATE As it says in AWS Docs, you can only access EKS Cluster API-Server in Same VPC. If a API Endpoint is PRIVATE My Company is using TGW. so I Can Access VPC where created EKS Cluster. Anyway, the reason that occur a error is you couldn't access EKS Api-server !! SolveI proceed thinking that you are in the same VPC as EKS Cluster
click additional security group !!
and add rule like image !! allow 443 port Even if it's private, you can access eks cluster Api-server and can get aws-auth in kube-system !! By opening the 443 port, it allows you to connect to the EKS Api-server. Based on the EKS Api-server, 443 ports were closed, so you couldn't access it, and this error occurred. to sum up, |
|
We resolved our issue with a |
|
UPDATE: This works great for standing up a cluster, but breaks sometime later if you try another terraform apply. Removing the depends_on fixes that. Similar to this comment we solved this by adding depndencies. The data sources aren't populated until after all of the node groups have been created, so the token is fresher. |
|
I've face with the same issue. However - I had outdated aws cli version and aws-iam-authenticator. |
|
I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further. |
and others
Description
When deploying an EKS cluster using
manage_aws_auth_configmap = true, the deploy fails with the error:Versions
Module version [Required]:
~> 18.20.1Terraform version: Terraform Cloud
Provider version(s):
aws v4.9.0cloudinit v2.2.0kubernetes v2.10.0tls v3.3.0Reproduction Code [Required]
Steps to reproduce the behavior:
manage_aws_auth_configmap = trueIn our case, we're using Terraform Cloud, but I'm unsure if that actually affects anything here. We were simply trying to create a new EKS cluster, and noticed this new setting. In the past we've had to use complex hacks to manage the
aws-authConfigMap, so this seemed like a better approach, but it doesn't seem to work.It's worth noting that running another apply doesn't fix the issue, so I don't think it's a timing issue.
Expected behavior
The cluster is created without error, and the
aws-authConfigMap contains the expected content.Actual behavior
The above error.
Additional context
The text was updated successfully, but these errors were encountered: