[Help] Pod does not have the eks-pod-identity-token. #7709
Comments
Hi @laiminhtrung1997 - can you please share the exact commands you're running?
Dear @TiberiuGC,
Thank you for laying out all the steps! Given that you're creating the policy and role in advance, for this use case in particular, On a separate note, although unrelated to the issue,

```yaml
iam:
  podIdentityAssociations:
    - namespace: $NAMESPACE
      serviceAccountName: $SERVICE_ACCOUNT
      roleName: $IAM_ROLE
      permissionPolicy:
        Version: "2012-10-17"
        Statement:
          - Effect: Allow
            Action:
              - "autoscaling:DescribeAutoScalingGroups"
              - "ec2:DescribeLaunchTemplateVersions"
            Resource: '*'
```

and run `eksctl create podidentityassociation -f config.yaml`
Dear @TiberiuGC, regarding the upstream issue you mentioned, is it caused by the association or by the IAM Policy creation? What I mean is, should I wait for 15 seconds after creating the IAM Policy or after the association? As for the suggestion, the reason I do that is that I have multiple EKS clusters, and I want to use a single IAM Policy for all clusters by employing the ABAC concept. Each cluster will use its IAM Role. However, the AWS Service Route53 does not support ABAC, so I have to switch from creating IAM Policies to creating IAM Roles. This means I create a single IAM Role for all clusters, with each cluster having its IAM Policy. I think I will post a discussion about this in another post.
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
Can anyone help me?
What help do you need?
I have an issue with using EKS Pod Identity with the external-dns.
After I associated the IAM Role with the ServiceAccount, I immediately deployed external-dns using helm install.
The issue is that the external-dns pod does not have the eks-pod-identity-token volume mounted, so it cannot perform some actions on the AWS Service Route53.
I think there is a time delay after associating the ServiceAccount with the IAM Role, or maybe something else. I have no idea.
So could someone please help me out with this scenario?
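
A check for the symptom described in the issue above, as an added example that is not part of the original thread or of eksctl: given a pod's JSON, it reports whether the EKS Pod Identity webhook injected the token volume, its mount and the two credential variables. The two sample pods are constructed, and the function name `pod_identity_findings` is an assumption made for this example.

```python
import json

# What the EKS Pod Identity webhook adds to a pod when it is admitted.
TOKEN_VOLUME = "eks-pod-identity-token"
AUDIENCE = "pods.eks.amazonaws.com"
REQUIRED_ENV = ("AWS_CONTAINER_CREDENTIALS_FULL_URI",
                "AWS_CONTAINER_AUTHORIZATION_TOKEN_FILE")

def pod_identity_findings(pod):
    """Return a list of problems; an empty list means the pod was injected."""
    spec = pod.get("spec", {})
    findings = []
    # 1. Projected service-account token volume with the Pod Identity audience.
    vol = next((v for v in spec.get("volumes", [])
                if v.get("name") == TOKEN_VOLUME), None)
    if vol is None:
        findings.append(f"volume {TOKEN_VOLUME} missing")
    else:
        audiences = [s["serviceAccountToken"].get("audience")
                     for s in vol.get("projected", {}).get("sources", [])
                     if "serviceAccountToken" in s]
        if AUDIENCE not in audiences:
            findings.append(f"{TOKEN_VOLUME}: no token for audience {AUDIENCE}")
    # 2. Each container needs the mount and both credential variables.
    for c in spec.get("containers", []):
        mounts = {m.get("name") for m in c.get("volumeMounts", [])}
        env = {e.get("name") for e in c.get("env", [])}
        if TOKEN_VOLUME not in mounts:
            findings.append(f"{c['name']}: {TOKEN_VOLUME} not mounted")
        findings += [f"{c['name']}: env {n} not set"
                     for n in REQUIRED_ENV if n not in env]
    return findings

# Constructed sample: pod admitted before the association took effect.
NOT_INJECTED = {"spec": {"volumes": [{"name": "kube-api-access-abcde"}],
    "containers": [{"name": "external-dns",
                    "volumeMounts": [{"name": "kube-api-access-abcde"}]}]}}
# Constructed sample: the same pod recreated once the association exists.
INJECTED = {"spec": {"volumes": [{"name": TOKEN_VOLUME, "projected": {"sources": [
        {"serviceAccountToken": {"audience": AUDIENCE, "path": TOKEN_VOLUME}}]}}],
    "containers": [{"name": "external-dns",
                    "volumeMounts": [{"name": TOKEN_VOLUME}],
                    "env": [{"name": n, "value": "constructed"} for n in REQUIRED_ENV]}]}}

if __name__ == "__main__":
    for label, pod in (("not injected", NOT_INJECTED), ("injected", INJECTED)):
        print(label, json.dumps(pod_identity_findings(pod) or "ok"))
```

To check a live pod, load the output of `kubectl get pod <pod> -n <namespace> -o json` with `json.load` and pass it to `pod_identity_findings`. The webhook mutates pods only when they are created, so a pod that fails this check has to be recreated after the association exists.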