AWS EKS Access Policy Association - ResourceNotFoundException: PrincipalArn Not Found #3024

Closed
janavenkat opened this issue May 1, 2024 · 9 comments

@janavenkat

Description

I am using the resource eks_access_policy_association and encountering an error.

│ Error: creating EKS Access Policy Association (eks#arn:aws:iam::xxx:role/xxx#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy): operation error EKS: AssociateAccessPolicy, https response error StatusCode: 404, ResourceNotFoundException: The specified principalArn could not be found. You can view your available access entries with 'list-access-entries'.

  1. Terraform has the proper IAM access required for this resource, as outlined in the AWS documentation.
  2. The principal ARN is present in the AWS account.
  3. I am able to create the access entry manually in the AWS console.

Versions

  • Module version [Required]: 20.8.3

  • Terraform version: 1.7.0

  • Provider version(s): 5.0

Reproduction Code [Required]

Steps to reproduce the behavior:

resource "aws_eks_access_policy_association" "access-policy" {
  cluster_name  = "test-cluster"
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
  principal_arn = "arn:aws:iam::xx:role/xx"

  access_scope {
    type       = "cluster"
  }
}

Expected behavior

It should be able to attach the access entry.

Actual behavior

│ Error: creating EKS Access Policy Association (eks#arn:aws:iam::xxx:role/xxx#arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy): operation error EKS: AssociateAccessPolicy, https response error StatusCode: 404, ResourceNotFoundException: The specified principalArn could not be found. You can view your available access entries with 'list-access-entries'.

@manjot-randhawa

I was facing the same issue. Looks like aws_eks_access_policy_association needs complete arn, not just friendly IAM role name.

Friendly: arn:aws:iam::xx:role/xx
Complete: arn:aws:iam::xx:role/aws-reserved/sso/<region>/xx

@janavenkat
Author

> I was facing the same issue. Looks like aws_eks_access_policy_association needs complete arn, not just friendly IAM role name.
>
> Friendly: arn:aws:iam::xx:role/xx
> Complete: arn:aws:iam::xx:role/aws-reserved/sso/<region>/xx

Not sure if that's the case. So how do you get the complete URL?

@manjot-randhawa

From the IAM console, copy the ARN for your role. If that's already the complete arn, then this might not be the case.

@janavenkat
Author

@bryantbiggs Looking forward to the help. If any inputs are needed from my side, I'm happy to help.

@bryantbiggs
Member

We need a reproduction in order to help troubleshoot - otherwise we have no idea what you might be trying to do

@bryantbiggs
Member

this is not related to the module - you need to pass the full, valid arn

@janavenkat
Author

I passed the full valid arn @bryantbiggs

@janavenkat
Author

So what's the best place to create this issue?

@bryantbiggs
Member

  1. You are opening an issue with the bare resource which is why I have closed this as not applicable to the module. If you are using the module and it's an issue, that's a different story
  2. You have not provided a full reproduction - a reproduction means someone can run the code that you have provided and are able to reproduce the error on their end. Without that, it's hard to say where you should create the issue
  3. You aren't reading the error message "The specified principalArn could not be found. You can view your available access entries with 'list-access-entries'." - have you checked that the role you are providing is listed in the cluster access entries? You need two parts - the access entry and then the policy association, you are only showing one of those with xxx out details so ... very hard to help you out here with the lack of proper details
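
The two parts named in the last comment (the access entry, then the policy association), as an added example that is not code from the issue or from the module. The role name `example-admin-role` is a hypothetical placeholder, and the example assumes the cluster's authentication mode is `API` or `API_AND_CONFIG_MAP`, which access entries require.

```hcl
locals {
  cluster_name = "test-cluster"       # cluster name used in the issue
  role_name    = "example-admin-role" # hypothetical IAM role name (assumption)
}

# Resolve the ARN from IAM rather than typing it by hand, so that any role
# path (such as the aws-reserved/sso/... path mentioned in the thread) is
# part of the value passed to EKS.
data "aws_iam_role" "admin" {
  name = local.role_name
}

# Part 1: the access entry registers the IAM principal with the cluster.
# Without it, AssociateAccessPolicy returns the 404 ResourceNotFoundException
# shown in the issue, even when the role exists in IAM.
resource "aws_eks_access_entry" "admin" {
  cluster_name  = local.cluster_name
  principal_arn = data.aws_iam_role.admin.arn
  type          = "STANDARD"
}

# Part 2: the policy association. Reading cluster_name and principal_arn from
# the access entry gives Terraform an implicit dependency, so the entry is
# always created before the association is attempted.
resource "aws_eks_access_policy_association" "admin" {
  cluster_name  = aws_eks_access_entry.admin.cluster_name
  principal_arn = aws_eks_access_entry.admin.principal_arn
  policy_arn    = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"

  # Cluster-wide admin, as in the issue. A scope of type "namespace" with a
  # namespaces list, or a narrower access policy, grants less.
  access_scope {
    type = "cluster"
  }
}
```

Running `aws eks list-access-entries --cluster-name test-cluster`, as the error message suggests, shows whether the principal already has an entry before the association is applied.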
