iam:PassRole not working with provided CFN template in AWS China #6843

Closed
artem-nefedov opened this issue Aug 22, 2024 · 1 comment · Fixed by #6839
Labels
bug Something isn't working needs-triage Issues that need to be triaged

Comments

@artem-nefedov
Contributor

Description

Observed Behavior:

When deploying to AWS China using the CloudFormation template advised in the official docs, NodeClaims get stuck in unknown status and a `User <role> is not authorized to perform: iam:PassRole on resource...` error is seen in the status message.

Manually editing policy and changing "iam:PassedToService": "ec2.amazonaws.com" to "iam:PassedToService": "ec2.amazonaws.com.cn" fixes the problem, and NodeClaims work fine after that.

However, if I fix this in the CFN (see #6839) and try to create everything from scratch, it instead fails with the same error when reconciling EC2NodeClass, which now gets stuck in unknown status instead of NodeClaim.

Versions:

  • Chart Version: 1.0.0
  • Kubernetes Version (kubectl version): EKS 1.30
  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment
@artem-nefedov artem-nefedov added bug Something isn't working needs-triage Issues that need to be triaged labels Aug 22, 2024
@artem-nefedov
Contributor Author

The problem goes away if the condition in iam:PassRole is completely removed.
It's not elegant, but it works.
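
The issue describes three policy shapes: the condition with only `ec2.amazonaws.com` (NodeClaims fail), with only `ec2.amazonaws.com.cn` (EC2NodeClass fails), and no condition at all (everything works, but the role is no longer pinned to a service). The following is an added example, not code from the issue or the project: a small audit of an IAM policy document that flags the first and third shapes, on the assumption (inferred from the two failures above) that both service names must be allowed. The Sids, role ARN and function names are constructed for illustration.

```python
import fnmatch

# Assumption inferred from the two failures reported in the issue: in AWS China
# the PassRole calls need both of these service names to be allowed.
EXPECTED = ("ec2.amazonaws.com", "ec2.amazonaws.com.cn")
POSITIVE_OPS = {"stringequals", "stringlike"}

def as_list(value):
    """IAM accepts one value or a list for Statement, Action and condition values."""
    if value is None:
        return []
    return list(value) if isinstance(value, (list, tuple)) else [value]

def covers_passrole(stmt):
    """True if any Action pattern (iam:PassRole, iam:Pass*, iam:*, *) matches."""
    return any(fnmatch.fnmatchcase("iam:passrole", a.lower())
               for a in as_list(stmt.get("Action")))

def passed_to_service(stmt):
    """Values allowed for iam:PassedToService by positive string operators."""
    allowed = set()
    for op, keys in (stmt.get("Condition") or {}).items():
        if op.split(":")[-1].lower() in POSITIVE_OPS:  # drops a ForAnyValue: prefix
            for key, val in keys.items():
                if key.lower() == "iam:passedtoservice":
                    allowed.update(as_list(val))
    return allowed

def audit_passrole(policy):
    """Return (Sid, finding) for Allow statements granting iam:PassRole."""
    findings = []
    for n, stmt in enumerate(as_list(policy.get("Statement"))):
        if stmt.get("Effect") != "Allow" or not covers_passrole(stmt):
            continue
        sid, allowed = stmt.get("Sid", f"statement-{n}"), passed_to_service(stmt)
        missing = [e for e in EXPECTED
                   if not any(fnmatch.fnmatchcase(e, p) for p in allowed)]
        if not allowed:
            findings.append((sid, "no iam:PassedToService condition"))
        elif missing:
            findings.append((sid, "missing " + ",".join(missing)))
    return findings

# Constructed sample policy (not the project's template); the ARN is a placeholder.
def _stmt(sid, services=None, action="iam:PassRole"):
    cond = {"Condition": {"StringEquals": {"iam:PassedToService": services}}}
    return {"Sid": sid, "Effect": "Allow", "Action": action,
            "Resource": "arn:aws-cn:iam::111122223333:role/ExampleNodeRole",
            **(cond if services else {})}
SAMPLE = {"Version": "2012-10-17", "Statement": [
    _stmt("GlobalOnly", "ec2.amazonaws.com"), _stmt("NoCondition"),
    _stmt("BothNames", ["ec2.amazonaws.com", "ec2.amazonaws.com.cn"])]}
```

`audit_passrole(SAMPLE)` reports `GlobalOnly` and `NoCondition` and stays silent on `BothNames`.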
