
ec2:DescribeVpcs missing from documentation as required for TargetGroupBinding SA minimal permissions #2542

Closed
cdhesse opened this issue Mar 10, 2022 · 1 comment · Fixed by #2554
Labels
good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. kind/documentation Categorizes issue or PR as related to documentation.

Comments


cdhesse commented Mar 10, 2022

Describe the bug
The "IAM Permissions for TargetGroupBinding only" documentation states the following permissions:

{
    "Statement": [
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}

It is missing "ec2:DescribeVpcs".

Steps to reproduce
Deploy the custom resource for TargetGroupBinding providing the SA with the permissions specified. The logs state "unauthorized", but don't indicate what is causing the error. Looking in CloudTrail you can find the offending "DescribeVpcs" call failing. Adding this permission fixes the error and the target group is updated.

Expected outcome
The aws-load-balancer-controller service account should work with the permissions documented.

Environment

  • AWS Load Balancer controller version 2.4.0
  • Kubernetes version 1.21
  • Using EKS (yes/no), if so version? yes

Additional Context:
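As an added example (not the author's or the project's own code) of how one could catch this kind of gap between documented and required permissions before deploying: a small Python checker that takes the documented policy quoted in this issue and reports which of the actions the controller needs are not granted. The required list is assumed to be the documented actions plus ec2:DescribeVpcs, as this issue reports; the matching follows IAM's action rules (case-insensitive, `*` and `?` wildcards, Deny overrides Allow) but deliberately ignores Resource, Condition and NotAction, so it is a linter rather than an authorisation decision.

```python
import copy
import fnmatch
import json

# Policy copied from this issue: the documented minimal permissions for TargetGroupBinding only.
DOCUMENTED_POLICY = json.loads("""
{
    "Statement": [
        {
            "Action": [
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeInstances",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets"
            ],
            "Effect": "Allow",
            "Resource": "*"
        }
    ],
    "Version": "2012-10-17"
}
""")

# Actions the controller needs for TargetGroupBinding: the documented list plus
# ec2:DescribeVpcs, the call this issue found failing in CloudTrail. This list is
# an assumption for the example, derived from the issue text, not from the project.
REQUIRED_ACTIONS = [
    "ec2:DescribeSecurityGroups",
    "ec2:DescribeInstances",
    "ec2:DescribeVpcs",
    "elasticloadbalancing:DescribeTargetGroups",
    "elasticloadbalancing:DescribeTargetHealth",
    "elasticloadbalancing:ModifyTargetGroup",
    "elasticloadbalancing:ModifyTargetGroupAttributes",
    "elasticloadbalancing:RegisterTargets",
    "elasticloadbalancing:DeregisterTargets",
]


def _as_list(value):
    """IAM allows Statement/Action to be a single string/object or a list; normalise to a list."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    """IAM action matching: case-insensitive, with '*' and '?' wildcards."""
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def action_allowed(policy, action):
    """Static check of whether `action` is granted by `policy` (a parsed IAM policy).

    Mirrors IAM's Deny-overrides-Allow rule for the Action element only.
    Resource, Condition and NotAction are not evaluated (the policy in this
    issue uses Resource "*" and no conditions), so treat this as a linter.
    """
    allowed = False
    for stmt in _as_list(policy.get("Statement")):
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if stmt.get("Effect") == "Deny":
            return False
        if stmt.get("Effect") == "Allow":
            allowed = True
    return allowed


def missing_actions(policy, required=REQUIRED_ACTIONS):
    """Return the required actions the policy does not grant, in the required order."""
    return [a for a in required if not action_allowed(policy, a)]


def with_action_added(policy, action):
    """Return a copy of `policy` with `action` appended to its first Allow statement."""
    fixed = copy.deepcopy(policy)
    for stmt in _as_list(fixed.get("Statement")):
        if stmt.get("Effect") == "Allow":
            actions = _as_list(stmt.get("Action"))
            if not any(_action_matches(p, action) for p in actions):
                actions.append(action)
            stmt["Action"] = actions
            return fixed
    raise ValueError("policy has no Allow statement to extend")


if __name__ == "__main__":
    print("missing from documented policy:", missing_actions(DOCUMENTED_POLICY))  # ['ec2:DescribeVpcs']
    fixed = with_action_added(DOCUMENTED_POLICY, "ec2:DescribeVpcs")
    print("missing after fix:", missing_actions(fixed))  # []
```

Running the checker against the documented policy reports exactly the gap this issue describes, and the same check passes once ec2:DescribeVpcs is appended. Because IAM resolves wildcards and explicit Deny statements before granting anything, the checker applies those rules too; otherwise a policy granting ec2:Describe* would be flagged as missing every Describe action, and a Deny statement would be silently ignored.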

Collaborator

kishorj commented Mar 10, 2022

/kind documentation

@k8s-ci-robot k8s-ci-robot added the kind/documentation Categorizes issue or PR as related to documentation. label Mar 10, 2022
@kishorj kishorj added the good first issue Denotes an issue ready for a new contributor, according to the "help wanted" guidelines. label Mar 10, 2022