Failed deploy model due to AccessDenied: because no identity-based policy allows the elasticloadbalancing:AddTags action status code: 403, request i #3399

Closed
dkliss opened this issue Sep 25, 2023 · 1 comment

dkliss commented Sep 25, 2023

Hi,

I have been using Kubespray with aws-load-balancer-controller for over a year now. Today, out of nowhere, when I tried to reinstall my application, which needs an NLB, I started to get the error below:

Warning FailedDeployModel 6s (x5 over 46s) service (combined from similar events): Failed deploy model due to AccessDenied: is not authorized to perform: elasticloadbalancing:AddTags on resource: arn:aws:elasticloadbalancing:us-east-1:* because no identity-based policy allows the elasticloadbalancing:AddTags action
status code: 403, request id: cea0bfaf-f4545-41d4-95a9-ba14c3442wed

I reinstalled the packages using the command below and the controller pods were installed correctly, but the above error still exists.

helm install aws-load-balancer-controller eks/aws-load-balancer-controller -n kube-system --set clusterName=test

Has there been a change? I had almost the same setup for over a year and never experienced this issue before.

Describe the bug
A concise description of what the bug is.

Steps to reproduce

Expected outcome
A concise description of what you expected to happen.

Environment

  • AWS Load Balancer controller version
  • Kubernetes version
  • Using EKS (yes/no), if so version?

Additional Context:

dkliss commented Sep 25, 2023

ISSUE FIXED by changing the below in the IAM role applied to a node. Not clear why this happened out of nowhere.

REF: #2692

BEFORE FIX:

  "Condition": {
      "Null": {
          "aws:RequestTag/elbv2.k8s.aws/cluster": "true",
          "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
      }
  }

AFTER FIX: Remove "aws:RequestTag/elbv2.k8s.aws/cluster": "true"

  "Condition": {
      "Null": {
          "aws:ResourceTag/elbv2.k8s.aws/cluster": "false"
      }
  }
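
Added example, not part of the comment above and not code from the project: a small evaluator for the IAM `Null` operator, run over the two condition blocks quoted in this issue, to show which `elasticloadbalancing:AddTags` requests each one matches. The request contexts (`RETAG`, `OTHER_TAG`, `UNTAGGED`) and the helper names are assumptions constructed for illustration; they are not captured from the reporter's cluster.

```python
"""Evaluate the IAM `Null` condition blocks from the issue against constructed request contexts."""

CLUSTER_REQ = "aws:RequestTag/elbv2.k8s.aws/cluster"
CLUSTER_RES = "aws:ResourceTag/elbv2.k8s.aws/cluster"

# Condition blocks copied from the "BEFORE FIX" and "AFTER FIX" snippets above.
BEFORE = {"Null": {CLUSTER_REQ: "true", CLUSTER_RES: "false"}}
AFTER = {"Null": {CLUSTER_RES: "false"}}


def null_condition_matches(condition, context):
    """Return True when every key in the `Null` block is satisfied.

    IAM semantics: "true" requires the key to be absent from the request
    context, "false" requires it to be present; all keys are ANDed.
    """
    for key, want_absent in condition.get("Null", {}).items():
        is_absent = context.get(key) is None
        if is_absent != (str(want_absent).lower() == "true"):
            return False
    return True


def failing_keys(condition, context):
    """List the condition keys that stop the statement from matching."""
    return [
        key for key, want in condition.get("Null", {}).items()
        if not null_condition_matches({"Null": {key: want}}, context)
    ]


# Constructed contexts (assumptions, not captured from the cluster).
# AddTags that sets the cluster tag on a load balancer that already has it:
RETAG = {CLUSTER_REQ: "test", CLUSTER_RES: "test"}
# AddTags that adds an unrelated tag to a load balancer that has the cluster tag:
OTHER_TAG = {CLUSTER_RES: "test"}
# AddTags that sets the cluster tag on a resource with no cluster tag:
UNTAGGED = {CLUSTER_REQ: "test"}

if __name__ == "__main__":
    for name, ctx in [("retag", RETAG), ("other_tag", OTHER_TAG), ("untagged", UNTAGGED)]:
        for label, cond in [("BEFORE", BEFORE), ("AFTER", AFTER)]:
            ok = null_condition_matches(cond, ctx)
            print(f"{name:10} {label:6} match={ok} failing={failing_keys(cond, ctx)}")
```

With the AFTER block, the statement matches any `AddTags` call on a resource that already carries the `elbv2.k8s.aws/cluster` tag, including calls that set that tag key itself; resources without the tag still do not match.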
