
IAM ACK Controller can't sync resources.

Open juldrixx opened this issue 1 year ago • 0 comments

Describe the bug

When creating a Policy or a Role, the resource can't be synced and fails on late initialization. And when referencing the Policy in a Role, it can't be attached because it's not synced. Even so, the Policy and the Role are created in AWS but not attached to each other.

Steps to reproduce

  • Instantiate the IAM ACK Controller
  • Create a Role and a Policy:
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Role
metadata:
  name: my-role-eks
  namespace: my-namespace
spec:
  name: my-role-eks
  assumeRolePolicyDocument: >
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Principal": {
                    "Federated": "arn:aws:iam::XXXXXX:oidc-provider/oidc.eks.eu-west-3.amazonaws.com/id/XXXXXX"
                },
                "Action": "sts:AssumeRoleWithWebIdentity",
                "Condition": {
                    "StringEquals": {
                        "oidc.eks.eu-west-3.amazonaws.com/id/XXXXX:aud": "sts.amazonaws.com",
                        "oidc.eks.eu-west-3.amazonaws.com/id/XXXX:sub": "system:serviceaccount:my-namespace:my-sa"
                    }
                }
            }
        ]
    }
  policyRefs:
    - from:
        name: my-policy-eks
---
apiVersion: iam.services.k8s.aws/v1alpha1
kind: Policy
metadata:
  name: my-policy-eks
  namespace: my-namespace
spec:
  name: my-policy-eks
  policyDocument: >
    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "s3:*"
                ],
                "Resource": "*"
            }
        ]
    }

You should see these statuses:

Status:
 Ack Resource Metadata:
   Arn:               arn:aws:iam::XXXXX:policy/my-policy-eks
   Owner Account ID:  XXXX
   Region:            eu-west-3
 Attachment Count:    0
 Conditions:
   Last Transition Time:            2023-10-26T08:02:23Z
   Message:                         Late initialization did not complete, requeuing with delay of 5 seconds
   Reason:                          Delayed Late Initialization
   Status:                          False
   Type:                            ACK.LateInitialized
   Last Transition Time:            2023-10-26T08:02:23Z
   Status:                          False
   Type:                            ACK.ResourceSynced
 Create Date:                       2023-10-26T08:02:00Z
 Default Version ID:                v1
 Is Attachable:                     true
 Permissions Boundary Usage Count:  0
 Policy ID:                         ANPAZEZEACPMGH3I7F6XG
 Update Date:                       2023-10-26T08:02:00Z
Events:                              <none>
---
Status:
 Conditions:
   Last Transition Time:  2023-10-26T08:03:22Z
   Message:               Reference resolution failed
   Reason:                the referenced resource is not synced yet. resource:Policy, namespace:my-namespace, name:my-policy-eks
   Status:                Unknown
   Type:                  ACK.ReferencesResolved
Events:                    <none> 

Expected outcome

You should have the Role and the Policy in AWS, with the Policy attached to the Role.

Environment

  • Kubernetes version: 1.28
  • Using EKS (yes/no), if so version? 1.28
  • AWS service targeted (S3, RDS, etc.) IAM

juldrixx, Oct 26 '23 17:10
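Added example, not code from the issue or from the ACK project: an offline checker for a Role/Policy pair like the one reported above. It does two things with the standard library only. First, it classifies the `status.conditions` list that `kubectl get role.iam.services.k8s.aws <name> -o json` returns, so the blocking condition (late initialization still requeuing, or a `policyRefs` target that is not synced yet) is named instead of read off a `describe` dump. Second, it lints the two IAM documents embedded in the manifests: the trust policy must name an IAM OIDC provider and pin both the `aud` and the `sub` claim (without the `sub` condition any service account behind that provider could assume the role), and the permissions policy is flagged where it grants wildcard actions on `Resource "*"`, as the `s3:*` statement in the report does. The condition type names are the ones visible in the issue output; the state labels, the helper names and the sample data (constructed from the manifests and status blocks above, `XXXXXX` placeholders kept) are mine.

```python
# Condition types the ACK runtime sets on a resource; these three are the
# ones visible in the issue's status output.
SYNCED = "ACK.ResourceSynced"
LATE_INIT = "ACK.LateInitialized"
REFS_RESOLVED = "ACK.ReferencesResolved"


def classify(conditions):
    """Classify a resource from its status.conditions list (kubectl -o json).
    Returns (state, detail); state labels are this example's own names."""
    by_type = {c["type"]: c for c in conditions}
    if by_type.get(SYNCED, {}).get("status") == "True":
        return "synced", ""
    refs = by_type.get(REFS_RESOLVED)
    if refs is not None and refs.get("status") != "True":
        # A Role whose policyRefs point at an unsynced Policy lands here.
        return "reference-unresolved", refs.get("reason") or refs.get("message", "")
    late = by_type.get(LATE_INIT)
    if late is not None and late.get("status") != "True":
        # The controller requeues until late initialization succeeds.
        return "late-init-pending", late.get("message", "")
    return "not-synced", by_type.get(SYNCED, {}).get("message", "")


def _as_list(value):
    # IAM allows a single string or a list in Action / Resource.
    return [value] if isinstance(value, str) else list(value or [])


def lint_trust_policy(doc):
    """Findings for an IRSA trust policy: OIDC principal, web-identity action,
    and both the aud and the sub claim pinned in the Condition block."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal") or {}
        federated = principal.get("Federated", "") if isinstance(principal, dict) else ""
        if ":oidc-provider/" not in federated:
            findings.append("principal is not an IAM OIDC provider")
        if "sts:AssumeRoleWithWebIdentity" not in _as_list(stmt.get("Action")):
            findings.append("action is not sts:AssumeRoleWithWebIdentity")
        keys = set()
        for op in ("StringEquals", "StringLike"):
            keys.update((stmt.get("Condition") or {}).get(op, {}).keys())
        if not any(k.endswith(":aud") for k in keys):
            findings.append("aud claim is not pinned")
        if not any(k.endswith(":sub") for k in keys):
            findings.append("sub claim is not pinned: any service account "
                            "behind this provider could assume the role")
    return findings


def lint_permissions_policy(doc):
    """Findings for a permissions policy: Allow statements combining a
    wildcard action (`*` or `service:*`) with Resource `*`."""
    findings = []
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        wild = [a for a in _as_list(stmt.get("Action")) if a == "*" or a.endswith(":*")]
        if wild and "*" in _as_list(stmt.get("Resource")):
            findings.append('wildcard actions %s on Resource "*"' % ", ".join(wild))
    return findings


# Sample data constructed from the manifests and status blocks in the issue.
OIDC = "oidc.eks.eu-west-3.amazonaws.com/id/XXXXXX"
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": "arn:aws:iam::XXXXXX:oidc-provider/" + OIDC},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            OIDC + ":aud": "sts.amazonaws.com",
            OIDC + ":sub": "system:serviceaccount:my-namespace:my-sa",
        }},
    }],
}
PERMISSIONS_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": ["s3:*"], "Resource": "*"}],
}
POLICY_CONDITIONS = [
    {"type": LATE_INIT, "status": "False", "reason": "Delayed Late Initialization",
     "message": "Late initialization did not complete, requeuing with delay of 5 seconds"},
    {"type": SYNCED, "status": "False"},
]
ROLE_CONDITIONS = [
    {"type": REFS_RESOLVED, "status": "Unknown", "message": "Reference resolution failed",
     "reason": "the referenced resource is not synced yet. resource:Policy, "
               "namespace:my-namespace, name:my-policy-eks"},
]

if __name__ == "__main__":
    print("Policy/my-policy-eks:", *classify(POLICY_CONDITIONS))
    print("Role/my-role-eks:", *classify(ROLE_CONDITIONS))
    print("trust policy:", lint_trust_policy(TRUST_POLICY) or "ok")
    print("permissions policy:", lint_permissions_policy(PERMISSIONS_POLICY) or "ok")
```

On the report's data the Policy classifies as late-init-pending and the Role as reference-unresolved, which matches the chain described in the bug: the Role cannot attach a Policy that the controller has not yet marked synced. The trust policy passes the lint (it pins both `aud` and `sub` to one service account), while the permissions policy is flagged for `s3:*` on every resource; the resolver only checks that the referenced Policy exists and is synced, not what it grants, so that breadth is worth reviewing separately from the sync problem.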