provider-jet-aws
Failing to create AWS IAM Role
What happened?
I wanted to create an AWS IAM Role using the jet-aws provider, yet it seems to fail already with the provided example manifest.
How can we reproduce it?
I simply created the resource with the following manifest ...

```yaml
apiVersion: iam.aws.jet.crossplane.io/v1alpha2
kind: Role
metadata:
  name: sample-eks-cluster
spec:
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: jet-aws-provider
```
... after a while I got the following final state ...
```yaml
apiVersion: iam.aws.jet.crossplane.io/v1alpha2
kind: Role
metadata:
  annotations:
    crossplane.io/external-name: sample-eks-cluster
  ...
  name: sample-eks-cluster
status:
  atProvider: {}
  conditions:
  - lastTransitionTime: '2022-03-21T16:48:09Z'
    message: >-
      connect failed: cannot get terraform setup: failed to use pod service
      account: unknown endpoint, could not resolve endpoint, partition: "aws",
      service: "sts", region: "", known: [ap-northeast-2 eu-central-1
      eu-west-2 sa-east-1 us-east-2-fips us-west-1 ap-east-1 ap-northeast-1
      ap-southeast-2 aws-global ca-central-1 us-east-1-fips us-east-2
      us-west-2 ap-southeast-1 eu-north-1 eu-south-1 eu-west-3 us-east-1
      us-west-1-fips us-west-2-fips af-south-1 ap-south-1 eu-west-1
      me-south-1]
    reason: ReconcileError
    status: 'False'
    type: Synced
spec:
  deletionPolicy: Delete
  forProvider:
    assumeRolePolicy: |
      {
        "Version": "2012-10-17",
        "Statement": [
          {
            "Effect": "Allow",
            "Principal": {
              "Service": "eks.amazonaws.com"
            },
            "Action": "sts:AssumeRole"
          }
        ]
      }
  providerConfigRef:
    name: jet-aws-provider
```
What environment did it happen in?
- Crossplane version = 1.6.1
- Cloud provider or hardware configuration = AWS
- Kubernetes version = k3s:v1.23.3-k3s1 (via vcluster)
- Kubernetes distribution = EKS
- OS = Bottlerocket OS 1.6.2 (aws-k8s-1.21)
- Kernel = 5.10.102
Is the issue still relevant? With static credentials everything is working as expected. Did you use InjectedIdentity or assumeRoleARN for cross-account access?

The provider is running from master:

```
NAME                                                 READY   SYNCED   EXTERNAL-NAME        AGE
role.iam.aws.jet.crossplane.io/sample-eks-cluster    True    True     sample-eks-cluster   2m
```
Any updates?
I'm using spec.credentials.source: InjectedIdentity and it doesn't work; the same error message, couldn't find a region.
We have the same problem when creating IAM roles with spec.credentials.source: InjectedIdentity
... Any progress?
The same happens with policy:

```yaml
status:
  atProvider: {}
  conditions:
  - lastTransitionTime: '2022-06-27T14:14:41Z'
    message: >-
      connect failed: cannot get terraform setup: failed to use pod service
      account: unknown endpoint, could not resolve endpoint, partition: "aws",
      service: "sts", region: "", known: [ap-northeast-2 aws-global
      eu-central-1 eu-west-2 us-east-2 eu-west-1 us-west-1-fips us-west-2-fips
      sa-east-1 us-east-1 us-east-1-fips ap-south-1 ap-southeast-1
      ap-southeast-2 eu-north-1 eu-south-1 us-east-2-fips us-west-1 us-west-2
      me-south-1 af-south-1 ap-east-1 ap-northeast-1 ca-central-1 eu-west-3]
    reason: ReconcileError
    status: 'False'
    type: Synced
```
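As an added triage helper (not code from this issue or from the provider), the following parses the Synced condition message reported for the Role above and for the Policy in this comment, and tells apart "no region configured" from a genuinely unknown region or some other reconcile error. The function names, the shortened sample message and the AWS_REGION hint in the comments are assumptions made here; the hint assumes the provider pod follows the AWS SDK's standard environment lookup.

```python
import re
from typing import Optional

# Constructed sample: the Synced condition message from this issue, with the
# resolver's known-region list shortened for readability.
SAMPLE_MESSAGE = (
    'connect failed: cannot get terraform setup: failed to use pod service '
    'account: unknown endpoint, could not resolve endpoint, partition: "aws", '
    'service: "sts", region: "", known: [ap-northeast-2 eu-central-1 '
    'eu-west-2 us-east-1 aws-global]'
)

ENDPOINT_ERR = re.compile(
    r'could not resolve endpoint, partition: "(?P<partition>[^"]*)", '
    r'service: "(?P<service>[^"]*)", region: "(?P<region>[^"]*)", '
    r'known: \[(?P<known>[^\]]*)\]'
)


def parse_endpoint_error(message: str) -> Optional[dict]:
    """Return partition, service, region and known regions from a
    'could not resolve endpoint' error, or None for any other message."""
    m = ENDPOINT_ERR.search(message)
    if m is None:
        return None
    return {
        "partition": m["partition"],
        "service": m["service"],
        "region": m["region"],
        "known": m["known"].split(),
    }


def diagnose(conditions: list) -> str:
    """Classify a managed resource's status.conditions as 'healthy',
    'missing-region', 'unknown-region' or 'other-error'."""
    for cond in conditions:
        if cond.get("type") != "Synced" or cond.get("status") != "False":
            continue
        parsed = parse_endpoint_error(cond.get("message", ""))
        if parsed is None:
            return "other-error"
        if parsed["region"] == "":
            # Credentials came from the pod service account, but no region
            # reached the SDK, so the STS endpoint cannot be built: a
            # provider-pod setting (e.g. AWS_REGION), not a manifest defect.
            return "missing-region"
        if parsed["region"] not in parsed["known"]:
            return "unknown-region"
        return "other-error"
    return "healthy"
```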