eksctl-io
[Bug] Upgrade nodegroup runs forever when DescribeUpdate permission is missing
What were you trying to accomplish?
I was trying to invoke eksctl upgrade nodegroup ... for a managed node group with an IAM role that was lacking the eks:DescribeUpdate permission.
What happened?
Instead of throwing an 403 forbidden error, eksctl simply continued to run until the operation timed out.
How to reproduce it?
Authenticate with an IAM role that has permissions for cloudformation:ListStacks, eks:DescribeCluster, eks:DescribeNodegroup and eks:UpdateNodegroup* but not for eks:DescribeUpdate and issue an eksctl upgrade nodegroup ... for a managed node group.
Logs
The output logs like this...
2022-07-14 11:45:24 [ℹ] waiting for upgrade of nodegroup "my-node-group" to complete
2022-07-14 11:45:24 [▶]
2022-07-14 11:45:54 [▶]
...with the empty line being repeated (on --verbose=9) every 30 seconds until the operation times out.
Anything else we need to know?
Container running the image weaveworks/eksctl:v0.105.0 inside EKS k8s v1.21 with AWS Web Identity IAM role (service account IAM role).
Versions
Docker-based eksctl: weaveworks/eksctl:v0.105.0
Hello Obirah :wave: Thank you for opening an issue in eksctl project. The team will review the issue and aim to respond within 1-3 business days. Meanwhile, please read about the Contribution and Code of Conduct guidelines here. You can find out more information about eksctl on our website
![github-actions[bot] avatar](https://avatars.githubusercontent.com/in/15368?v=4 "Published by a pub.dev verified publisher"){kind=small}
This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days.
This issue was closed because it has been stalled for 5 days with no activity.