eksctl `migrate-to-pod-identity` fails with "Association already exists"

`migrate-to-pod-identity` fails with "Association already exists"

Open cPu1 opened this issue 1 year ago • 0 comments

When running eksctl utils migrate-to-pod-identity --approve without the --remove-oidc-provider-trust-relationship flag, eksctl adds a new trust relationship for the pods.eks.amazonaws.com principal without removing the service account's role annotation, but a subsequent rerun causes it to fail with this error:

Error: creating pod identity association for service account "test" in namespace "kube-system": operation error EKS: CreatePodIdentityAssociation, https response error StatusCode: 409, RequestID: <redacted>, ResourceInUseException: Association already exists: <redacted>

Sample config:

---
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig

metadata:
  name: test
  region: us-west-2

iam:
  withOIDC: true
  serviceAccounts:
    - metadata:
        name: test
        namespace: kube-system
      wellKnownPolicies:
        awsLoadBalancerController: true

Steps to reproduce

Create IAM service accounts
Run eksctl utils migrate-to-pod-identity -f cluster.yaml --approve
Run eksctl utils migrate-to-pod-identity -f cluster.yaml --approve again

May 09 '24 14:05 cPu1

eksctl eksctl copied to clipboard

`migrate-to-pod-identity` fails with "Association already exists"

eksctl
eksctl copied to clipboard