glamorous-australia-21342

04/01/2021, 7:20 PM
We're having some problems trying to perform an `up` on an existing cluster in EKS. I determined that we needed to associate an AWS IAM Role with a Kubernetes group in order for us to connect to each other's clusters. Now however after changing the CI from the original IAM user to a service account that assumes the role we get the following error on `up`.
```
Configured Kubernetes cluster is unreachable: unable to load schema information from the API server: the server has asked for the client to provide credentials
```
We have our Pulumi code outputting the kubeconfig file and it's the same one I am currently connected with so it can't be that the cert is expired or the kubeconfig is invalid. Any help is appreciated.

billowy-army-68599

04/01/2021, 7:37 PM
so if you look at the kubeconfig, it actually uses `aws eks get-token` https://github.com/pulumi/pulumi-eks/blob/c5fcceb8746b0ae2c1ef859fe1a7e4f70ec12398/nodejs/eks/cluster.ts#L187 So it may be your AWS IAM role might not have permission to do that

glamorous-australia-21342

04/01/2021, 7:59 PM
I bound it to the administrator policy for testing

billowy-army-68599

04/01/2021, 8:05 PM
makes sense, ultimately that message is coming from kubectl not having access

glamorous-australia-21342

04/01/2021, 8:06 PM
ok that's good information
so it's a kubectl error not an aws error
is this discussion relevant?
i want to use the links in these comments but they seem dead
would i need to use that?

billowy-army-68599

04/01/2021, 8:11 PM
yes i think that's what's missing, you'd need to add it to the `aws-auth` configmap

glamorous-australia-21342

04/01/2021, 8:13 PM
i did that already with the `rolemappings` in the cluster
the role is in the configmap

billowy-army-68599

04/01/2021, 8:15 PM
ah interesting. in your ci pipeline, can you maybe try a kubectl command with the generated kubeconfig?

glamorous-australia-21342

04/01/2021, 8:32 PM
that's an idea!
Turns out pulumi needs to also know what the role is via @billowy-army-68599
```
providerCredentialOpts
```

billowy-army-68599

04/06/2021, 4:04 PM
did you get it fixed?

glamorous-australia-21342

04/06/2021, 6:33 PM
yeah we had a support call with pulumi
the pulumi code also has to be aware of the role