Thread
#general

    helpful-account-44059

    5 months ago
    Hi, I followed this guide and wrote the code below to create AWS EKS's aws-ebs-csi-driver addon
    axios.default.get("https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/docs/example-iam-policy.json")
        .then((response) => {
            const eksEbsCsiDriverPolicy = new aws.iam.Policy("AmazonEKS_EBS_CSI_Driver_Policy", {
                path: "/",
                policy: JSON.stringify(response.data),
            });
    
            const eksEbsCsiDriverPolicyRole = new aws.iam.Role("AmazonEKS_EBS_CSI_Driver_Policy_Role", {
                assumeRolePolicy: `{
                      "Version": "2012-10-17",
                      "Statement": [
                        {
                          "Action": "sts:AssumeRole",
                          "Principal": {
                            "Service": "ec2.amazonaws.com"
                          },
                          "Effect": "Allow",
                          "Sid": ""
                        }
                      ]
                    }`
            });
    
            new aws.iam.RolePolicyAttachment("policy-attach", {
                role: eksEbsCsiDriverPolicyRole.name,
                policyArn: eksEbsCsiDriverPolicy.arn,
            });
    
            const ebsCsiAddon = new aws.eks.Addon("aws-ebs-csi-driver", {
                clusterName: eksCluster.eksCluster.name,
                addonName: "aws-ebs-csi-driver",
                serviceAccountRoleArn: eksEbsCsiDriverPolicyRole.arn,
                resolveConflicts: "OVERWRITE",
            });
        });
    Then I ran this command:
    kubectl describe pvc ebs-claim
    and got the error:
    Name:          ebs-claim
    Namespace:     default
    StorageClass:  ebs-sc
    Status:        Pending
    Volume:        
    Labels:        <none>
    Annotations:   volume.beta.kubernetes.io/storage-provisioner: ebs.csi.aws.com
                   volume.kubernetes.io/selected-node: ip-172-28-161-249.ap-southeast-1.compute.internal
    Finalizers:    [kubernetes.io/pvc-protection]
    Capacity:      
    Access Modes:  
    VolumeMode:    Filesystem
    Used By:       app
    Events:
      Type     Reason              Age   From                                                                                      Message
      ----     ------              ----  ----                                                                                      -------
      Warning  ProvisioningFailed  103s  persistentvolume-controller                                                               storageclass.storage.k8s.io "ebs-sc" not found
      Warning  ProvisioningFailed  98s   ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: 08d8c9b1-d5c6-43b6-b0b4-8bcc9ffb0ca6
      Warning  ProvisioningFailed  97s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: 294b3cd6-bba8-45b7-a456-bf711ab8c9d4
      Warning  ProvisioningFailed  95s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: e994db08-fb40-40d0-a7ee-5a1bd91f03b1
      Warning  ProvisioningFailed  91s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: e3085d02-4dae-4c8b-bf24-3a082b028544
      Warning  ProvisioningFailed  83s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: 7ae3cb86-3fb5-4490-bc96-f3dd40009b99
      Warning  ProvisioningFailed  66s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
               status code: 403, request id: 5b4f043e-90f0-4e2b-b97e-782416eb7000
      Normal   Provisioning        34s (x7 over 101s)  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  External provisioner is provisioning volume for claim "default/ebs-claim"
      Warning  ProvisioningFailed  34s                 ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
    caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
              status code: 403, request id: 743b9abd-b0e8-471a-aa08-9507df6476b8
      Normal  ExternalProvisioning  5s (x9 over 101s)  persistentvolume-controller  waiting for a volume to be created, either by external provisioner "ebs.csi.aws.com" or manually created by system administrator
    Does anyone know how to fix it?

    billowy-army-68599

    5 months ago
    @helpful-account-44059 you need to set up IAM roles for service accounts; this isn't a Pulumi problem

    helpful-account-44059

    5 months ago
    Yeah, after restarting all the addon's pods, it seems OK.
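
An added example, not code from any participant in this thread: the trust policy posted above only lets EC2 call sts:AssumeRole, while the EBS CSI controller presents its service-account token to sts:AssumeRoleWithWebIdentity, which is what IAM roles for service accounts requires. The sketch builds such a trust policy and compares both policies with a simplified matcher. The account ID, OIDC provider ID and helper names are constructed for illustration, and `kube-system:ebs-csi-controller-sa` is assumed to be the add-on's service account (its default).

```typescript
type Statement = {
  Effect: string;
  Action: string | string[];
  Principal: { Service?: string; Federated?: string };
  Condition?: { StringEquals?: Record<string, string> };
};
type TrustPolicy = { Version: string; Statement: Statement[] };

// Constructed sample values (not from the thread): account and OIDC provider ID.
const ISSUER = "oidc.eks.ap-southeast-1.amazonaws.com/id/EXAMPLE0123456789";
const PROVIDER_ARN = `arn:aws:iam::111122223333:oidc-provider/${ISSUER}`;

// Trust policy as posted in the thread: only EC2 may call sts:AssumeRole.
const postedPolicy: TrustPolicy = {
  Version: "2012-10-17",
  Statement: [{ Effect: "Allow", Action: "sts:AssumeRole",
                Principal: { Service: "ec2.amazonaws.com" } }],
};

// IRSA trust policy: the cluster's OIDC provider is the federated principal,
// pinned to one service account (sub) and to the STS audience (aud).
function irsaTrustPolicy(providerArn: string, issuerUrl: string,
                         namespace: string, serviceAccount: string): TrustPolicy {
  const issuer = issuerUrl.replace(/^https:\/\//, ""); // condition keys omit the scheme
  return {
    Version: "2012-10-17",
    Statement: [{
      Effect: "Allow",
      Action: "sts:AssumeRoleWithWebIdentity",
      Principal: { Federated: providerArn },
      Condition: { StringEquals: {
        [`${issuer}:sub`]: `system:serviceaccount:${namespace}:${serviceAccount}`,
        [`${issuer}:aud`]: "sts.amazonaws.com",
      } },
    }],
  };
}

// Simplified check (not IAM's full evaluation): may a token with this `sub`
// be exchanged for the role? A policy with no sub condition admits any account.
function allowsWebIdentity(policy: TrustPolicy, providerArn: string,
                           issuer: string, sub: string): boolean {
  return policy.Statement.some((s) => {
    const actions = Array.isArray(s.Action) ? s.Action : [s.Action];
    const eq: Record<string, string> = s.Condition?.StringEquals ?? {};
    const subOk = !(`${issuer}:sub` in eq) || eq[`${issuer}:sub`] === sub;
    return s.Effect === "Allow" && s.Principal.Federated === providerArn
      && actions.indexOf("sts:AssumeRoleWithWebIdentity") !== -1 && subOk;
  });
}
```

Passing `JSON.stringify(irsaTrustPolicy(...))` as `assumeRolePolicy` would take the place of the inline string in the posted code; the provider ARN and issuer URL come from the cluster's IAM OIDC provider.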