https://pulumi.com logo
Join Slack
Channels
announcements
automation-api
aws
azure
blog-posts
built-with-pulumi
cloudengineering
cloudengineering-support
content-share
contribex
contribute
docs
dotnet
finops
general
getting-started
gitlab
golang
google-cloud
hackathon-03-19-2020
hacktoberfest
install
java
jobs
kubernetes
learn-pulumi-events
linen
localstack
multi-language-hackathon
office-hours
oracle-cloud-infrastructure
plugin-framework
pulumi-cdk
pulumi-crosscode
pulumi-deployments
pulumi-kubernetes-operator
pulumi-service
pulumiverse
python
registry
status
testingtesting123
testingtesting321
typescript
welcome
workshops
yaml
Powered by Linen
Title
h

helpful-account-44059

04/12/2022, 12:57 PM
Hi, i follow this guide and write the blew code to create aws eks's aws-ebs-csi-driver addon 
axios.default.get("<https://raw.githubusercontent.com/kubernetes-sigs/aws-ebs-csi-driver/master/docs/example-iam-policy.json>")
    .then((response) => {
        const eksEbsCsiDriverPolicy = new aws.iam.Policy("AmazonEKS_EBS_CSI_Driver_Policy", {
            path: "/",
            policy: JSON.stringify(response.data),
        });

        const eksEbsCsiDriverPolicyRole = new aws.iam.Role("AmazonEKS_EBS_CSI_Driver_Policy_Role", {
            assumeRolePolicy: `{
                  "Version": "2012-10-17",
                  "Statement": [
                    {
                      "Action": "sts:AssumeRole",
                      "Principal": {
                        "Service": "<http://ec2.amazonaws.com|ec2.amazonaws.com>"
                      },
                      "Effect": "Allow",
                      "Sid": ""
                    }
                  ]
                }`
        });

        new aws.iam.RolePolicyAttachment("policy-attach", {
            role: eksEbsCsiDriverPolicyRole.name,
            policyArn: eksEbsCsiDriverPolicy.arn,
        });

        const ebsCsiAddon = new aws.eks.Addon("aws-ebs-csi-driver", {
            clusterName: eksCluster.eksCluster.name,
            addonName: "aws-ebs-csi-driver",
            serviceAccountRoleArn: eksEbsCsiDriverPolicyRole.arn,
            resolveConflicts: "OVERWRITE",
        });
    });
run this command, 
kubectl describe pvc ebs-claim
, and got the error: 
Name:          ebs-claim
Namespace:     default
StorageClass:  ebs-sc
Status:        Pending
Volume:        
Labels:        <none>
Annotations:   <http://volume.beta.kubernetes.io/storage-provisioner|volume.beta.kubernetes.io/storage-provisioner>: <http://ebs.csi.aws.com|ebs.csi.aws.com>
               <http://volume.kubernetes.io/selected-node|volume.kubernetes.io/selected-node>: ip-172-28-161-249.ap-southeast-1.compute.internal
Finalizers:    [<http://kubernetes.io/pvc-protection|kubernetes.io/pvc-protection>]
Capacity:      
Access Modes:  
VolumeMode:    Filesystem
Used By:       app
Events:
  Type     Reason              Age   From                                                                                      Message
  ----     ------              ----  ----                                                                                      -------
  Warning  ProvisioningFailed  103s  persistentvolume-controller                                                               <http://storageclass.storage.k8s.io|storageclass.storage.k8s.io> "ebs-sc" not found
  Warning  ProvisioningFailed  98s   ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: 08d8c9b1-d5c6-43b6-b0b4-8bcc9ffb0ca6
  Warning  ProvisioningFailed  97s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: 294b3cd6-bba8-45b7-a456-bf711ab8c9d4
  Warning  ProvisioningFailed  95s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: e994db08-fb40-40d0-a7ee-5a1bd91f03b1
  Warning  ProvisioningFailed  91s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: e3085d02-4dae-4c8b-bf24-3a082b028544
  Warning  ProvisioningFailed  83s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: 7ae3cb86-3fb5-4490-bc96-f3dd40009b99
  Warning  ProvisioningFailed  66s  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
           status code: 403, request id: 5b4f043e-90f0-4e2b-b97e-782416eb7000
  Normal   Provisioning        34s (x7 over 101s)  ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  External provisioner is provisioning volume for claim "default/ebs-claim"
  Warning  ProvisioningFailed  34s                 ebs.csi.aws.com_ebs-csi-controller-5fdd7948b6-zx94h_dce2f430-e960-4ce1-9fb5-e997ca6cd4e3  failed to provision volume with StorageClass "ebs-sc": rpc error: code = Internal desc = Could not create volume "pvc-4b7cadcc-c2b7-413a-a5e0-d366da9b912c": could not create volume in EC2: WebIdentityErr: failed to retrieve credentials
caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity
          status code: 403, request id: 743b9abd-b0e8-471a-aa08-9507df6476b8
  Normal  ExternalProvisioning  5s (x9 over 101s)  persistentvolume-controller  waiting for a volume to be created, either by external provisioner "<http://ebs.csi.aws.com|ebs.csi.aws.com>" or manually created by system administrator
anyone knowns how to fix it ?
b

billowy-army-68599

04/12/2022, 2:04 PM
@helpful-account-44059 you need to set up iam roles for service accounts, this isn't a Pulumi problem
h

helpful-account-44059

04/12/2022, 2:07 PM
yeah, after restart all the addon's pod, it seems ok
View count: 364
Back to #generalJoin thread in Slack