can’t seem to get the simple EKS with Fargate exam...
# kubernetes
w
can’t seem to get the simple EKS with Fargate example to work, the IAM user I’m using has the
AdministratorAccess
policy
Copy code
import * as pulumi from "@pulumi/pulumi";
import * as awsx from "@pulumi/awsx";
import * as aws from "@pulumi/aws";
import * as eks from "@pulumi/eks";

export const createCluster = (stackName: string) => {
  const vpc = new awsx.ec2.Vpc(`${stackName}-eks-cluster`, {
    numberOfAvailabilityZones: "all",
  });

  const rolesSSOAdmin = pulumi.output(aws.iam.getRoles({
    nameRegex: ".*AWSReservedSSO_AWSAdministratorAccess.*",
  }))

  const cluster = new eks.Cluster(stackName, {
    fargate: true,
    vpcId: vpc.id,
    createOidcProvider: true,
    privateSubnetIds: vpc.privateSubnetIds,
    publicSubnetIds: vpc.publicSubnetIds,
    enabledClusterLogTypes: [
      "api",
      "audit",
      "authenticator",
      "controllerManager",
      "scheduler",
    ],
    roleMappings: [
      {
        groups: ["system:masters"],
        roleArn: rolesSSOAdmin.arns[0],
        username: "pulumi:admin-usr",
      },
    ],
  });

  return cluster;
};
error:
Copy code
eks:index:VpcCni (prod-vpc-cni):
    error: Command failed: kubectl apply -f /var/folders/07/53v8pkz52xd_324b5n15b9l40000gn/T/tmp-369306DJMe7fe12yG.tmp
    error: You must be logged in to the server (the server has asked for the client to provide credentials)
ideas?
b
@white-chef-55657 that's coming from the
kubectl
configuration that gets created. When an EKS cluster is created, it also creates a kubeconfig and a provider. I would export the
kubeconfig
from the EKS cluster and verify your AWS credentials have adequate access. The
roleMappings
are usually to blame
w
ah.. I had the key/secret configured in the stack config, but I realize now that kubectl won’t be using these.. I must also set the env vars for the key/secret - which makes the config vars redundant
you think it’s worth having the eks provider add the aws key/secret from the stack config to the environment? I don’t mind opening a PR with that
b
that's not really a practice we see all that often tbh. Most people configure the provider using AWS profiles or externally to Pulumi, or use IAM roles
w
right, so configuring AWS profiles is essentially the same as setting the env vars this means I cannot rely solely on the pulumi stack config for credentials
the benefit of the pulumi stack config is the encrypted secrets, where as with env vars I don’t have that
b
understood, would be best to file an issue with your use case I think
w
will do, thanks
110 Views