Aws-cdk: [aws-eks] attribute error when adding SA to existing EKS cluster
I'm trying to add a SA following the guide here:
https://docs.aws.amazon.com/cdk/api/latest/docs/aws-eks-readme.html#service-accounts
to an existing EKS cluster deployed with CDK (version 1.15 and 1.16, both tested)
Issuing "cdk deploy" an "attribute error" is raised on Custom::AWSCDKOpenIdConnectProvider action
Reproduction Steps
simply adding:
const sa = cluster.addServiceAccount('MyServiceAccount');
to an existing EKS cdk stack
Error Log
10/33 | 1:30:10 PM | CREATE_FAILED | Custom::AWSCDKOpenIdConnectProvider | EksStack/eks/OpenIdConnectProvider/Resource/Default (eksOpenIdConnectProviderA19AE8AF) CustomResource attribute error: Vendor response doesn't contain OpenIdConnectIssuerUrl key in object arn:aws:cloudformation:us-east-1:<account-id>:stack/*****-eks/74463170-7f06-11ea-8a97-12217e59f19f|eksB49B8EA3|d4bd0a87-4326-4ed2-b473-99471c6b71e5 in S3 bucket cloudformation-custom-resource-storage-useast1
new CustomResource (/usr/src/packages/infrastructure/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
\_ new OpenIdConnectProvider (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-iam/lib/oidc-provider.ts:120:22)
\_ Cluster.get openIdConnectProvider [as openIdConnectProvider] (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-eks/lib/cluster.ts:663:37)
\_ new ServiceAccount (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-eks/lib/service-account.ts:72:58)
\_ Cluster.addServiceAccount (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-eks/lib/cluster.ts:725:12)
\_ new EksResourcesStack (/usr/src/packages/infrastructure/lib/eks-resources-stack.ts:60:24)
\_ Object.<anonymous> (/usr/src/packages/infrastructure/bin/infrastructure.ts:45:19)
\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
\_ Module.m._compile (/usr/src/packages/infrastructure/node_modules/ts-node/src/index.ts:858:23)
\_ Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
\_ Object.require.extensions.<computed> [as .ts] (/usr/src/packages/infrastructure/node_modules/ts-node/src/index.ts:861:12)
\_ Module.load (internal/modules/cjs/loader.js:977:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ main (/usr/src/packages/infrastructure/node_modules/ts-node/src/bin.ts:227:14)
\_ Object.<anonymous> (/usr/src/packages/infrastructure/node_modules/ts-node/src/bin.ts:513:3)
\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
\_ Module.load (internal/modules/cjs/loader.js:977:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ /usr/local/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
11/33 | 1:30:10 PM | CREATE_FAILED | Custom::AWSCDKCfnJson | EksStack/eks/MySA/ConditionJson/Resource/Default (eksMySAConditionJson16C35317) CustomResource attribute error: Vendor response doesn't contain OpenIdConnectIssuer key in object arn:aws:cloudformation:us-east-1:<account-id>:stack/*******-eks/74463170-7f06-11ea-8a97-12217e59f19f|eksB49B8EA3|d4bd0a87-4326-4ed2-b473-99471c6b71e5 in S3 bucket cloudformation-custom-resource-storage-useast1
new CustomResource (/usr/src/packages/infrastructure/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
\_ new CfnJson (/usr/src/packages/infrastructure/node_modules/@aws-cdk/core/lib/cfn-json.ts:54:22)
\_ new ServiceAccount (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-eks/lib/service-account.ts:66:24)
\_ Cluster.addServiceAccount (/usr/src/packages/infrastructure/node_modules/@aws-cdk/aws-eks/lib/cluster.ts:725:12)
\_ new EksResourcesStack (/usr/src/packages/infrastructure/lib/eks-resources-stack.ts:60:24)
\_ Object.<anonymous> (/usr/src/packages/infrastructure/bin/infrastructure.ts:45:19)
\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
\_ Module.m._compile (/usr/src/packages/infrastructure/node_modules/ts-node/src/index.ts:858:23)
\_ Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
\_ Object.require.extensions.<computed> [as .ts] (/usr/src/packages/infrastructure/node_modules/ts-node/src/index.ts:861:12)
\_ Module.load (internal/modules/cjs/loader.js:977:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ main (/usr/src/packages/infrastructure/node_modules/ts-node/src/bin.ts:227:14)
\_ Object.<anonymous> (/usr/src/packages/infrastructure/node_modules/ts-node/src/bin.ts:513:3)
\_ Module._compile (internal/modules/cjs/loader.js:1133:30)
\_ Object.Module._extensions..js (internal/modules/cjs/loader.js:1153:10)
\_ Module.load (internal/modules/cjs/loader.js:977:32)
\_ Function.Module._load (internal/modules/cjs/loader.js:877:14)
\_ Function.executeUserEntryPoint [as runMain] (internal/modules/run_main.js:74:12)
\_ /usr/local/lib/node_modules/npm/node_modules/libnpx/index.js:268:14
Environment
- CLI Version : 1.42.0
- Framework Version: 1.42.0
- OS : Ubuntu
- Language : Typescript
Other
Trying a brand new EKS cluster, it just works fine
Thank you
This is :bug: Bug Report
andrea-spoldi
All 3 comments
I can confirm it's a regression bug.
I have an EKS cluster created with IRSA via CDK 1.41.0, I met the same error after upgrading CDK to 1.42.1 picking up multiple service accounts support.
zxkane
on 2 Jun 2020
👍1
I have same issue here.
create IRSA on existing EKS cluster have same error log.
but if create new cluster with after v1.40.0 version is fine
RicoToothless
on 3 Jun 2020
👍1
Fix is pending as part of #8317
eladb
on 9 Jun 2020
Was this page helpful?
0 / 5 - 0 ratings
Related issues
mirazmamun
路
3Comments
NukaCody
路
3Comments
kawamoto
路
3Comments
v-do
路
3Comments
eladb
路
3Comments