Terraform-aws-eks: aws_auth config fails to apply while getting started

Created on 22 Aug 2018 · 3 Comments · Source: terraform-aws-modules/terraform-aws-eks

I have issues

I'm submitting a...

  • [x] bug report
  • [ ] feature request
  • [ ] support request
  • [ ] kudos, thank you, warm fuzzy

What is the current behavior?

Terraform apply fails with

* module.eks.null_resource.update_config_map_aws_auth: Error running command 'kubectl apply -f ./config-map-aws-auth_beam-eks.yaml --kubeconfig ./kubeconfig_beam-eks': exit status 1. Output: error: unable to recognize "./config-map-aws-auth_beam-eks.yaml": Unauthorized

If this is a bug, how to reproduce? Please include a code sample if relevant.

This is my configuration for the eks module.

I have a really basic vpc created via terraform-aws-modules/vpc/aws.

module "eks" {
  source       = "terraform-aws-modules/eks/aws"
  cluster_name = "beam-eks"
  subnets      = "${module.vpc.public_subnets}"
  vpc_id       = "${module.vpc.vpc_id}"
}

What's the expected behavior?

Apply succeeds

Are you able to fix this problem and submit a PR? Link here if you have already.

Environment details

  • Affected module version: "1.4.0"
  • OS: MacOS 10.13.3 (17D47)
  • Terraform v0.11.8
  • provider.aws v1.33.0
  • provider.http v1.0.1
  • provider.local v1.1.0
  • provider.null v1.0.0
  • provider.template v1.0.0

All 3 comments

Upon further investigation, it appears that this is only an issue when I have manage_aws_auth set to true. It turns out that my aws provider uses assume_role, and this module's use of local-exec loses the assumed role and thus isn't able to execute the operation.

Hi @tonyxiao
We also use assumed roles, like this:

$ aws sts get-caller-identity
{
    "UserId": "AROAXXXXXXXXXXX:[email protected]",
    "Account": "99999999999",
    "Arn": "arn:aws:sts::99999999999:assumed-role/sso-xxxxxxx/[email protected]"
}

To get it to work with the kubeconfig from this terraform module I did this:

  1. Ensure your assumed role details are set in a profile, e.g. in ~/.aws/config:

[profile profile1]
region = eu-west-1
google_config.ask_role = True
google_config.duration = 43200
google_config.role_arn = arn:aws:iam::assumed-role/sso-xxxxxxx/[email protected]
google_config.google_username = [email protected]
google_config.keyring = False

  2. Then set the AWS profile in

module "cluster1" {
  source       = "git@github.com:terraform-aws-modules/terraform-aws-eks.git?ref=v1.4.0"
  cluster_name = "cluster1"

  # Environment passed to aws-iam-authenticator by the generated kubeconfig
  kubeconfig_aws_authenticator_env_variables = {
    AWS_PROFILE = "profile1"
  }
}

Then it works seamlessly. I hope that helps!

Ah sweet, I ended up using

kubeconfig_aws_authenticator_additional_args = ["-r", "${var.aws_authenticator_role}"]

and it works like a charm. It would be awesome to add some notes into the doc for multi-account aws architecture support.
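For reference, this is what the two settings used in the comments above render to in the `users` stanza of the module's generated kubeconfig (an added illustration written for this page, not text from the issue; the field layout follows the module's kubeconfig template, and CLUSTER_NAME, PROFILE_NAME and ROLE_ARN are placeholders, with the `eks_` user name prefix assumed). In both cases the point is that aws-iam-authenticator has to present the IAM role Terraform used to create the cluster, or a role mapped in aws-auth, because a token minted as the plain base identity is rejected as Unauthorized.

```yaml
# Option A: kubeconfig_aws_authenticator_env_variables = { AWS_PROFILE = "PROFILE_NAME" }
# The authenticator process inherits AWS_PROFILE, so the profile's assumed role is used.
users:
- name: eks_CLUSTER_NAME
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "CLUSTER_NAME"
      env:
        - name: AWS_PROFILE
          value: "PROFILE_NAME"
---
# Option B: kubeconfig_aws_authenticator_additional_args = ["-r", "ROLE_ARN"]
# The authenticator assumes ROLE_ARN itself before requesting the token, so the
# identity presented to the cluster matches the one the Terraform provider assumed.
users:
- name: eks_CLUSTER_NAME
  user:
    exec:
      apiVersion: client.authentication.k8s.io/v1alpha1
      command: aws-iam-authenticator
      args:
        - "token"
        - "-i"
        - "CLUSTER_NAME"
        - "-r"
        - "ROLE_ARN"
```

Running `aws sts get-caller-identity` with the same profile or role before `kubectl apply` shows whether the identity the plugin will use is the one that created the cluster or one present in the aws-auth map.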
