Closed
Description
The policy for AWS VPC CNI has

```hcl
condition {
  test     = "StringEquals"
  variable = "aws:ResourceTag/eks-cluster-arn"
  values   = ["$${aws:PrincipalTag/eks-cluster-arn}"]
}
```

but there is no clear example of how to use it, i.e. do I need to add this extra tag to some resources (node group?) or with the `ADDITIONAL_ENI_TAGS` variable for the vpc-cni addon?
With this policy IAM rejects CreateNetworkInterface and AttachNetworkInterface requests.
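To make the rejection concrete, here is an added Python model (not code from the issue or from the module) of how IAM evaluates this one condition: the `aws:ResourceTag/eks-cluster-arn` key comes from the ENI's tags, the `${aws:PrincipalTag/eks-cluster-arn}` variable comes from the caller's session tags, and an unresolved variable or a missing key makes the condition false. The cluster ARN and tag values are constructed sample data.

```python
import re
from typing import Dict, Optional

# The condition quoted in the issue, in the same shape as the HCL block above.
CONDITION = {
    "test": "StringEquals",
    "variable": "aws:ResourceTag/eks-cluster-arn",
    "values": ["${aws:PrincipalTag/eks-cluster-arn}"],
}

_POLICY_VAR = re.compile(r"^\$\{(aws:PrincipalTag/[^}]+)\}$")


def build_request_context(principal_tags: Dict[str, str], resource_tags: Dict[str, str]) -> Dict[str, str]:
    """Flatten session (principal) tags and resource tags into IAM condition keys."""
    ctx = {f"aws:PrincipalTag/{k}": v for k, v in principal_tags.items()}
    ctx.update({f"aws:ResourceTag/{k}": v for k, v in resource_tags.items()})
    return ctx


def resolve(value: str, ctx: Dict[str, str]) -> Optional[str]:
    """Substitute a ${aws:PrincipalTag/...} policy variable; None if it does not resolve."""
    match = _POLICY_VAR.match(value)
    if not match:
        return value  # a literal value needs no substitution
    return ctx.get(match.group(1))


def condition_allows(condition: Dict, ctx: Dict[str, str]) -> bool:
    """Model of StringEquals: the condition key must exist in the request context and at
    least one (resolved) value must equal it; an unresolved variable never matches."""
    if condition["test"] != "StringEquals":
        raise ValueError("only StringEquals is modelled here")
    actual = ctx.get(condition["variable"])
    if actual is None:
        return False
    expected = [resolve(v, ctx) for v in condition["values"]]
    return any(e is not None and e == actual for e in expected)


def eni_request_allowed(principal_tags: Dict[str, str], resource_tags: Dict[str, str]) -> bool:
    """True if the quoted condition passes for a caller with these session tags on an ENI with these tags."""
    return condition_allows(CONDITION, build_request_context(principal_tags, resource_tags))


if __name__ == "__main__":
    arn = "arn:aws:eks:eu-west-1:123456789012:cluster/example"  # constructed sample ARN
    print(eni_request_allowed({"eks-cluster-arn": arn}, {"eks-cluster-arn": arn}))  # both tags match
    print(eni_request_allowed({}, {"eks-cluster-arn": arn}))  # caller has no session tag
    print(eni_request_allowed({"eks-cluster-arn": arn}, {"cluster.k8s.amazonaws.com/name": "example"}))
```

The second and third calls return False: without a matching session tag on the caller, or without the `eks-cluster-arn` tag on the ENI, the condition cannot be satisfied regardless of what other tags the CNI applies.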
Activity
bryantbiggs commented on Dec 22, 2023
Users do not need to do anything for these tags, they are embedded into the API calls. The VPC CNI currently does not support pod identity, which is why it's failing for you.
dex4er commented on Dec 22, 2023
It is not true: with `amazon-k8s-cni:v1.15.5-eksbuild.1` everything is fine. Is it an error in the policy, or must I use a VPC CNI version that explicitly supports those tags?
dex4er commented on Jan 2, 2024
v1.16.0 fails with the standard policy (`attach_aws_vpc_cni_policy = true`, `aws_vpc_cni_enable_ipv4 = true`) too. All is fine when I use `arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy`. Do I miss `ADDITIONAL_ENI_TAGS`? The documentation says VPC CNI adds the `cluster.k8s.amazonaws.com/name` tag to the resources rather than `eks-cluster-arn`?
bryantbiggs commented on Mar 19, 2024
The session tag based policies have been removed - when the upstream projects update their policies to support them, we can re-evaluate adding them here.