-
Notifications
You must be signed in to change notification settings - Fork 198
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Cannot create load balancer in AWS #656
Comments
I'm not using kubicorn but I just ran into this today walking through the Getting Started with Amazon EKS guide. I followed the same exact steps I did last week, where I did not receive this error. I was able to get around it by attaching a new policy to the role I assigned to my EKS cluster but I wonder what changed? |
@stevenoctopus Which policy fixed the issue? |
I created a new policy, which allowed the service role I created for eks to perform iam:CreateServiceLinkedRole on the AWSServiceRoleForElasticLoadBalancing role in my account, and then attached that to the eks service role. However, I don't think that is correct to do. I found out AWS automatically created the AWSServiceRoleForElasticLoadBalancing role if you created a load balancer before January of this year. (I'm on my phone or I would link the docs where I found this) Nothing in my account was using the AWSServiceRoleForElasticLoadBalancing role so I wanted to try deleting it and starting the process over. I will try on Monday and report back my results. |
No luck deleting the role and trying again. I get the same error even when the AWSServiceRoleForElasticLoadBalancing role doesn't exist in my account. Very strange. There is a post about this in the AWS forums that I am also watching. |
Here is a policy you can attach to the EKS service role as a workaround for the time being. I subbed in the correct account ID for you already. |
Thanks for posting the additional context. Is |
It is, but it would be unwise to give EKS IAMFullAccess as it could
possibly delete/modify existing IAM services.
…On Mon, Jul 30, 2018, 6:09 PM Michelle Casbon ***@***.***> wrote:
Thanks for posting the additional context. Is iam:CreateServiceLinkedRole
not covered by IAMFullAccess?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub
<#656 (comment)>,
or mute the thread
<https://github.com/notifications/unsubscribe-auth/AD_VWrErdpnbYq3YdiSFYlnJ3rvms9RPks5uL4QggaJpZM4VfVLn>
.
|
Makes sense - this particular example is for a demo, so I'm less concerned for now & can reduce the scope once it's all working. The service account I created for kubicorn already has IAMFullAccess, so I'm not sure I understand how to apply this workaround. |
I'm seeing the following error when installing Kubeflow on a cluster generated with Kubicorn:
The user I created to run kubicorn has IAMFullAccess, as well as AutoScalingFullAccess, AmazonVPCFullAccess, & AmazonEC2FullAccess.
These are the steps I take to generate the cluster:
These are the commands for installing kubeflow with ksonnet:
When the pods come up, I see the above error in
kubectl describe svc tf-hub-lb
.The external IP in the service remains in pending state indefinitely.
Before installing kubeflow on a GKE cluster, I also run this command to assign cluster-wide RBAC privs:
It's possible that something similar is required for AWS.
The text was updated successfully, but these errors were encountered: