
eks: policy does not exist or is not attachable in China regions #24743

Closed
pahud opened this issue Mar 22, 2023 · 3 comments · Fixed by #25215
Assignees
Labels: bug (This issue is a bug.), effort/small (Small work item – less than a day of effort), p1

Comments

@pahud, Contributor

pahud commented Mar 22, 2023

Describe the bug

When I deployed eks cluster to cn-north-1 I got the error:

Policy arn:aws-cn:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly does not exist or is not attachable. (Service: AmazonIdentityManagement; Status Code: 404; Error Code: NoSuchEntity; Request ID: 084210a1-3251-4868-9420-f5e47d62f66a; Proxy: null)


Expected Behavior

successful deployment

Current Behavior

fail to deploy with the error message above.

Reproduction Steps

      import * as eks from 'aws-cdk-lib/aws-eks';
      // assumed: the kubectl layer package matching Kubernetes 1.25
      import { KubectlLayer } from '@aws-cdk/lambda-layer-kubectl-v25';

      // `vpc` is an ec2.IVpc created or looked up earlier in the same stack
      const cluster = new eks.Cluster(this, 'Cluster', {
        vpc,
        version: eks.KubernetesVersion.V1_25,
        kubectlLayer: new KubectlLayer(this, 'KubectlLayer'),
        defaultCapacity: 0,
      });

Possible Solution

ECR Public is not available in AWS China regions and the AmazonElasticContainerRegistryPublicReadOnly is not available. We probably should exclude it when deploying in China regions. And this brings up another issue - if the eks cluster in China is trying to helm install charts from ECR public, it should not run the aws ecr-public commands like this:

f"aws ecr-public get-login-password --region us-east-1 | " \

We probably should fix that in a separate PR.

Additional Information/Context

No response

CDK CLI Version

2.69.0

Framework Version

No response

Node.js Version

v19.6.0

OS

mac os x

Language

Typescript

Language Version

No response

Other information

No response

@pahud pahud added bug This issue is a bug. needs-triage This issue or PR still needs to be triaged. labels Mar 22, 2023
@github-actions github-actions bot added the @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service label Mar 22, 2023
@pahud pahud added p1 effort/small Small work item – less than a day of effort and removed @aws-cdk/aws-eks Related to Amazon Elastic Kubernetes Service needs-triage This issue or PR still needs to be triaged. labels Mar 22, 2023
@pahud pahud self-assigned this Mar 22, 2023
@pahud, Contributor (Author)

pahud commented Mar 22, 2023

PR underway.

@wongma7, Member

wongma7 commented Mar 28, 2023

it also affects govcloud #24808.

I'm not sure if I can downgrade CDK to work around the issue because the cluster is 1.25 and changelog says I need 2.69.0 for 1.25 support

@mergify mergify bot closed this as completed in #25215 Apr 21, 2023
mergify bot pushed a commit that referenced this issue Apr 21, 2023
…Cloud regions (#25215)

Reopening this PR because #25170 was closed by accident.

As ECR Public is not available in China regions and GovCloud, `AmazonElasticContainerRegistryPublicReadOnly` IAM managed policy would not be available in those affected regions and should not be attached to the role. This PR implements a CfnCondition to determine if ECR public is available based on `Aws.Partition` of the deploying region and conditionally attach `AmazonElasticContainerRegistryPublicReadOnly` to the kubectl-provider handler role. 

This PR has been tested in the following regions:

- [x] *cn-north-1
- [x] *cn-northwest-1
- [x] us-east-1

* I can confirm the role is created correctly in cn regions but due to 
   - #24358 
   - #24696  
The cluster and nodegroup are still failing to create in CN.

Closes #24743 #24808 #25178
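The conditional attachment described in the commit message above (and proposed in the issue's Possible Solution), as an added illustration in TypeScript that is not the aws-cdk PR's code: it writes out the CloudFormation fragment that a CfnCondition on Aws.PARTITION plus a conditional ManagedPolicyArns entry synthesizes to, then evaluates that fragment the way CloudFormation would for a given partition, so you can see which policies the kubectl handler role ends up with in aws, aws-cn and aws-us-gov. The condition name HasEcrPublic, the rule that only the commercial aws partition has ECR Public, the hypothetical KubectlHandlerRole resource and the tiny intrinsic evaluator are all assumptions made for this example.

```typescript
// Added illustration of the pattern in the fix (not the aws-cdk PR's own code):
// a CloudFormation Condition on AWS::Partition decides whether the ECR Public
// managed policy is attached to the kubectl handler role. The condition name,
// the "only the commercial 'aws' partition has ECR Public" rule and the
// hypothetical role resource are assumptions made for this example.

type Intrinsic = Record<string, unknown>;

const ECR_PUBLIC_POLICY = 'AmazonElasticContainerRegistryPublicReadOnly';
// Partitions the issue names as lacking ECR Public (China, GovCloud).
const PARTITIONS_WITHOUT_ECR_PUBLIC = new Set(['aws-cn', 'aws-us-gov']);

/** What a CfnCondition plus a conditional ManagedPolicyArns entry synthesizes to. */
function kubectlHandlerRoleTemplate(): { Conditions: Record<string, Intrinsic>; Resources: Record<string, Intrinsic> } {
  return {
    Conditions: {
      // Evaluated by CloudFormation at deploy time, so one synthesized template
      // is valid in every partition (Aws.PARTITION is only a token at synth time).
      HasEcrPublic: { 'Fn::Equals': [{ Ref: 'AWS::Partition' }, 'aws'] },
    },
    Resources: {
      KubectlHandlerRole: {
        Type: 'AWS::IAM::Role',
        Properties: {
          AssumeRolePolicyDocument: {
            Version: '2012-10-17',
            Statement: [{ Effect: 'Allow', Principal: { Service: 'lambda.amazonaws.com' }, Action: 'sts:AssumeRole' }],
          },
          ManagedPolicyArns: [
            // Always attached; ${AWS::Partition} keeps the ARN correct in aws-cn / aws-us-gov.
            { 'Fn::Sub': 'arn:${AWS::Partition}:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole' },
            // Attached only when the condition holds; AWS::NoValue removes the list entry otherwise.
            {
              'Fn::If': [
                'HasEcrPublic',
                { 'Fn::Sub': `arn:\${AWS::Partition}:iam::aws:policy/${ECR_PUBLIC_POLICY}` },
                { Ref: 'AWS::NoValue' },
              ],
            },
          ],
        },
      },
    },
  };
}

const NO_VALUE = Symbol('AWS::NoValue');

/** Minimal deploy-time evaluator for the intrinsics used above (Ref, Fn::Sub, Fn::Equals, Fn::If). */
function evaluate(node: unknown, partition: string, conditions: Record<string, boolean>): unknown {
  if (typeof node !== 'object' || node === null) return node;
  const obj = node as Intrinsic;
  if ('Ref' in obj) {
    if (obj.Ref === 'AWS::Partition') return partition;
    if (obj.Ref === 'AWS::NoValue') return NO_VALUE;
    throw new Error(`unsupported Ref ${String(obj.Ref)}`);
  }
  if ('Fn::Sub' in obj) return (obj['Fn::Sub'] as string).replace(/\$\{AWS::Partition\}/g, partition);
  if ('Fn::Equals' in obj) {
    const [lhs, rhs] = obj['Fn::Equals'] as [unknown, unknown];
    return evaluate(lhs, partition, conditions) === evaluate(rhs, partition, conditions);
  }
  if ('Fn::If' in obj) {
    const [cond, ifTrue, ifFalse] = obj['Fn::If'] as [string, unknown, unknown];
    return evaluate(conditions[cond] ? ifTrue : ifFalse, partition, conditions);
  }
  throw new Error(`unsupported intrinsic ${Object.keys(obj).join(',')}`);
}

/** Managed policy ARNs the role ends up with when the template is deployed to `partition`. */
function resolveManagedPolicyArns(partition: string): string[] {
  const tpl = kubectlHandlerRoleTemplate();
  const conditions: Record<string, boolean> = {};
  for (const [name, expr] of Object.entries(tpl.Conditions)) {
    conditions[name] = evaluate(expr, partition, conditions) as boolean;
  }
  const role = tpl.Resources.KubectlHandlerRole as { Properties: { ManagedPolicyArns: unknown[] } };
  return role.Properties.ManagedPolicyArns
    .map((entry) => evaluate(entry, partition, conditions))
    .filter((v): v is string => typeof v === 'string'); // drops AWS::NoValue entries
}

/** Handler-side twin of the condition: gate `aws ecr-public get-login-password` on this as well. */
function ecrPublicAvailable(partition: string): boolean {
  return !PARTITIONS_WITHOUT_ECR_PUBLIC.has(partition);
}

console.log('aws     ->', resolveManagedPolicyArns('aws'));
console.log('aws-cn  ->', resolveManagedPolicyArns('aws-cn'));
```

A CfnCondition is used rather than a synth-time `if (Stack.of(this).partition === 'aws')` because in an environment-agnostic stack `Aws.PARTITION` is the token `{ "Ref": "AWS::Partition" }` and cannot be compared at synth time; deferring the decision to CloudFormation keeps a single template deployable everywhere. The deploy-time rule above (`Fn::Equals` against `aws`) is stricter than the handler-side set, which only lists the two partitions the issue names; failing closed is the safer direction here, since attaching an ARN that does not exist in the partition is exactly the NoSuchEntity failure reported above. Before targeting a new partition, `aws iam get-policy --policy-arn arn:<partition>:iam::aws:policy/AmazonElasticContainerRegistryPublicReadOnly` is a quick way to confirm whether the managed policy exists there.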