ebs-csi-driver add-on role
Terraforming an IRSA role for use with aws-ebs-csi-driver EKS add-on and the community EKS module
I used to be able to add arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy to my node roles and everything just worked. But in more recent versions I started seeing this error:

could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

It turns out the simple fix is to pass an IAM role carrying that same policy to the driver's pod itself (via IRSA), instead of relying on the node role reached through IMDS.
Cluster setup before
This is a simplified version… but this is what it used to look like.
module "cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  [...details removed]

  enable_irsa = true

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent = true
    }
  }
}
Terraforming the role
This is how I create the role now. The trust policy only lets the ebs-csi-controller-sa service account in kube-system assume it, through the cluster's OIDC provider.

data "aws_iam_policy_document" "ebs_csi_irsa" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:sub"
      values = [
        "system:serviceaccount:kube-system:ebs-csi-controller-sa"
      ]
    }

    effect = "Allow"
  }
}

resource "aws_iam_role" "ebs_csi" {
  name               = "ebs-csi"
  assume_role_policy = data.aws_iam_policy_document.ebs_csi_irsa.json
}

resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  role       = aws_iam_role.ebs_csi.name
}
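As an added example (not from the post), here is the same trust policy with a second condition on the token audience, which the EKS IRSA documentation also includes: it restricts the role to web-identity tokens minted for STS, so a token issued for another audience by the same OIDC provider cannot be used to assume it. It assumes the same module.cluster outputs as above.

```hcl
data "aws_iam_policy_document" "ebs_csi_irsa" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.oidc_provider_arn]
    }

    # Only the ebs-csi-controller service account in kube-system may assume the role.
    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:sub"
      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
    }

    # Added condition: the projected token must be issued for the STS audience.
    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}
```

The aws_iam_role and aws_iam_role_policy_attachment resources from the post stay unchanged; only the data source gains the extra block.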
Passing the role to the add-on
Then specify the role ARN on the add-on…

cluster_addons = {
  coredns = {
    most_recent = true
  }
  kube-proxy = {
    most_recent = true
  }
  aws-ebs-csi-driver = {
    most_recent              = true
    service_account_role_arn = aws_iam_role.ebs_csi.arn
  }
}
Finally…
If you're adding this to an existing add-on, you might have to delete the ebs-csi-controller pods in kube-system so they are recreated with the role annotation and pick up the new credentials.