Open in app

Sign in

Write

Sign in

ebs-csi-driver add-on role

Ryan Graham
2 min readAug 5, 2024

--

Terraforming an IRSA role for use with aws-ebs-csi-driver EKS add-on and the community EKS module

I used to be able to add arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy to my node roles and everything just worked. But in more recent versions I started seeing this error: could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

It turns out the simple fix is to pass a role with that same policy to the pod.

Cluster setup before

This is a simplified version… but this is what it used to look like.

module "cluster" {
  source          = "terraform-aws-modules/eks/aws"
  version         = "~> 20.0"
  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

[...details removed]

  enable_irsa = true

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent = true
    }
  }
}

Terraforming the role

This is how I create the role now.

data "aws_iam_policy_document" "ebs_csi_irsa" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:sub"

      values = [
        "system:serviceaccount:kube-system:ebs-csi-controller-sa"
      ]
    }

    effect = "Allow"
  }
}

resource "aws_iam_role" "ebs_csi" {
  name               = "ebs-csi"
  assume_role_policy = data.aws_iam_policy_document.ebs_csi_irsa.json
}

resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  role       = aws_iam_role.ebs_csi.name
}

Passing the role to the add-on

Then specify the role ARN…

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent              = true
      service_account_role_arn = aws_iam_role.ebs_csi.arn
    }
  }

Finally…

If you’re adding this to an existing add-on, you might have to delete the ebs csi controller pods in kube-system.

--

--

Ryan Graham
Ryan Graham

Written by Ryan Graham

29 Followers
9 Following

Let's connect on LinkedIn! https://www.linkedin.com/in/ryandeangraham/

Responses (1)

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams