ebs-csi-driver add-on role

Ryan Graham
Aug 5, 2024


Terraforming an IRSA role for use with aws-ebs-csi-driver EKS add-on and the community EKS module

I used to be able to attach arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy to my node roles and everything just worked. But in more recent versions I started seeing this error from the driver:

could not create volume in EC2: operation error EC2: CreateVolume, get identity: get credentials: failed to refresh cached credentials, no EC2 IMDS role found, operation error ec2imds: GetMetadata, request canceled, context deadline exceeded

It turns out the simple fix is to hand the driver's controller pod a role carrying that same policy, via an IRSA role bound to its service account, instead of relying on the node role.

Cluster setup before

This is a simplified version, but it is roughly what the cluster definition used to look like.

module "cluster" {
  source  = "terraform-aws-modules/eks/aws"
  version = "~> 20.0"

  cluster_name    = var.cluster_name
  cluster_version = var.cluster_version

  # [...details removed]

  enable_irsa = true

  cluster_addons = {
    coredns = {
      most_recent = true
    }
    kube-proxy = {
      most_recent = true
    }
    aws-ebs-csi-driver = {
      most_recent = true
    }
  }
}

Terraforming the role

This is how I create the role now.

data "aws_iam_policy_document" "ebs_csi_irsa" {
  statement {
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.oidc_provider_arn]
    }

    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:sub"

      values = [
        "system:serviceaccount:kube-system:ebs-csi-controller-sa"
      ]
    }

    effect = "Allow"
  }
}

resource "aws_iam_role" "ebs_csi" {
  name               = "ebs-csi"
  assume_role_policy = data.aws_iam_policy_document.ebs_csi_irsa.json
}

resource "aws_iam_role_policy_attachment" "AmazonEBSCSIDriverPolicy" {
  policy_arn = "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  role       = aws_iam_role.ebs_csi.name
}
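The trust policy above scopes the role to one service account through the `sub` claim, which is what keeps other pods on the same nodes from borrowing EBS permissions. AWS's own IRSA guidance also pins the `aud` claim, so that only tokens the pod identity webhook minted for STS are accepted. The following is an added example, not code from the post; it assumes the same `module.cluster` outputs (`oidc_provider`, `oidc_provider_arn`) and the same service account name, and is meant to replace the policy document wired into `assume_role_policy` on the role.

```hcl
# Added example: a stricter trust policy that checks both the subject and the
# audience of the projected service-account token. Assumes the community EKS
# module exposes oidc_provider and oidc_provider_arn as in the post.
data "aws_iam_policy_document" "ebs_csi_irsa_strict" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRoleWithWebIdentity"]

    principals {
      type        = "Federated"
      identifiers = [module.cluster.oidc_provider_arn]
    }

    # Only the EBS CSI controller's service account in kube-system may assume
    # the role. Avoid wildcards here; "system:serviceaccount:*" would let any
    # pod in the cluster pick up EBS permissions.
    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:sub"
      values   = ["system:serviceaccount:kube-system:ebs-csi-controller-sa"]
    }

    # Only tokens issued with the STS audience are accepted. This is the
    # audience the EKS pod identity webhook requests by default, so a token
    # projected for some other consumer cannot be replayed against this role.
    condition {
      test     = "StringEquals"
      variable = "${module.cluster.oidc_provider}:aud"
      values   = ["sts.amazonaws.com"]
    }
  }
}

# Point the role at the stricter document; everything else stays as in the post.
resource "aws_iam_role" "ebs_csi" {
  name               = "ebs-csi"
  assume_role_policy = data.aws_iam_policy_document.ebs_csi_irsa_strict.json
}
```

If the cluster's OIDC provider changes (for example after a rebuild), `terraform plan` will show both conditions updating, which is a useful signal that the trust relationship is being re-pointed rather than silently widened.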

Passing the role to the add-on

Then specify the role ARN…

cluster_addons = {
  coredns = {
    most_recent = true
  }
  kube-proxy = {
    most_recent = true
  }
  aws-ebs-csi-driver = {
    most_recent              = true
    service_account_role_arn = aws_iam_role.ebs_csi.arn
  }
}

Finally…

If you're adding this to an existing add-on, you may need to delete the ebs-csi-controller pods in kube-system so they are recreated and pick up the service-account role annotation; pods that were already running keep using the old credential path until they restart.
