When setting up an AWS load balancer for an EKS cluster, you may run into issues with the ingress controller pods. The key is giving the controller a proper AWS identity with the right permissions.
The Issue
When I first set up the load balancer, the ingress controller logs showed errors like:
"Unexpected status code '400' while performing a GET on Application Gateway."
The internal error pointed to an identity issue:
"Identity not found" "error":"WebIdentityErr: failed to retrieve credentials\ncaused by: ValidationError: Request ARN is invalid\n\tstatus code: 400, request id: 7bc4d21e-49e7-48d9-aaaa-5b123456c1234"
Root Cause
The ingress controller pods need IAM permissions to call the AWS APIs that create and manage the load balancer. On EKS this is granted through the Kubernetes service account the controller runs as, in the controller's namespace, which is annotated with the IAM role the controller should assume.
If that service account is not configured correctly, the controller cannot obtain AWS credentials, so it cannot authenticate to AWS or manage the load balancer.
The Fix
To fix it, the ServiceAccount needs the role annotation shown below (placeholders in angle brackets):
    {
      "apiVersion": "v1",
      "kind": "ServiceAccount",
      "metadata": {
        "annotations": {
          "eks.amazonaws.com/role-arn": "<role_arn>"
        },
        "labels": {
          "app.kubernetes.io/component": "controller",
          "app.kubernetes.io/name": "<service_account>"
        },
        "name": "<my_service_account>",
        "namespace": "<my_namespace>"
      }
    }
The IAM role named in that ARN must have a policy attached that grants the permissions the controller needs.
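As an added example (not code from the original post), a small offline check of both halves of this binding: that the role-arn annotation is a well-formed IAM role ARN (a malformed value is the usual reason STS answers "Request ARN is invalid") and that the role's trust policy allows exactly this namespace:serviceaccount subject to assume it. The account id, role name, OIDC provider id and service account name are constructed sample values, not the page's.

```python
import re

# Constructed sample: the page's ServiceAccount with made-up account id, role
# name and OIDC provider id in place of the <...> placeholders.
SERVICE_ACCOUNT = {
    "apiVersion": "v1", "kind": "ServiceAccount",
    "metadata": {
        "annotations": {"eks.amazonaws.com/role-arn":
                        "arn:aws:iam::123456789012:role/AWSLoadBalancerControllerRole"},
        "labels": {"app.kubernetes.io/component": "controller",
                   "app.kubernetes.io/name": "aws-load-balancer-controller"},
        "name": "aws-load-balancer-controller",
        "namespace": "kube-system",
    },
}
OIDC = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
# Constructed sample trust policy in the IRSA shape; sub pinned to one namespace:serviceaccount.
TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{OIDC}:aud": "sts.amazonaws.com",
            f"{OIDC}:sub": "system:serviceaccount:kube-system:aws-load-balancer-controller"}},
    }],
}
ROLE_ARN_RE = re.compile(r"^arn:aws(-[a-z]+)*:iam::\d{12}:role/[\w+=,.@/-]+$")


def check_irsa(sa: dict, trust_policy: dict) -> list[str]:
    """Static check of an IRSA binding; returns findings, [] when consistent."""
    meta = sa["metadata"]
    arn = meta.get("annotations", {}).get("eks.amazonaws.com/role-arn")
    if arn is None:
        return ["missing eks.amazonaws.com/role-arn annotation"]
    findings = []
    if not ROLE_ARN_RE.match(arn):  # the 'Request ARN is invalid' class of failure
        findings.append(f"annotation is not an IAM role ARN: {arn!r}")
    expected_sub = f"system:serviceaccount:{meta['namespace']}:{meta['name']}"
    for stmt in trust_policy.get("Statement", []):
        if stmt.get("Effect") != "Allow" or stmt.get("Action") != "sts:AssumeRoleWithWebIdentity":
            continue
        cond = stmt.get("Condition", {}).get("StringEquals", {})  # exact match only
        for key, value in cond.items():
            subs = value if isinstance(value, list) else [value]
            if key.endswith(":sub") and expected_sub in subs:
                return findings
    findings.append(f"trust policy does not allow {expected_sub!r} to assume the role")
    return findings
```

Only StringEquals conditions are inspected; a trust policy that uses StringLike wildcards for the subject is reported as a finding, which is a useful nudge toward pinning the subject to one service account.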