Troubleshooting AWS Load Balancer with EKS
<p>When setting up an AWS load balancer for an EKS cluster, you may run into issues with the ingress controller pods. The key is the identity wiring: the controller's Kubernetes service account must be mapped, through IAM Roles for Service Accounts (IRSA), to an IAM role that is allowed to manage load balancers. If that mapping is missing or malformed, the controller cannot obtain AWS credentials at all.</p>
<h1>The Issue</h1>
<p>When I first set up the load balancer, the ingress controller logs showed errors like:</p>
<pre>
"Unexpected status code '400' while performing a GET on Application Gateway."</pre>
<p>The internal error pointed to an identity issue:</p>
<pre>
"Identity not found"
"error":"WebIdentityErr: failed to retrieve credentials\ncaused by: ValidationError: Request ARN is invalid\n\tstatus code: 400, request id: 7bc4d21e-49e7-48d9-aaaa-5b123456c1234"</pre>
<h1>Root Cause</h1>
<p>The ingress controllers need rights to call the AWS APIs that manage the load balancer. They get those rights through IRSA: the service account in the controller's namespace carries an <code>eks.amazonaws.com/role-arn</code> annotation, EKS projects an OIDC token into the controller pod, and the AWS SDK exchanges that token for temporary role credentials with <code>sts:AssumeRoleWithWebIdentity</code>.</p>
<p>If the service account is not configured properly, that exchange fails before any load balancer call is made. A missing or malformed annotation value is exactly what produces the <code>WebIdentityErr ... ValidationError: Request ARN is invalid</code> line above: STS rejects the role ARN it was handed, so the controller never authenticates and cannot manage the load balancer.</p>
<h1>The Fix</h1>
<p>To fix this, the service account needs the IRSA role annotation. As a ServiceAccount manifest (placeholders in angle brackets are to be replaced with your own values):</p>
<pre>
{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "annotations": {
      "eks.amazonaws.com/role-arn": "<role_arn>"
    },
    "labels": {
      "app.kubernetes.io/component": "controller",
      "app.kubernetes.io/name": "<service_account>"
    },
    "name": "<my_service_account>",
    "namespace": "<my_namespace>"
  }
}</pre>
<p>The role ARN must be a complete, well-formed IAM role ARN (<code>arn:aws:iam::&lt;account-id&gt;:role/&lt;role-name&gt;</code>), not a placeholder or a bare role name. The role itself needs two things: a trust policy that lets the cluster's OIDC provider assume it for this exact service account (condition <code>&lt;oidc-issuer&gt;:sub</code> equal to <code>system:serviceaccount:&lt;my_namespace&gt;:&lt;my_service_account&gt;</code>), and an attached IAM policy granting the load balancer permissions the controller uses. After changing the annotation, restart the controller pods: the IRSA token and the <code>AWS_ROLE_ARN</code> / <code>AWS_WEB_IDENTITY_TOKEN_FILE</code> environment variables are injected at pod admission, so running pods keep the old (broken) configuration.</p>
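<p>The following is an added pre-flight check, not code from the original article or from the AWS Load Balancer Controller project. It validates the two things the root cause and the fix above depend on: that the service account's <code>eks.amazonaws.com/role-arn</code> value has the shape STS will accept (catching the literal placeholder and stray whitespace cases that surface as "Request ARN is invalid"), and that the role's trust policy names the cluster OIDC provider and the exact <code>system:serviceaccount:&lt;namespace&gt;:&lt;name&gt;</code> subject. The account id, OIDC issuer, role name and namespace are constructed placeholders.</p>

```python
# Added example (not from the original article): pre-flight checks for the IRSA wiring
# that the AWS Load Balancer Controller depends on. Account id, OIDC issuer, role name
# and namespace below are constructed placeholders, not real AWS resources.
import re

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"

# Shape STS accepts for a role ARN: arn:<partition>:iam::<12-digit account>:role/<path/name>
ROLE_ARN_RE = re.compile(r"^arn:(?:aws|aws-cn|aws-us-gov):iam::\d{12}:role/[\w+=,.@/-]+$")


def role_arn_problems(arn):
    """Reasons the annotation value would be rejected by AssumeRoleWithWebIdentity.
    An empty list means the ARN at least has the right shape."""
    if arn is None:
        return ["annotation missing"]
    problems = []
    if arn != arn.strip():
        problems.append("leading/trailing whitespace")
    if arn.startswith("<") or arn.endswith(">"):
        problems.append("placeholder left in manifest")
    if not ROLE_ARN_RE.match(arn.strip()):
        problems.append("not a well-formed IAM role ARN")
    return problems


def service_account_problems(sa):
    """Check a ServiceAccount object as returned by `kubectl get sa -o json`."""
    annotations = sa.get("metadata", {}).get("annotations") or {}
    return role_arn_problems(annotations.get(ROLE_ARN_ANNOTATION))


def trust_policy_allows(policy, oidc_provider_arn, namespace, sa_name):
    """True if the role's trust policy lets the cluster OIDC provider assume the role
    for exactly system:serviceaccount:<namespace>:<sa_name>."""
    expected_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    issuer = oidc_provider_arn.split("oidc-provider/", 1)[1]  # condition keys use host/path
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = stmt.get("Action", [])
        actions = [actions] if isinstance(actions, str) else actions
        if "sts:AssumeRoleWithWebIdentity" not in actions:
            continue
        if stmt.get("Principal", {}).get("Federated") != oidc_provider_arn:
            continue
        subs = stmt.get("Condition", {}).get("StringEquals", {}).get(f"{issuer}:sub", [])
        subs = [subs] if isinstance(subs, str) else subs
        if expected_sub in subs:
            return True
    return False


# ---- constructed sample inputs (placeholders, not real AWS resources) ----
ACCOUNT_ID = "123456789012"
ISSUER = "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLED539D4633E53DE1B71EXAMPLE"
OIDC_PROVIDER_ARN = f"arn:aws:iam::{ACCOUNT_ID}:oidc-provider/{ISSUER}"
GOOD_ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/AmazonEKSLoadBalancerControllerRole"
NAMESPACE, SA_NAME = "kube-system", "aws-load-balancer-controller"


def make_service_account(role_arn):
    """Build a minimal ServiceAccount object carrying the IRSA annotation."""
    return {
        "apiVersion": "v1",
        "kind": "ServiceAccount",
        "metadata": {
            "name": SA_NAME,
            "namespace": NAMESPACE,
            "annotations": {ROLE_ARN_ANNOTATION: role_arn},
        },
    }


TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": OIDC_PROVIDER_ARN},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {
            f"{ISSUER}:aud": "sts.amazonaws.com",
            f"{ISSUER}:sub": f"system:serviceaccount:{NAMESPACE}:{SA_NAME}",
        }},
    }],
}

if __name__ == "__main__":
    for label, sa in [("placeholder", make_service_account("<role_arn>")),
                      ("good", make_service_account(GOOD_ROLE_ARN))]:
        print(label, service_account_problems(sa) or "ok")
    print("trust policy matches SA:",
          trust_policy_allows(TRUST_POLICY, OIDC_PROVIDER_ARN, NAMESPACE, SA_NAME))
```

<p>To use it against a real cluster, feed <code>service_account_problems</code> the JSON from <code>kubectl get sa -n &lt;my_namespace&gt; &lt;my_service_account&gt; -o json</code> and <code>trust_policy_allows</code> the <code>AssumeRolePolicyDocument</code> from <code>aws iam get-role</code>. A non-empty problem list explains the "Request ARN is invalid" error directly; a trust-policy mismatch shows up instead as an AccessDenied from STS, which is the next failure you would hit once the ARN is well-formed.</p>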
<p><a href="https://medium.com/@jamal.publish/troubleshooting-aws-load-balancer-with-eks-0051a8bdd84c"><strong>Learn More</strong></a></p>