Troubleshooting AWS Load Balancer with EKS

<p>When setting up an AWS load balancer for an EKS cluster, you may run into issues with the ingress controller pods. The key is setting up proper identity and permissions.</p> <h1>The Issue</h1> <p>When I first set up the load balancer, the ingress controller logs showed errors like:</p> <pre> "Unexpected status code '400' while performing a GET on Application Gateway."</pre> <p>The internal error pointed to an identity issue:</p> <pre> "Identity not found" "error":"WebIdentityErr: failed to retrieve credentials\ncaused by: ValidationError: Request ARN is invalid\n\tstatus code: 400, request id: 7bc4d21e-49e7-48d9-aaaa-5b123456c1234"</pre> <h1>Root Cause</h1> <p>The ingress controllers need rights to call the AWS APIs to manage the load balancer. This is done through a service account in the controller’s namespace.</p> <p>If the service account is not configured properly, the controllers can’t authenticate and manage the load balancer.</p> <h1>The Fix</h1> <p>To fix, the service account needs proper annotations like:</p> <pre> "annotations": { "eks.amazonaws.com/role-arn": <role_arn> }, "labels": { "app.kubernetes.io/component": "controller", "app.kubernetes.io/name": <service_account> }, "name": <my_service_account>, "namespace": <my_namespace>, }</pre> <p>The role ARN should match a policy allowing the necessary permissions.</p> <p><a href="https://medium.com/@jamal.publish/troubleshooting-aws-load-balancer-with-eks-0051a8bdd84c"><strong>Learn More</strong></a></p>