Troubleshooting AWS Load Balancer with EKS

<p>When setting up an AWS load balancer for an EKS cluster, you may run into issues with the ingress controller pods. The key is setting up proper identity and permissions.</p>
<h1>The Issue</h1>
<p>When I first set up the load balancer, the ingress controller logs showed errors like:</p>
<pre>&quot;Unexpected status code &#39;400&#39; while performing a GET on Application Gateway.&quot;</pre>
<p>The internal error pointed to an identity issue:</p>
<pre>&quot;Identity not found&quot;
&quot;error&quot;:&quot;WebIdentityErr: failed to retrieve credentials\ncaused by: ValidationError: Request ARN is invalid\n\tstatus code: 400, request id: 7bc4d21e-49e7-48d9-aaaa-5b123456c1234&quot;</pre>
<h1>Root Cause</h1>
<p>The ingress controllers need rights to call the AWS APIs that manage the load balancer. Those rights are granted through an IAM role associated with a service account in the controller&rsquo;s namespace.</p>
<p>If the service account is not configured properly, the controllers cannot authenticate to AWS and therefore cannot manage the load balancer.</p>
<h1>The Fix</h1>
<p>To fix this, the service account&rsquo;s metadata needs the role annotation (placeholders in angle brackets must be replaced with your own values):</p>
<pre>&quot;annotations&quot;: {
  &quot;eks.amazonaws.com/role-arn&quot;: &lt;role_arn&gt;
},
&quot;labels&quot;: {
  &quot;app.kubernetes.io/component&quot;: &quot;controller&quot;,
  &quot;app.kubernetes.io/name&quot;: &lt;service_account&gt;
},
&quot;name&quot;: &lt;my_service_account&gt;,
&quot;namespace&quot;: &lt;my_namespace&gt;</pre>
<p>The role ARN must point to an IAM role whose attached policy grants the controller the permissions it needs.</p>
<p><a href="https://medium.com/@jamal.publish/troubleshooting-aws-load-balancer-with-eks-0051a8bdd84c"><strong>Learn More</strong></a></p>
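<p>The annotation above is easy to get wrong: leaving a template placeholder in the role ARN, or mistyping the account ID, produces exactly the <code>Request ARN is invalid</code> failure shown in the logs. The following Python script is an added example, not code from the original post. It takes a ServiceAccount in JSON form (as produced by <code>kubectl get sa &lt;name&gt; -n &lt;namespace&gt; -o json</code>), checks that the <code>eks.amazonaws.com/role-arn</code> annotation is present, validates the ARN shape, and optionally confirms the account ID matches the cluster's account. The function names, the sample manifests, and the account ID 123456789012 are constructed for this example.</p>

```python
import json
import re

ROLE_ARN_ANNOTATION = "eks.amazonaws.com/role-arn"

# Shape of an IAM role ARN: arn:<partition>:iam::<12-digit account id>:role/<path/name>.
# The capture group extracts the account ID so it can be compared with the cluster's account.
ROLE_ARN_RE = re.compile(r"^arn:aws(?:-[a-z]+)*:iam::(\d{12}):role/[\w+=,.@/-]+$")


def check_irsa_service_account(manifest_json, expected_account_id=None):
    """Return a list of findings for a ServiceAccount manifest; an empty list means it looks correct.

    manifest_json: JSON text of the ServiceAccount object (kubectl get sa ... -o json).
    expected_account_id: optional 12-digit AWS account ID the role is expected to live in.
    """
    sa = json.loads(manifest_json)
    meta = sa.get("metadata") or {}
    name = meta.get("name", "<unnamed>")
    namespace = meta.get("namespace", "<no-namespace>")
    annotations = meta.get("annotations") or {}
    findings = []

    arn = annotations.get(ROLE_ARN_ANNOTATION)
    if arn is None:
        # Without the annotation no web-identity token is projected, so the controller
        # has no IAM role to assume and fails to retrieve credentials.
        findings.append(f"{namespace}/{name}: missing annotation {ROLE_ARN_ANNOTATION}")
        return findings

    if "<" in arn or ">" in arn:
        # A template placeholder such as <role_arn> was applied literally.
        findings.append(f"{namespace}/{name}: role ARN still contains a placeholder: {arn!r}")
        return findings

    match = ROLE_ARN_RE.match(arn)
    if not match:
        # STS rejects this with ValidationError: Request ARN is invalid.
        findings.append(
            f"{namespace}/{name}: role ARN {arn!r} is malformed; "
            "expected arn:aws:iam::<account-id>:role/<role-name>"
        )
        return findings

    if expected_account_id and match.group(1) != expected_account_id:
        findings.append(
            f"{namespace}/{name}: role ARN belongs to account {match.group(1)}, "
            f"expected account {expected_account_id}"
        )
    return findings


def _manifest(role_arn=None):
    """Build a constructed ServiceAccount manifest for the example (not real cluster output)."""
    metadata = {
        "name": "aws-load-balancer-controller",
        "namespace": "kube-system",
        "labels": {
            "app.kubernetes.io/component": "controller",
            "app.kubernetes.io/name": "aws-load-balancer-controller",
        },
    }
    if role_arn is not None:
        metadata["annotations"] = {ROLE_ARN_ANNOTATION: role_arn}
    return json.dumps({"apiVersion": "v1", "kind": "ServiceAccount", "metadata": metadata})


# Constructed sample inputs: one correct manifest, one with the template placeholder
# left in place, and one with the annotation missing entirely.
GOOD_SA = _manifest("arn:aws:iam::123456789012:role/AmazonEKSLoadBalancerControllerRole")
PLACEHOLDER_SA = _manifest("<role_arn>")
MISSING_SA = _manifest()

if __name__ == "__main__":
    for label, manifest in [("good", GOOD_SA), ("placeholder", PLACEHOLDER_SA), ("missing", MISSING_SA)]:
        findings = check_irsa_service_account(manifest, expected_account_id="123456789012")
        print(f"{label}: {'OK' if not findings else findings}")
```

<p>Run it against a live cluster by piping <code>kubectl get sa &lt;name&gt; -n &lt;namespace&gt; -o json</code> into <code>check_irsa_service_account</code> before restarting the controller pods; an empty finding list means the annotation is present and well-formed, though the role's trust and permission policies still need to be verified on the IAM side.</p>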