Scenario

When an application is launched on AWS EKS with ALB using gopaddle, the access endpoint for the application does not show a valid URL.

On the application view page, the endpoint shows 'AWS Application Load Balancer'.

The application, service, its replicas and containers are in a running state. However, on the application Activities page, an IngressWarning is observed. Expanding the warning shows the error message "Failed build model due to WebIdentityErr: failed to retrieve credentials caused by: AccessDenied: Not authorized to perform sts:AssumeRoleWithWebIdentity status code: 403"

Reason

The ALB ARN used while creating the EKS cluster does not match the cluster details. Open the cluster view page and check the Kube Master section. Note down the Cluster ID and the region details.

In the ALB Cloud Formation Template section, find the AmazonEKSLoadBalancerControllerRole and look at the ARN in its Principal section. Verify that the cluster ID and the region details in that ARN match the values noted from the cluster view page.

This can happen when the wrong ALB Cloud Formation Template is uploaded through the gopaddle UI while installing the ALB controller in the newly created EKS cluster.
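The comparison described above can be scripted. The following is an added example, not gopaddle code: it assumes the role's trust policy has been extracted as JSON, that the Principal is a Federated EKS OIDC provider ARN of the standard form, and that the Cluster ID noted from the cluster view page is the ID segment of that ARN. The function name and sample values are hypothetical.

```python
import json
import re

# Assumed standard form of an EKS OIDC provider ARN; the region is part of the issuer host.
OIDC_ARN = re.compile(r"^arn:aws:iam::\d{12}:oidc-provider/"
                      r"oidc\.eks\.(?P<region>[a-z0-9-]+)\.amazonaws\.com/id/(?P<id>[A-Za-z0-9]+)$")

def check_trust_policy(policy_json, cluster_id, region):
    """Return the mismatches between a role trust policy and the cluster (empty list = OK)."""
    expected_issuer = f"oidc.eks.{region}.amazonaws.com/id/{cluster_id}"
    statements = json.loads(policy_json).get("Statement", [])
    if isinstance(statements, dict):          # a single statement may be a bare object
        statements = [statements]
    problems, found = [], False
    for stmt in statements:
        actions = stmt.get("Action", [])
        if "sts:AssumeRoleWithWebIdentity" not in ([actions] if isinstance(actions, str) else actions):
            continue
        found = True
        principal = stmt.get("Principal")
        arn = principal.get("Federated") if isinstance(principal, dict) else None
        m = OIDC_ARN.match(arn) if isinstance(arn, str) else None
        if not m:
            problems.append(f"Federated principal is not an EKS OIDC provider ARN: {arn!r}")
            continue
        if m["region"] != region:
            problems.append(f"region in ARN is {m['region']}, cluster is in {region}")
        if m["id"] != cluster_id:
            problems.append(f"cluster ID in ARN is {m['id']}, cluster is {cluster_id}")
        # Condition keys such as "<issuer>:aud" carry the same issuer and must match as well.
        for keys in stmt.get("Condition", {}).values():
            for key in keys:
                if key.startswith("oidc.eks.") and key.rsplit(":", 1)[0] != expected_issuer:
                    problems.append(f"condition key {key} does not reference {expected_issuer}")
    if not found:
        problems.append("no statement allows sts:AssumeRoleWithWebIdentity")
    return problems

# Constructed sample trust policy (account number and IDs are placeholders).
SAMPLE = json.dumps({"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": "arn:aws:iam::111122223333:oidc-provider/"
                               "oidc.eks.us-east-1.amazonaws.com/id/AAAA1111BBBB2222CCCC3333DDDD4444"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        "oidc.eks.us-east-1.amazonaws.com/id/AAAA1111BBBB2222CCCC3333DDDD4444:aud": "sts.amazonaws.com"}},
}]})

if __name__ == "__main__":
    for p in check_trust_policy(SAMPLE, "EEEE5555FFFF6666AAAA7777BBBB8888", "us-west-2"):
        print("MISMATCH:", p)
```

An empty result means the ARN and condition keys in the template agree with the cluster; any reported mismatch corresponds to the sts:AssumeRoleWithWebIdentity AccessDenied error shown in the scenario.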

Resolution

Currently, gopaddle does not support updating the ARN. The cluster needs to be deleted and re-created. Once the new cluster is created, download the ALB template and make sure the right ALB template is uploaded while installing the ALB controller.
