AWS ALB Load Balancer Controller - No eksctl-managed CloudFormation stacks found error

AWS recently announced the release of AWS ALB Load Balancer, which is the new version for AWS ALB Ingress controller.

Following the documentation, you can face the following error:

Error: no eksctl-managed CloudFormation stacks found for "<my-cluster>"

This will happen if your EKS cluster has been installed using a different tool but eksctl. Likely using Terrarform or even CloudFormation.

The error happens usually at step 4 of installation prerequisites, when trying to create a service account (aws-load-balancer-controller) linked to the newly created AWS IAM Policy (AWSLoadBalancerControllerIAMPolicy) with a Trust Policy allowing the cluster to build an ALB instance for available Ingress resources in your cluster.

Step 4:

eksctl create iamserviceaccount \
  --cluster=<my-cluster> \
  --namespace=kube-system \
  --name=aws-load-balancer-controller \
  --attach-policy-arn=arn:aws:iam::<aws-account-id>:policy/<AWSLoadBalancerControllerIAMPolicy> \
  --override-existing-serviceaccounts \
  --approve

Hopefully, there's a workaround to overcome the situation following these manual steps that equivalent to running the above command using AWS CLI. ( source )

  • Set your AWS account ID to an environment variable with the following command.
    AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query "Account" --output text)
    
  • Set your OIDC identity provider to an environment variable with the following command, replacing your cluster name. Important You must use at least version 1.18.163 or 2.0.59 of the AWS CLI to receive the proper output from this command
    OIDC_PROVIDER=$(aws eks describe-cluster --name <cluster-name> --query "cluster.identity.oidc.issuer" --output text | sed -e "s/^https:\/\///")
    
  • Copy the following code block to your computer and replace and with your own values.
    read -r -d '' TRUST_RELATIONSHIP <<EOF
    {
    "Version": "2012-10-17",
    "Statement": [
      {
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_PROVIDER}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "${OIDC_PROVIDER}:sub": "system:serviceaccount:<namespace>:<service-account-name>"
          }
        }
      }
    ]
    }
    EOF
    echo "${TRUST_RELATIONSHIP}" > trust.json
    

In my case, <namespace>:<service-account-name> was replaced by kube-system:aws-load-balancer-controller as I plan to create a service account named aws-load-balancer-controller and deploy the AWS Load Balanacer Controller on kube-system namespace.

  • Run the modified code block from the previous step to create a file named trust.json.

  • Run the following command to attach your IAM policy to your role ( created in step 3 of prerequisites steps ), replacing your IAM role name and policy ARN.

aws iam attach-role-policy --role-name <IAM_ROLE_NAME> --policy-arn=<IAM_POLICY_ARN>

IAM_ROLE_NAME: the name of the role attached to your eks cluster
IAM_POLICY_ARN: the ARN returned by the policy creation ( [step 3](https://github.com/aws/eks-charts/tree/master/stable/aws-load-balancer-controller) )
  • Associate the IAM role with a Kubernetes service account (IAM_ROLE_NAME) through AWS IAM permission tab.

  • Install the ALB using helm chart

    helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
    --namespace kube-system \
    --set clusterName=dev-das-ekscluster \
    --set serviceAccount.create=true \
    --set serviceAccount.name=aws-load-balancer-controller
    
  • Annotate the service account

    kubectl annotate serviceaccount -n <namespace> aws-load-balancer-controller eks.amazonaws.com/role-arn=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<IAM_ROLE_NAME>
    

There you go, Ingress resources will now trigger the creation of an ALB resource and providing an external ADDRESS to your cluster targeted backend service.

No Comments Yet