Managed policy is read incorrectly from config map #61

Open
kshamajain99 opened this issue Oct 27, 2020 · 1 comment
Labels
bug Something isn't working

Comments

@kshamajain99
Collaborator

kshamajain99 commented Oct 27, 2020

Is this a BUG REPORT or FEATURE REQUEST?:
Bug

What happened:
For my use case, I don't want to provide any managed policy. Hence, I removed the field `iam.managed.policies` from the iam-manager config map. But I am still getting the following error.

```
2020-10-27T22:05:46.575Z ERROR awsapi.iam.CreateRole Error while attaching managed policy {"request_id": "f31f3be2-787c-4a2a-8eba-36e0d3fbef3d", "roleName": "k8s-chaos-ns", "policy": "arn:aws:iam::233444812205:policy/", "error": "InvalidInput: ARN arn:aws:iam::233444812205:policy/ is not valid.\n\tstatus code: 400, request id: 32448561-3ec2-4a78-bb5b-9000cb4ed514"}
```

Based on golang behaviour, even when the managed policy field is an empty string ("") in the config map, `strings.Split` will return a list of strings having length 1 and the first element as the empty string "".

```go
managedPolicies := strings.Split(cm[0].Data[propertyManagedPolicies], separator)
```

https://play.golang.org/p/qazwf1dYDPY

What you expected to happen:
IAM role should create successfully

How to reproduce it (as minimally and precisely as possible):
Remove managed policies field from config map.

@kshamajain99 kshamajain99 added the bug Something isn't working label Oct 27, 2020
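
The behaviour reported above, shown next to one way to guard against it. This is an added example, not iam-manager's own code; the `,` separator, the helper names and the account ID `123456789012` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"strings"
)

// separator is an assumption; the issue does not show the project's value.
const separator = ","

// naiveSplit mirrors the call quoted in the issue: a missing or empty
// value still yields a slice of length 1 holding the empty string.
func naiveSplit(raw string) []string {
	return strings.Split(raw, separator)
}

// parseManagedPolicies (hypothetical helper) trims every entry and drops
// blanks, so "", " " and "a, ,b," never produce an empty policy name.
func parseManagedPolicies(raw string) []string {
	policies := []string{}
	for _, p := range strings.Split(raw, separator) {
		if p = strings.TrimSpace(p); p != "" {
			policies = append(policies, p)
		}
	}
	return policies
}

// policyARNs prefixes each name the way the ARN in the error log is built.
func policyARNs(accountID string, names []string) []string {
	arns := make([]string, 0, len(names))
	for _, n := range names {
		arns = append(arns, fmt.Sprintf("arn:aws:iam::%s:policy/%s", accountID, n))
	}
	return arns
}

func main() {
	const account = "123456789012"      // constructed account ID
	data := map[string]string{}         // config map with the field removed
	raw := data["iam.managed.policies"] // a missing key reads as ""

	fmt.Printf("naive: %q\n", policyARNs(account, naiveSplit(raw)))
	fmt.Printf("fixed: %q\n", policyARNs(account, parseManagedPolicies(raw)))
	fmt.Printf("mixed: %q\n", policyARNs(account, parseManagedPolicies("a, ,b,")))
}
```

The naive path produces the single ARN ending in `policy/` that IAM rejects with `InvalidInput`; the filtered path produces no ARNs, so no attach call would be attempted.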
@sumitnagal

sumitnagal commented Oct 27, 2020

@kshamajain99, here are some errors which I encountered during setup on a cluster:

```
➜ snagal git:(master) ✗ k get Iamrole
NAME STATE ROLENAME RETRYCOUNT LASTUPDATEDTIMESTAMP AGE
iamrole-pfi Error k8s-chaos-ns 1 2020-10-27T19:27:06Z 87m
```

After following the steps

  1. kubens iam-manager-system
  2. kubectl edit cm iam-manager-iamroles-v1alpha1-configmap
  3. Remove "iam.managed.policies: shared.snagal-eks-k8s-ppd"

Found this error: `k describe Iamrole iamrole-pfi`

```
Status:
Error Description: InvalidInput: ARN arn:aws:iam::233444812205:policy/ is not valid.
status code: 400, request id: 060bad11-fbed-4759-ba47-c04b00df9e12
Last Updated Timestamp: 2020-10-27T21:11:47Z
Retry Count: 11
Role Name: k8s-chaos-ns
State: Error
Events:
Type Reason Age From Message
Warning Error 4m47s iam-manager Unable to create/update iam role due to error InvalidInput: ARN arn:aws:iam::233444812205:policy/ is not valid.
status code: 400, request id: bd2f6f82-6312-41d1-965a-5b2723639150
Warning Error 4m46s iam-manager Unable to create/update iam role due to error InvalidInput: ARN arn:aws:iam::233444812205:policy/ is not valid.
status code: 400, request id: e9f9c6a0-c833-4a95-95b5-163abeac6396
Warning Error 4m44s iam-manager Unable to create/update iam role due to error InvalidInput: ARN arn:aws:iam::233444812205:policy/ is not valid.
status code: 400, request id: e63f5bdf-c10d-4038-9700-fa70b22373de
```
