EBS CSI IRSA policy preventing creating tags on an EBS volume in case of using VAC #562

matej-topolovec opened this issue Apr 11, 2025 · 1 comment

Description

Hi,

Currently the AWS EBS CSI IRSA policy prevents the EBS CSI driver from editing tags if a VAC with tag specifications is applied to a PVC. This is the policy statement that blocks it:

```hcl
  statement {
    actions = ["ec2:CreateTags"]

    resources = [
      "arn:${local.partition}:ec2:*:*:volume/*",
      "arn:${local.partition}:ec2:*:*:snapshot/*",
    ]

    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values = [
        "CreateVolume",
        "CreateSnapshot",
      ]
    }
  }
```

So the condition only permits creating tags as part of a CreateAction, while DeleteTags has no condition at all.

  • ✋ I have searched the open/closed issues and my issue is not listed.

Versions

  • Module version [Required]: 5.54.0
  • Terraform version: 1.11.4
  • Provider version(s): v5.83.0

Reproduction Code [Required]

```shell
kubectl apply -f manifests/pod-with-volume.yaml
kubectl apply -f manifests/volumeattributesclass.yaml
```

Steps to reproduce the behavior:

  1. Create a VAC that specifies a tag to be created on the EBS volume
  2. Set the volume attribute class on a PVC
  3. The EBS CSI driver fails with the error:

```text
"Error from AWS API" err="api error UnauthorizedOperation: You are not authorized to perform this operation. User: ebs-csi-role is not authorized to perform: ec2:CreateTags on resource: <volume_arn> because no identity-based policy allows the ec2:CreateTags action.

failed to create tags" err="operation error EC2: CreateTags, https response error StatusCode: 403
```

Expected behavior

When the condition:

```hcl
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values = [
        "CreateVolume",
        "CreateSnapshot",
      ]
    }
```

is removed from the policy, the EBS CSI controller is able to create the tag specified in the VAC on an EBS volume.

Actual behavior

The EBS CSI driver fails to create the tag because the AWS policy permits creating tags only as part of an ec2:CreateAction.
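To make the failure mechanism concrete, here is a toy model of how IAM evaluates the quoted `ec2:CreateTags` statement against two request contexts. This is an added illustration, not code from the module or the EBS CSI driver; the volume ARN, the request contexts and the `aws` partition are constructed.

```python
# Toy IAM evaluator for the ec2:CreateTags statement quoted in the issue.
# Constructed inputs only; nothing here is captured from a real AWS account.
from fnmatch import fnmatch

VOLUME_ARN = "arn:aws:ec2:us-east-1:123456789012:volume/vol-0123456789abcdef0"  # constructed

def string_equals(context, condition):
    """IAM StringEquals: every condition key must be present in the request
    context with one of the allowed values. A key that is absent from the
    context (not merely different) makes the condition evaluate to false."""
    return all(context.get(key) in allowed for key, allowed in condition.items())

def statement_allows(stmt, action, resource, context):
    """True if the statement's actions, resources and (optional) condition
    all match the request; resources use IAM-style '*' wildcards."""
    return (action in stmt["actions"]
            and any(fnmatch(resource, pattern) for pattern in stmt["resources"])
            and string_equals(context, stmt.get("condition", {})))

# The statement as shipped in the module, with ${local.partition} filled in as 'aws'.
CREATE_TAGS_AS_SHIPPED = {
    "actions": ["ec2:CreateTags"],
    "resources": ["arn:aws:ec2:*:*:volume/*", "arn:aws:ec2:*:*:snapshot/*"],
    "condition": {"ec2:CreateAction": ["CreateVolume", "CreateSnapshot"]},
}
# The same statement with the condition dropped, i.e. the workaround in the issue.
CREATE_TAGS_UNCONDITIONAL = {k: v for k, v in CREATE_TAGS_AS_SHIPPED.items() if k != "condition"}

# Request 1: tags passed via TagSpecifications on CreateVolume. AWS evaluates the
# implied CreateTags with ec2:CreateAction set to the creating API call.
CTX_CREATE_VOLUME = {"ec2:CreateAction": "CreateVolume"}
# Request 2: a VAC is applied to an existing PVC, so the driver issues a standalone
# CreateTags call. No resource is being created, so ec2:CreateAction is absent.
CTX_VAC_TAG = {}

def evaluate(stmt, context):
    """Evaluate a CreateTags request on the constructed volume ARN."""
    return statement_allows(stmt, "ec2:CreateTags", VOLUME_ARN, context)

if __name__ == "__main__":
    for name, stmt in (("as shipped", CREATE_TAGS_AS_SHIPPED), ("unconditional", CREATE_TAGS_UNCONDITIONAL)):
        print(f"{name:13} CreateVolume tags: {evaluate(stmt, CTX_CREATE_VOLUME)}  "
              f"VAC tag: {evaluate(stmt, CTX_VAC_TAG)}")
```

Note that the unconditional variant matches a standalone CreateTags call on any volume or snapshot in the account, not just ones the driver created, which is the scope trade-off behind the maintainer's question below.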

@bryantbiggs (Member)

and what is the recommended policy for using VolumeAttributesClass?
