Description
Hi,
currently the AWS EBS CSI IRSA policy prevents the EBS CSI driver from editing tags when a VAC with tag specifications is applied to a PVC. This is the preventing policy:
```hcl
statement {
  actions = ["ec2:CreateTags"]
  resources = [
    "arn:${local.partition}:ec2:*:*:volume/*",
    "arn:${local.partition}:ec2:*:*:snapshot/*",
  ]
  condition {
    test     = "StringEquals"
    variable = "ec2:CreateAction"
    values = [
      "CreateVolume",
      "CreateSnapshot",
    ]
  }
}
```
So the condition only permits creating tags on a CreateAction, while DeleteTags does not implement any condition.
- ✋ I have searched the open/closed issues and my issue is not listed.
Versions
- Module version [Required]: 5.54.0
- Terraform version: 1.11.4
- Provider version(s): v5.83.0
Reproduction Code [Required]
```shell
kubectl apply -f manifests/pod-with-volume.yaml
kubectl apply -f manifests/volumeattributesclass.yaml
```
Steps to reproduce the behavior:
- Create a VAC for which a tag is specified, which will be created on the EBS volume
- Set the volume attribute class on a PVC
- The EBS CSI volume fails with the error:

```
"Error from AWS API" err="api error UnauthorizedOperation: You are not authorized to perform this operation. User: ebs-csi-role is not authorized to perform: ec2:CreateTags on resource: <volume_arn> because no identity-based policy allows the ec2:CreateTags action.
failed to create tags" err="operation error EC2: CreateTags, https response error StatusCode: 403
```
Expected behavior
When the condition:

```hcl
condition {
  test     = "StringEquals"
  variable = "ec2:CreateAction"
  values = [
    "CreateVolume",
    "CreateSnapshot",
  ]
}
```

is removed from the policy, the EBS CSI controller is able to create the tag specified in the VAC on an EBS volume.
Actual behavior
The EBS CSI driver fails to create the tag because the AWS policy permits creating tags only on an ec2:CreateAction.
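As an added example (not code from the issue above nor from the terraform-aws-eks module), the policy fragment below keeps the original CreateAction-scoped statement and adds a second `ec2:CreateTags` statement for the VolumeAttributesClass path, which tags a volume that already exists. Dropping the condition outright, as the expected-behaviour section suggests, would let the IRSA role tag any EBS volume in the account; the example instead restricts the new statement to volumes carrying the driver's own cluster tag. It assumes `local.partition` as in the quoted policy and that the EBS CSI driver tags every volume it creates with `ebs.csi.aws.com/cluster = "true"`; check that tag on your own volumes before relying on it. The condition key `ec2:CreateAction` is only present in the request context when tags are passed as part of a resource-creating call, so the first statement can never match a standalone `CreateTags` on an existing volume.

```hcl
# Added example, not part of the issue or of the terraform-aws-eks module.
# Assumes: local.partition (as in the quoted policy) and that the driver
# tags volumes it creates with ebs.csi.aws.com/cluster = "true".
data "aws_iam_policy_document" "ebs_csi_tags" {
  # Unchanged from the module: tags applied inside CreateVolume /
  # CreateSnapshot. ec2:CreateAction exists in the request context only
  # for those calls, so this never authorises CreateTags on an existing
  # volume, which is exactly the VAC failure described above.
  statement {
    sid     = "TagOnCreate"
    actions = ["ec2:CreateTags"]
    resources = [
      "arn:${local.partition}:ec2:*:*:volume/*",
      "arn:${local.partition}:ec2:*:*:snapshot/*",
    ]
    condition {
      test     = "StringEquals"
      variable = "ec2:CreateAction"
      values   = ["CreateVolume", "CreateSnapshot"]
    }
  }

  # New: CreateTags on an already-existing volume (the VAC path).
  # Scoped by resource tag instead of removing the condition, so the
  # role can only tag volumes the driver itself created.
  statement {
    sid       = "TagExistingDriverVolumes"
    actions   = ["ec2:CreateTags"]
    resources = ["arn:${local.partition}:ec2:*:*:volume/*"]
    condition {
      test     = "StringEquals"
      variable = "aws:ResourceTag/ebs.csi.aws.com/cluster"
      values   = ["true"]
    }
  }
}

# Attach the document to a standalone policy; name is an example only.
resource "aws_iam_policy" "ebs_csi_tags" {
  name   = "ebs-csi-tags-example"
  policy = data.aws_iam_policy_document.ebs_csi_tags.json
}
```

If the VAC tag keys are known in advance, the second statement can be tightened further with an additional `condition` block using `test = "ForAllValues:StringEquals"` on `variable = "aws:TagKeys"`, so the role can only set those keys. The same `aws:ResourceTag/ebs.csi.aws.com/cluster` guard is also a reasonable answer to the observation above that `ec2:DeleteTags` currently carries no condition at all.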