Can't attach statically provisioned EBS volume to EKS node
I've configured my EKS setup to support EBS by following the docs here. I've verified that this works by successfully deploying dynamically provisioned EBS volumes. I'm now trying to use static provisioning and I'm failing.
My volume is ready to attach in the AWS console:
I've verified that the PV and PVC for the new statically provisioned volume are ok (firehose-mainnet-test-volume points to the vol-0a493db74622155d0 from the screenshot above)
❯❯❯ k get pv
k get pvc
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
firehose-mainnet-reader-test-volume 1000Gi RWO Retain Bound default/firehose-mainnet-reader-test-volume-claim io2 103m
mercury-ipfs-ipfs-efs-pv 20Gi RWX Retain Bound default/mercury-ipfs-ipfs-efs-pvc efs-sc 362d
pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9 2000Gi RWO Delete Bound default/firehose-mainnet-reader-ebs-pvc gp2-ebs-sc 40d
9:27AM /Users/paymahn/code/goldsky/firehose/go-ethereum tags/geth-v1.10.25-fh2 ✱ ◼
❯❯❯ k get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
firehose-mainnet-reader-ebs-pvc Bound pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9 2000Gi RWO gp2-ebs-sc 40d
firehose-mainnet-reader-test-volume-claim Bound firehose-mainnet-reader-test-volume 1000Gi RWO io2 81m
mercury-ipfs-ipfs-efs-pvc Bound mercury-ipfs-ipfs-efs-pv 20Gi RWX efs-sc 362d
This volume fails to mount when describing my pod:
Normal SuccessfulAttachVolume 2m44s attachdetach-controller AttachVolume.Attach succeeded for volume "pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9"
Warning FailedMount 45s kubelet Unable to attach or mount volumes: unmounted volumes=[firehose-mainnet-reader-test-volume-claim], unattached volumes=[kube-api-access-smcss jwt firehose-mainnet-reader-ebs-pvc firehose-mainnet-reader-test-volume-claim]: timed out waiting for the condition
Warning FailedAttachVolume 20s attachdetach-controller AttachVolume.Attach failed for volume "firehose-mainnet-reader-test-volume" : Attach timeout for volume vol-0a493db74622155d0
When I look at the logs for the ebs-csi-controller I see the following output:
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.294065 1 csi_handler.go:248] Attaching "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e"
ebs-csi-controller-7485b8586d-jwng9 ebs-plugin E1212 12:43:38.651776 1 driver.go:120] GRPC error: rpc error: code = Internal desc = Could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: 86wH2-qNGBPhlKSt0fyV9CfjiZCvdgoQmTX7EmWlB9Dwmj8VjAWo7VaLEobbh4lNuLM0bmCnWOPgntBaRP2jwqap6koIsjikjt4Takcv49FZZ0SmO4GLhqpzBx88k1YAUE3n0DJp_ip6gW-oVvb2FD16tOfU5iJn6dyCUUzGlguhPn20WbzZuYitvpfXlK4m2RSiQDZPDHOesmsDWREN5d-p086kAQAUdLauoNaTd-qDWf497Yh5pwR4WXYM3hWi8SxSSs7y6sQ8idTjj8GHUjJOrsZC_hRCMO-NhOMy-agBwT4gYziOzaZ-AVxlhv7YW27Yd-azNrumAuA4JykN8YtE76h1RFJ16SuIFBrhx4mEsMR-pjuLLnuTbk6hdkXqeoPE9xoIx6pL12HwiblTDOQo8nM2utNK_p0ZYefb1IlJuIjm8CrgbmxyXu5wZWcsZKOnufdTh6G2Hj46kT0OHDI7-NJbyu4d8NkQ5LvQvX_wHVc2JAonNsRj5VuQZZr6G5C1FJrNiu44-LnhWB92LMR9ho7maHegKKrQ-DLy9UHuVS9fq5xNdyEgYAaNFGn8MkJxsSplFUQm25HByt39hCbeuwoYkUHtpite9ufqoMvTElYJBDFkasVec2RxhnYcPuyQ7pPj26IcUquW5wKD
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.660565 1 csi_handler.go:255] Failed to save attach error to "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e": VolumeAttachment.storage.k8s.io "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e" is invalid: status.attachError.message: Too long: must have at most 262144 bytes
ebs-csi-controller-7485b8586d-jwng9 ebs-plugin status code: 403, request id: c1eeb49c-955f-4969-9fcd-1a83933de338
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.660604 1 csi_handler.go:231] Error processing "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e": failed to attach: rpc error: code = Internal desc = Could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: 86wH2-qNGBPhlKSt0fyV9CfjiZCvdgoQmTX7EmWlB9Dwmj8VjAWo7VaLEobbh4lNuLM0bmCnWOPgntBaRP2jwqap6koIsjikjt4Takcv49FZZ0SmO4GLhqpzBx88k1YAUE3n0DJp_ip6gW-oVvb2FD16tOfU5iJn6dyCUUzGlguhPn20WbzZuYitvpfXlK4m2RSiQDZPDHOesmsDWREN5d-p086kAQAUdLauoNaTd-qDWf497Yh5pwR4WXYM3hWi8SxSSs7y6sQ8idTjj8GHUjJOrsZC_hRCMO-NhOMy-agBwT4gYziOzaZ-AVxlhv7YW27Yd-azNrumAuA4JykN8YtE76h1RFJ16SuIFBrhx4mEsMR-pjuLLnuTbk6hdkXqeoPE9xoIx6pL12HwiblTDOQo8nM2utNK_p0ZYefb1IlJuIjm8CrgbmxyXu5wZWcsZKOnufdTh6G2Hj46kT0OHDI7-NJbyu4d8NkQ5LvQvX_wHVc2JAonNsRj5VuQZZr6G5C1FJrNiu44-LnhWB92LMR9ho7maHegKKrQ-DLy9UHuVS9fq5xNdyEgYAaNFGn8MkJxsSplFUQm25HByt39hCbeuwoYkUHtpite9ufqoMvTElYJBDFkasVec2RxhnYcPuyQ7pPj26IcUquW5wKD
ebs-csi-controller-7485b8586d-jwng9 csi-attacher status code: 403, request id: c1eeb49c-955f-4969-9fcd-1a83933de338
How can I attach a statically generated ebs volume to my node? I've verified that the node and volume are both in the same region, us-west-2c. Is there anything else I need to check to ensure that the volume can be mounted to the node?
Solution
Turns out the service account for my ebs csi controller didn't have an assumeRole annotation. Adding that fixed the issue.
kubectl annotate serviceaccount ebs-csi-controller-sa \
-n kube-system \
eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/AmazonEKS_EBS_CSI_DriverRole
- AWS Lambda No module named 'regex._regex'
- Unable to resolve " not a valid key=value pair (missing equal-sign) in Authorization header" when POSTing to api gateway
- How to reset EC2 ubuntu instance?
- How to zip files properly on mac for unzipping via python from s3?
- Issues generating CloudFront signed URLs; always Access Denied
- AWS EventBridge Pipeline - Self Managed Kafka filter not working
- aws lambda function triggering multiple times for a single event
- Trying to create AWS spot datafeed, getting error: InaccessibleStorageLocation
- Can't see my EC2 instances on the management console?
- React web app Auth UserPool not configured
- How to retrieve usage on Amazon S3 based on tag?
- AWS Amplify: How to delete the environment, when resources are already partially deleted?
- Interactive shell in Docker image with Amazon ECS with `aws ecs run-task` followed by `aws ecs execute-command`
- Terraform v0.11.1 : Error downloading modules: Error loading modules: open .terraform/modules/3f10921295c292995128e9e36eb: no such file or directory
- Ansible - include vars file from remote host
- How to change AWS Lamp apache root directory?
- AWS Codeartifact and Poetry auth problems with private packages
- S3 Intelligent - Tiering with snowflake managed iceberg tables
- InvalidClientTokenId error aws when trying to get caller identity
- AWS Route 53: cost of having a subdomain on another DNS provider than AWS
- Unable to connect from MySQL Workbench to AWS RDS instance
- Querying timestamp data in Athena when the timestamp format in the underlying JSON files has changed
- Difference between AWS::IAM::Policy and AWS::IAM::ManagedPolicy
- During an aborted deployment, some instances may have deployed the new application version
- API Gateway V2 private integration to application load balancer always returns 503
- AWS ELB -> Backend Server over HTTPS with Self-Signed Certificate
- ELB to backend server using HTTPS with self-signed certificate
- How to pass different principals when deploying a bucket policy using terraform
- Clarification for AWS auto-scaling of instances
- Instances scaling (by ASG) but no new tasks being created