Can't attach statically provisioned EBS volume to EKS node
I've configured my EKS setup to support EBS by following the docs here. I've verified that this works by successfully deploying dynamically provisioned EBS volumes. I'm now trying to use static provisioning and I'm failing.
My volume is ready to attach in the AWS console:
I've verified that the PV and PVC for the new statically provisioned volume are ok (firehose-mainnet-test-volume points to the vol-0a493db74622155d0 from the screenshot above)
❯❯❯ k get pv
k get pvc
NAME CAPACITY ACCESS MODES RECLAIM POLICY STATUS CLAIM STORAGECLASS REASON AGE
firehose-mainnet-reader-test-volume 1000Gi RWO Retain Bound default/firehose-mainnet-reader-test-volume-claim io2 103m
mercury-ipfs-ipfs-efs-pv 20Gi RWX Retain Bound default/mercury-ipfs-ipfs-efs-pvc efs-sc 362d
pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9 2000Gi RWO Delete Bound default/firehose-mainnet-reader-ebs-pvc gp2-ebs-sc 40d
9:27AM /Users/paymahn/code/goldsky/firehose/go-ethereum tags/geth-v1.10.25-fh2 ✱ ◼
❯❯❯ k get pvc
NAME STATUS VOLUME CAPACITY ACCESS MODES STORAGECLASS AGE
firehose-mainnet-reader-ebs-pvc Bound pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9 2000Gi RWO gp2-ebs-sc 40d
firehose-mainnet-reader-test-volume-claim Bound firehose-mainnet-reader-test-volume 1000Gi RWO io2 81m
mercury-ipfs-ipfs-efs-pvc Bound mercury-ipfs-ipfs-efs-pv 20Gi RWX efs-sc 362d
This volume fails to mount when describing my pod:
Normal SuccessfulAttachVolume 2m44s attachdetach-controller AttachVolume.Attach succeeded for volume "pvc-e823a3b9-94be-449e-8248-ef1a023d8cc9"
Warning FailedMount 45s kubelet Unable to attach or mount volumes: unmounted volumes=[firehose-mainnet-reader-test-volume-claim], unattached volumes=[kube-api-access-smcss jwt firehose-mainnet-reader-ebs-pvc firehose-mainnet-reader-test-volume-claim]: timed out waiting for the condition
Warning FailedAttachVolume 20s attachdetach-controller AttachVolume.Attach failed for volume "firehose-mainnet-reader-test-volume" : Attach timeout for volume vol-0a493db74622155d0
When I look at the logs for the ebs-csi-controller I see the following output:
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.294065 1 csi_handler.go:248] Attaching "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e"
ebs-csi-controller-7485b8586d-jwng9 ebs-plugin E1212 12:43:38.651776 1 driver.go:120] GRPC error: rpc error: code = Internal desc = Could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: 86wH2-qNGBPhlKSt0fyV9CfjiZCvdgoQmTX7EmWlB9Dwmj8VjAWo7VaLEobbh4lNuLM0bmCnWOPgntBaRP2jwqap6koIsjikjt4Takcv49FZZ0SmO4GLhqpzBx88k1YAUE3n0DJp_ip6gW-oVvb2FD16tOfU5iJn6dyCUUzGlguhPn20WbzZuYitvpfXlK4m2RSiQDZPDHOesmsDWREN5d-p086kAQAUdLauoNaTd-qDWf497Yh5pwR4WXYM3hWi8SxSSs7y6sQ8idTjj8GHUjJOrsZC_hRCMO-NhOMy-agBwT4gYziOzaZ-AVxlhv7YW27Yd-azNrumAuA4JykN8YtE76h1RFJ16SuIFBrhx4mEsMR-pjuLLnuTbk6hdkXqeoPE9xoIx6pL12HwiblTDOQo8nM2utNK_p0ZYefb1IlJuIjm8CrgbmxyXu5wZWcsZKOnufdTh6G2Hj46kT0OHDI7-NJbyu4d8NkQ5LvQvX_wHVc2JAonNsRj5VuQZZr6G5C1FJrNiu44-LnhWB92LMR9ho7maHegKKrQ-DLy9UHuVS9fq5xNdyEgYAaNFGn8MkJxsSplFUQm25HByt39hCbeuwoYkUHtpite9ufqoMvTElYJBDFkasVec2RxhnYcPuyQ7pPj26IcUquW5wKD
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.660565 1 csi_handler.go:255] Failed to save attach error to "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e": VolumeAttachment.storage.k8s.io "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e" is invalid: status.attachError.message: Too long: must have at most 262144 bytes
ebs-csi-controller-7485b8586d-jwng9 ebs-plugin status code: 403, request id: c1eeb49c-955f-4969-9fcd-1a83933de338
ebs-csi-controller-7485b8586d-jwng9 csi-attacher I1212 12:43:38.660604 1 csi_handler.go:231] Error processing "csi-f61a123c75ba67f92a9482f96ca3fa133d9f4f6af9bc924c545f08a05da4a85e": failed to attach: rpc error: code = Internal desc = Could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": could not attach volume "vol-0a493db74622155d0" to node "i-0f994790a01e365d2": UnauthorizedOperation: You are not authorized to perform this operation. Encoded authorization failure message: 86wH2-qNGBPhlKSt0fyV9CfjiZCvdgoQmTX7EmWlB9Dwmj8VjAWo7VaLEobbh4lNuLM0bmCnWOPgntBaRP2jwqap6koIsjikjt4Takcv49FZZ0SmO4GLhqpzBx88k1YAUE3n0DJp_ip6gW-oVvb2FD16tOfU5iJn6dyCUUzGlguhPn20WbzZuYitvpfXlK4m2RSiQDZPDHOesmsDWREN5d-p086kAQAUdLauoNaTd-qDWf497Yh5pwR4WXYM3hWi8SxSSs7y6sQ8idTjj8GHUjJOrsZC_hRCMO-NhOMy-agBwT4gYziOzaZ-AVxlhv7YW27Yd-azNrumAuA4JykN8YtE76h1RFJ16SuIFBrhx4mEsMR-pjuLLnuTbk6hdkXqeoPE9xoIx6pL12HwiblTDOQo8nM2utNK_p0ZYefb1IlJuIjm8CrgbmxyXu5wZWcsZKOnufdTh6G2Hj46kT0OHDI7-NJbyu4d8NkQ5LvQvX_wHVc2JAonNsRj5VuQZZr6G5C1FJrNiu44-LnhWB92LMR9ho7maHegKKrQ-DLy9UHuVS9fq5xNdyEgYAaNFGn8MkJxsSplFUQm25HByt39hCbeuwoYkUHtpite9ufqoMvTElYJBDFkasVec2RxhnYcPuyQ7pPj26IcUquW5wKD
ebs-csi-controller-7485b8586d-jwng9 csi-attacher status code: 403, request id: c1eeb49c-955f-4969-9fcd-1a83933de338
How can I attach a statically generated ebs volume to my node? I've verified that the node and volume are both in the same region, us-west-2c. Is there anything else I need to check to ensure that the volume can be mounted to the node?
Solution
Turns out the service account for my ebs csi controller didn't have an assumeRole annotation. Adding that fixed the issue.
kubectl annotate serviceaccount ebs-csi-controller-sa \
-n kube-system \
eks.amazonaws.com/role-arn=arn:aws:iam::111122223333:role/AmazonEKS_EBS_CSI_DriverRole
- AWS CLI Create Default VPC
- Email address is not verified (AWS SES)
- RDS Proxy: PENDING_PROXY_CAPACITY and "DBProxy Target unavailable due to an internal error"
- mTLS on AWS ALBs across multiple regions
- How to debug a aws lambda function?
- AWS SAM retrieve secret value from Secret Manager with dynamic referencing
- Cloudfront redirect when signed cookies not present
- Is there a wildcard character in AWS EventBridge rules?
- Laravel file upload s3 Multipart
- Increase EC2 disk storage without losing any data
- AWS Lambda triggers SES in VPC
- Setting HTTP Headers with Lambda@Edge
- How to find an Amazon EC2 AMI if I only have the id?
- AWS Lambda - Can't set memory larger than 3008 MB
- Which one is the cheapest to use AWS RDS or my own database?
- AWS Glue Please verify role's TrustPolicy
- How to create event bus events with source 'aws.'?
- Terraform and AWS: No Configuration Files Found Error
- How to transfer the packets through NAT gateway instead of public IP?
- Is Aws well architected framework supports API's?
- Can't delete AWS internet Gateway
- Unable to Trigger Lambda function in AWS using Python code from my local setup
- How to login with AWS CLI using credentials profiles
- How to retrieve multiple endpoints using data "aws_vpc_endpoint" resource?
- When pushing to ECS, Docker image errors out with module not found error
- Is there a way to drop file extensions when using AWS CLI with --recursive?
- On-demand self-hosted AWS EC2 runner for GitHub Actions
- How to manage dev and prod environments in a SAM project with CloudFormation Stacks, API Gateway, Lambda, and other AWS services?
- EC2 Instance error telling me multiple IAM Roles are attached when I try to change it...?
- (NoSuchVersion) when calling the GetObject operation: The specified version does not exist