Eks-core-services module run is failing with certificate not found error

Hi,

We are trying to bring up an EKS cluster in AWS using Gruntwork modules. We have followed the procedure below.

  1. Run eks-cluster live
  2. Installed kubergrunt and kubectl
  3. Run k8s-applications-namespace live
  4. Run eks-core-services live
https://github.com/gruntwork-io/infrastructure-live-multi-account-acme/tree/master/dev/us-east-1/dev/services

While running eks-core-services it failed with an error saying certificate is not found or there is no permission to access it. The error snippet is given below. Now we are in a state where we are not able to delete eks-core-services!

Can you please confirm whether the order we followed in creating the EKS cluster is correct? We would also appreciate it if you could help us get rid of this error and bring up the cluster.

Error: failed to execute "/usr/local/bin/kubergrunt": time="2020-02-13T11:42:54Z" level=info msg="--kubectl-server-endpoint provided. Checking for --kubectl-certificate-authority and --kubectl-token." name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Received instruction to generate temporary directory as helm home (--helm-home=__TMP__)." name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Generated temporary directory /tmp/696712633/.helm" name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Setting up local helm client to access Tiller server deployed in namespace kube-system." name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Checking if authorized to access specified Tiller server." name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Loading Kubernetes Client" name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Using direct auth methods to setup client." name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Loading Kubernetes Client" name=kubergrunt
time="2020-02-13T11:42:54Z" level=info msg="Using direct auth methods to setup client." name=kubergrunt
time="2020-02-13T11:42:54Z" level=error msg="You do not have permissions to access the client certs for Tiller deployed in namespace kube-system, or they do not exist." name=kubergrunt
ERROR: secrets "tiller-client-2e3a9c6ce8da519bb53fafcea0f28db4-certs" not found


  on main.tf line 56, in data "external" "configured_helm_home":
  56: data "external" "configured_helm_home" {

Hi,

Can you share:

  • What version of kubergrunt you are using
  • Which IAM role you are logged in as

By default the eks-core-services module sets up the access permissions to only allow access from the allow-full-access-from-other-accounts IAM role. My guess is that you are not using that role to deploy the infrastructure. It should work once you switch to that IAM role.

Yori
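
A preflight check for the point made in the reply above, written as an added example that is not part of the original thread or of Gruntwork's code: it takes the caller ARN reported by `aws sts get-caller-identity` and confirms it resolves to the `allow-full-access-from-other-accounts` role before eks-core-services is run. The function names and the sample ARNs in the comments are hypothetical and constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: verify the active AWS identity is the IAM role that the
# reply says eks-core-services grants access to. Helper names are hypothetical.

# Role named in the reply above.
EXPECTED_ROLE="allow-full-access-from-other-accounts"

# role_from_arn ARN -> prints the IAM role name; returns 1 when the ARN is
# not a role (for example an IAM user or the account root).
role_from_arn() {
  local arn resource
  arn="$1"
  # ARN layout: arn:partition:service:region:account-id:resource
  resource="${arn#arn:*:*:*:*:}"
  case "$arn" in
    arn:*:sts:*:*:assumed-role/*/*)
      # e.g. arn:aws:sts::111122223333:assumed-role/<role>/<session> (constructed)
      resource="${resource#assumed-role/}"
      printf '%s\n' "${resource%/*}"    # drop the session name
      ;;
    arn:*:iam:*:*:role/*)
      # e.g. arn:aws:iam::111122223333:role/<optional/path/><role> (constructed)
      printf '%s\n' "${resource##*/}"   # drop "role/" and any path
      ;;
    *)
      return 1
      ;;
  esac
}

# check_identity ARN -> 0 if ARN is EXPECTED_ROLE, 1 if it is another role,
# 2 if it is not a role at all.
check_identity() {
  local arn role
  arn="$1"
  if ! role="$(role_from_arn "$arn")"; then
    echo "identity $arn is not an IAM role" >&2
    return 2
  fi
  if [ "$role" != "$EXPECTED_ROLE" ]; then
    echo "logged in as role '$role', expected '$EXPECTED_ROLE'" >&2
    return 1
  fi
  echo "ok: using $EXPECTED_ROLE"
}

# Usage (assumes the AWS CLI is installed and credentials are configured):
#   check_identity "$(aws sts get-caller-identity --query Arn --output text)"
```

A non-zero exit means the current credentials are not the role the reply refers to, which matches the "You do not have permissions to access the client certs" branch of the error above.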