Missing permission errors from e2e logs #5535

@richardcase

/kind bug

What steps did you take and what happened:

When running the e2e we are seeing some missing permission errors:

E0608 21:48:48.715440       1 loadbalancer.go:114] "failed to create LB" err=<
	failed to create load balancer: &{ mvwfsk0sxntfxgtp1hhrjooli05s-k8s  internet-facing [us-west-2a us-west-2b us-west-2c] [subnet-00736e9c14f82e6dd subnet-0e2f7f1135cfca106 subnet-02f54e118693930c9] [sg-08e0813c904a2fef7] [] <nil> {0s false} map[Name:mvwfsk0sxntfxgtp1hhrjooli05s-k8s sigs.k8s.io/cluster-api-provider-aws/cluster/functional-test-ignition-21e7t2:owned sigs.k8s.io/cluster-api-provider-aws/role:apiserver] [{TCP 6443 {apiserver-target-qj7bq 6443 TCP vpc-0a946a2feb883025f 0xc002041440}}] map[load_balancing.cross_zone.enabled:0xc002b15b70] }: AccessDenied: User: arn:aws:iam::819381709038:user/bootstrapper.cluster-api-provider-aws.sigs.k8s.io is not authorized to perform: ec2:GetSecurityGroupsForVpc
		status code: 403, request id: 39e0cdf5-79c8-40d3-b4f6-4848dada09d8
 > controller="awscluster" controllerGroup="infrastructure.cluster.x-k8s.io" controllerKind="AWSCluster" AWSCluster="functional-test-ignition-ooliyy/functional-test-ignition-21e7t2"

And

I0608 21:55:26.983149       1 recorder.go:104] "Failed to deregister control plane instance \"i-07bae984e4d867695\" from load balancer: AccessDenied: User: arn:aws:sts::819381709038:assumed-role/CAPAMultiTenancyNested/capamultitenancynested-session is not authorized to perform: elasticloadbalancing:DeregisterTargets on resource: arn:aws:elasticloadbalancing:us-west-2:819381709038:targetgroup/apiserver-target-ctw6j/fe29addd61165f1c because no identity-based policy allows the elasticloadbalancing:DeregisterTargets action\n\tstatus code: 403, request id: f68ff98e-edcd-485f-b53c-80ab8073f894" logger="events" type="Warning" object={"kind":"AWSMachine","namespace":"functional-multitenancy-nested-vghs5g","name":"functional-multitenancy-nested-xl4i9e-control-plane-82km8","uid":"ac7dd005-bd14-4c4c-8690-6b1b5fa0c4bb","apiVersion":"infrastructure.cluster.x-k8s.io/v1beta2","resourceVersion":"4929"} reason="FailedDetachControlPlaneELB"

What did you expect to happen:

I would expect these errors not to be in the logs.

Anything else you would like to add:
[Miscellaneous information that will assist in solving the issue.]

Environment:

  • Cluster-api-provider-aws version:
  • Kubernetes version: (use kubectl version):
  • OS (e.g. from /etc/os-release):
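
A triage helper for messages like the two above, added here as an example and not part of the original issue or of the cluster-api-provider-aws code: it pulls each denied IAM action out of controller logs, groups it by the identity whose policy would need it, and maps an STS assumed-role session back to its role. The function names are hypothetical and the sample lines are the issue's two messages shortened to the AccessDenied part.

```python
import re
from collections import defaultdict

# AccessDenied text as it appears in the logs above; "on resource" is optional.
DENIED = re.compile(
    r"User: (?P<principal>arn:aws:(?:iam|sts)::\d{12}:\S+) "
    r"is not authorized to perform: (?P<action>[\w-]+:\w+)"
    r"(?: on resource: (?P<resource>arn:\S+))?"
)
ASSUMED = re.compile(r"arn:aws:sts::(\d{12}):assumed-role/([^/]+)/")


def policy_owner(principal):
    """Map an STS session ARN to the IAM role whose policy needs the action.

    The session ARN omits any role path, so the result assumes path "/".
    IAM user ARNs are returned unchanged.
    """
    m = ASSUMED.match(principal)
    return f"arn:aws:iam::{m.group(1)}:role/{m.group(2)}" if m else principal


def missing_permissions(log_text):
    """Return {identity ARN: {action: set of resource ARNs}}.

    A resource of None means the message did not name one.
    Repeated log lines collapse into a single entry.
    """
    found = defaultdict(lambda: defaultdict(set))
    for m in DENIED.finditer(log_text):
        found[policy_owner(m["principal"])][m["action"]].add(m["resource"])
    return {who: dict(actions) for who, actions in found.items()}


# Constructed sample: the two log messages from this issue, shortened.
SAMPLE = r'''
E0608 21:48:48.715440       1 loadbalancer.go:114] "failed to create LB" err=<
	failed to create load balancer: AccessDenied: User: arn:aws:iam::819381709038:user/bootstrapper.cluster-api-provider-aws.sigs.k8s.io is not authorized to perform: ec2:GetSecurityGroupsForVpc
		status code: 403
I0608 21:55:26.983149       1 recorder.go:104] "Failed to deregister control plane instance \"i-07bae984e4d867695\" from load balancer: AccessDenied: User: arn:aws:sts::819381709038:assumed-role/CAPAMultiTenancyNested/capamultitenancynested-session is not authorized to perform: elasticloadbalancing:DeregisterTargets on resource: arn:aws:elasticloadbalancing:us-west-2:819381709038:targetgroup/apiserver-target-ctw6j/fe29addd61165f1c because no identity-based policy allows the elasticloadbalancing:DeregisterTargets action\n\tstatus code: 403" reason="FailedDetachControlPlaneELB"
'''

if __name__ == "__main__":
    for who, actions in missing_permissions(SAMPLE).items():
        for action, resources in sorted(actions.items()):
            print(who, action, sorted(r or "(no resource in message)" for r in resources))
```
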

Labels

  • kind/bug: Categorizes issue or PR as related to a bug.
  • lifecycle/active: Indicates that an issue or PR is actively being worked on by a contributor.
  • needs-priority
  • triage/accepted: Indicates an issue or PR is ready to be actively worked on.
