Description
I have installed the latest Helm chart, which installs the 0.5.16 version.
Even though my Env Variables and the token are readable:
Environment:
AWS_DEFAULT_REGION: us-east-1
AWS_ROLE_ARN: arn:aws:iam::****:role/cm--dev-eks.kube-system.cs-external-dns
AWS_WEB_IDENTITY_TOKEN_FILE: /var/run/secrets/eks.amazonaws.com/serviceaccount/token
The error I get is:
time="2019-09-12T17:18:32Z" level=error msg="AccessDenied: User: arn:aws:sts::250***:assumed-role/cm-dev-eks.worker-node-role/i-06ecf82ba**** is not authorized to perform: route53:ListHostedZones\n\tstatus code: 403, request id: 44d1b36c-2eda-4a*****
which is an instance role!
If I block access at the pod level to the AWS endpoint, the error is:
cs-external-dns-f4d8556f7-96sn4 external-dns time="2019-09-12T20:51:21Z" level=info msg="Created Kubernetes client https://172.20.0.1:443"
cs-external-dns-f4d8556f7-96sn4 external-dns time="2019-09-12T20:51:53Z" level=error msg="NoCredentialProviders: no valid providers in chain. Deprecated.\n\tFor verbose messaging see aws.Config.CredentialsChainVerboseErrors"
Also, the arguments I start this pod with are:
Args: --log-level=info --policy=sync --provider=aws --registry=txt --interval=1m --source=service --source=ingress --aws-batch-change-size=1000
Using: helm chart: 2.6.1
pod: docker.io/bitnami/external-dns:0.5.16-debian-9-r8
Thanks,
Vassilis
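
A triage check for the two log messages quoted in the report above, as an added example that is not part of the original issue or of the external-dns code: it compares the role named in an `AccessDenied` message with `AWS_ROLE_ARN` and flags the case where the caller is an EC2 instance-profile session instead of the configured role. The account ID, role names and log lines are constructed, and `role_name`, `classify` and the returned labels are hypothetical names.

```python
import re

# STS session ARN as it appears in AWS error text:
#   arn:aws:sts::<account>:assumed-role/<role-name>/<session-name>
ASSUMED_ROLE = re.compile(
    r"arn:aws[\w-]*:sts::[^:\s]*:assumed-role/(?P<role>[^/\s]+)/(?P<session>[^\s\"\\]+)"
)
# EC2 instance-profile credentials use the instance ID as the session name.
INSTANCE_ID = re.compile(r"i-[0-9a-f]{8}(?:[0-9a-f]{9})?")


def role_name(role_arn: str) -> str:
    """Role name from an IAM role ARN; session ARNs omit any IAM path."""
    m = re.fullmatch(r"arn:aws[\w-]*:iam::[^:]*:role/(.+)", role_arn)
    if not m:
        raise ValueError(f"not an IAM role ARN: {role_arn!r}")
    return m.group(1).rsplit("/", 1)[-1]


def classify(log_line: str, configured_role_arn: str) -> str:
    """Label which identity a log line shows the pod calling AWS with."""
    if "NoCredentialProviders" in log_line:
        return "no-credentials"
    m = ASSUMED_ROLE.search(log_line)
    if not m:
        return "no-identity-in-line"
    if m.group("role") == role_name(configured_role_arn):
        return "configured-role"
    if INSTANCE_ID.fullmatch(m.group("session")):
        return "instance-role-fallback"
    return "other-role"


# Constructed sample values (not taken from the report).
ROLE_ARN = "arn:aws:iam::111122223333:role/example-external-dns"
SAMPLES = [
    'level=error msg="AccessDenied: User: arn:aws:sts::111122223333:assumed-role/'
    'example-worker-node-role/i-0123456789abcdef0 is not authorized to perform: '
    'route53:ListHostedZones"',
    'level=error msg="NoCredentialProviders: no valid providers in chain."',
    'level=error msg="AccessDenied: User: arn:aws:sts::111122223333:assumed-role/'
    'example-external-dns/session-1 is not authorized to perform: route53:GetChange"',
]

if __name__ == "__main__":
    for line in SAMPLES:
        print(classify(line, ROLE_ARN))
```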