EKS AWS Load Balancer Controller - ingress created but the ALB is not


I installed AWS Load Balancer Controller through Helm. The ingress is created but the ALB is not and I am getting an error.

I followed the guide below. -> https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/aws-load-balancer-controller.html

  • Deployment / Service - logs ERROR {"level":"error","ts":1674024616.2905765,"logger":"controller.ingress","msg":"Reconciler error","name":...,"namespace":...,"error":"UnauthorizedOperation: You are not authorized to perform this operation.\n\tstatus code: 403}
  • ingress ERROR Warning FailedBuildModel 19s ingress Failed build model due to UnauthorizedOperation: You are not authorized to perform this operation. status code: 403
4 Answers

At first glance, this seems like a permission error. Have You checked Your IAM policies and IAM roles to see if they are set up correctly?

Is Your cluster in US-East or US-West region or other region (step 1.a. and 1.b. of provided link)?

Is the service account created correctly (step 2. of the provided link)?

Can You provide the exact helm command that You've run - without sensitive information?

answered a year ago
reviewed 2 months ago
  • [Region] ap-northeast-2
    1.a => curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
    1.b => aws iam create-policy \
        --policy-name AWSLoadBalancerControllerIAMPolicy \
        --policy-document file://iam_policy.json

    [Policy] AWSLoadBalancerControllerIAMPolicy => https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.4.4/docs/install/iam_policy.json
    Node Group Role, Cluster Role => EC2 Full, IAM Full, CloudFormation Full, ElasticLoadBalancing Full, EKS Full ..

    [Service Account]
    Name: aws-load-balancer-controller
    Namespace: XXXXXX
    Labels: app.kubernetes.io/managed-by=eksctl
    Annotations: eks.amazonaws.com/role-arn: arn:aws:iam::XXXXXX:role/eksctl-XXXXXX-addon-iamserviceacc-Role1-XXXXXX
    Image pull secrets: <none>
    Mountable secrets: <none>
    Tokens: <none>
    Events: <none>

    [Helm]
    $ helm install aws-load-balancer-controller eks/aws-load-balancer-controller \
        -n XXXXXX \
        --set clusterName=XXXXXX \
        --set serviceAccount.create=false \
        --set serviceAccount.name=aws-load-balancer-controller \
        --set image.repository=602401143452.dkr.ecr.ap-northeast-2.amazonaws.com/amazon/aws-load-balancer-controller

    Thank You


Everything You provided seems correct.

If the role created - eksctl-XXXXXX-addon-iamserviceacc-Role1-XXXXXX - has AWSLoadBalancerControllerIAMPolicy attached, You can check this by running:

aws iam list-attached-role-policies --role-name eksctl-XXXXXX-addon-iamserviceacc-Role1-XXXXXX

If it is attached, and I believe it is, try the steps mentioned in the comment above by Ahmad Ul Islam.

answered a year ago
  • yes it is already attached...
    {
      "AttachedPolicies": [
        {
          "PolicyName": "AWSLoadBalancerControllerIAMPolicy",
          "PolicyArn": "arn:aws:iam::XXXXXX:policy/AWSLoadBalancerControllerIAMPolicy"
        }
      ]
    }

    ㅠㅠ... it's difficult .. Thank you for replying!


The error message "UnauthorizedOperation: You are not authorized to perform this operation. status code: 403" typically indicates that the AWS Load Balancer Controller does not have the necessary permissions to create or modify resources in your AWS account.

Here are a few things you can check to troubleshoot the issue:

Verify that the AWS credentials you are using to authenticate the Load Balancer Controller have the necessary permissions to create and modify resources in your AWS account.

Ensure that the IAM role associated with the Load Balancer Controller has the necessary permissions to create and modify resources in your AWS account.

Make sure that the Load Balancer Controller has the necessary permissions to access the resources specified in the Ingress resource.

If you are using an IAM Role for Service Accounts (IRSA) for authentication, check if the role is correctly associated with the Load Balancer Controller.

Verify that you are running the Load Balancer Controller in the same AWS account and region as the resources it is trying to access.

Check the AWS Load Balancer Controller log for more information about the error.

If you are still having issues after going through these steps, you might want to refer to the AWS Load Balancer Controller documentation or AWS Support for further assistance.

answered a year ago

I solved it!!!!!!

https://docs.aws.amazon.com/ko_kr/eks/latest/userguide/aws-load-balancer-controller.html => v2.4.4

I changed to v2.2.0 (curl -o iam_policy.json https://raw.githubusercontent.com/kubernetes-sigs/aws-load-balancer-controller/v2.2.0/docs/install/iam_policy.json)

It works!!!!!!

But I can't understand why the official website version is not available...

answered a year ago
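
Added example (not part of any answer above, and not the project's own code): since the thread turns on which `iam_policy.json` is attached to the controller's role, this sketch compares two policy documents and reports actions that one grants outright while the other grants only under a `Condition` or not at all. The two sample documents and the action list are constructed for illustration; the check looks only at `Allow` statements and ignores `Deny`, `NotAction` and `Resource` scoping.

```python
import fnmatch

def _listify(v):
    """IAM accepts a single string/object where a list is expected."""
    return v if isinstance(v, list) else [v]

def allow_rules(policy):
    """Flatten Allow statements into (lowercased action pattern, has_condition)."""
    rules = []
    for stmt in _listify(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _listify(stmt.get("Action", [])):
            rules.append((pattern.lower(), bool(stmt.get("Condition"))))
    return rules

def status(policy, action):
    """'allowed', 'conditional' (only granted under a Condition) or 'missing'."""
    hits = [cond for pat, cond in allow_rules(policy)
            if fnmatch.fnmatchcase(action.lower(), pat)]  # IAM actions are case-insensitive
    if not hits:
        return "missing"
    return "conditional" if all(hits) else "allowed"

def compare(first, second, actions):
    """Actions whose status differs between two policy documents."""
    diff = {}
    for a in actions:
        s1, s2 = status(first, a), status(second, a)
        if s1 != s2:
            diff[a] = (s1, s2)
    return diff

# Constructed sample documents, NOT the contents of any released iam_policy.json.
POLICY_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["ec2:Describe*", "elasticloadbalancing:*"], "Resource": "*"},
]}
POLICY_NARROW = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "ec2:DescribeVpcs", "Resource": "*"},
    {"Effect": "Allow", "Action": "elasticloadbalancing:CreateLoadBalancer", "Resource": "*",
     "Condition": {"Null": {"aws:RequestTag/elbv2.k8s.aws/cluster": "false"}}},
]}
# Constructed sample of actions to test, not the controller's full requirement list.
NEEDED = ["ec2:DescribeVpcs", "ec2:DescribeAvailabilityZones",
          "elasticloadbalancing:CreateLoadBalancer", "ec2:CreateSecurityGroup"]

if __name__ == "__main__":
    for action, (s1, s2) in compare(POLICY_BROAD, POLICY_NARROW, NEEDED).items():
        print(f"{action}: {s1} in first document, {s2} in second")
```

To run it against real files, load each downloaded `iam_policy.json` with `json.load` and pass the resulting dicts to `compare`.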
