
Service Account Annotation Configuration for aws-ebs-csi-driver v1.40.0-eksbuild.1

0

My EKS cluster is using the EKS managed add-on for the AWS EBS CSI Driver and is currently at v1.38.1-eksbuild.2. I am managing this add-on (and my entire cluster) using Terraform. The cluster_addons aws-ebs-csi-driver configuration block in the terraform-aws-modules/eks/aws module looks like this:

    aws-ebs-csi-driver = {
      most_recent = true
      configuration_values = jsonencode({
        controller = {
          serviceAccount = {
            annotations = {
              "eks.amazonaws.com/role-arn" = aws_iam_role.aws_ebs_csi_driver.arn
            }
          }
        }
      })
    }

Today, I went to apply some changes to my cluster and it picked up the most_recent value of the driver (v1.40.0-eksbuild.1) and attempted to apply it. It failed with the following error:

    Error: updating EKS Add-On (******-eks-cluster:aws-ebs-csi-driver): operation error EKS: UpdateAddon, https response error StatusCode: 400,
    RequestID: f67786bc-d0d6-406d-a3be-366a5bf80d0c, InvalidParameterException: ConfigurationValue provided in request is not supported: Json schema validation failed with error:
    [$.controller.serviceAccount.annotations: is not defined in the schema and the schema does not allow additional properties]

When using the command to describe the available configuration properties for these two versions of the add-on, I see that the config for $.properties.controller.serviceAccount went from this in v1.38.1-eksbuild.2:

    {
      "additionalProperties": false,
      "properties": {
        "annotations": {
          "default": null,
          "description": "Additional annotations added to the ebs-csi-controller-sa service account",
          "type": [
            "object",
            "null"
          ]
        }
      }
    }

to this in v1.40.0-eksbuild.1:

    {
      "additionalProperties": false,
      "properties": {
        "automountServiceAccountToken": {
          "default": "true",
          "description": "Enable if EKS IAM for SA is used",
          "type": "boolean"
        }
      },
      "type": "object"
    }

I am still new to working with EKS and all of these configurations, so it's very likely I'm missing something here. But, how am I supposed to be able to perform this update? It seems likely that things might continue to work as the service role already exists and the annotations have already been applied.

The guidance on this is a bit lacking. When I look at the schema definition for this config object in the kubernetes-sigs/aws-ebs-csi-driver repo at the v1.40.0 release, I see additional fields (including the one that I wish to continue using) defined there. But I haven't been able to determine how to look at the source for the EKS vended add-on, nor have I been able to find any upgrade guidance for making the switch to 1.40.0 that discusses this.

Any help/advice/etc. would be greatly appreciated!

Thanks, Jake

asked 8 months ago · 694 views
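The schema mismatch in the question can be caught before `terraform apply` by validating the decoded `configuration_values` against the schema that `aws eks describe-addon-configuration --addon-name aws-ebs-csi-driver --addon-version <version>` returns for the target version. The script below is an added example, not code from the question, from Terraform or from AWS. It embeds the two `serviceAccount` schema fragments quoted in the question, wraps them in a constructed root schema (the real schema carries many more `controller` properties that are omitted here), uses a placeholder role ARN, and implements only the JSON Schema keywords the error exercises (`type`, `properties`, `additionalProperties`) with the standard library so it runs offline:

```python
"""Pre-flight check of EKS add-on configuration_values against an add-on version's
configuration schema. Added example, not code from the question, Terraform or AWS.
Only the JSON Schema keywords the error in the question exercises (type, properties,
additionalProperties) are implemented, using the standard library only.
"""
import json

# Schema fragments copied from the question (the serviceAccount object in each version).
SA_SCHEMA_V1_38_1 = {
    "additionalProperties": False,
    "properties": {
        "annotations": {
            "default": None,
            "description": "Additional annotations added to the ebs-csi-controller-sa service account",
            "type": ["object", "null"],
        }
    },
}

SA_SCHEMA_V1_40_0 = {
    "additionalProperties": False,
    "properties": {
        "automountServiceAccountToken": {
            "default": "true",
            "description": "Enable if EKS IAM for SA is used",
            "type": "boolean",
        }
    },
    "type": "object",
}


def wrap_controller_schema(service_account_schema):
    """Constructed root schema that places the fragment at
    $.properties.controller.properties.serviceAccount; the real schema has many more
    controller properties, which are omitted here."""
    return {
        "type": "object",
        "properties": {
            "controller": {
                "type": "object",
                "properties": {"serviceAccount": service_account_schema},
            }
        },
    }


def load_configuration_schema(describe_output):
    """Parse `aws eks describe-addon-configuration` output. The schema arrives as a
    JSON-encoded string in the "configurationSchema" field, hence the second json.loads."""
    return json.loads(json.loads(describe_output)["configurationSchema"])


_PY_TYPES = {"object": dict, "array": list, "string": str, "boolean": bool, "null": type(None)}


def _type_ok(value, declared):
    """JSON Schema "type" check; "type" may be one name or a list of names."""
    for t in declared if isinstance(declared, list) else [declared]:
        if t in ("number", "integer"):
            # bool is a subclass of int in Python, so exclude it explicitly.
            if isinstance(value, (int, float)) and not isinstance(value, bool):
                if t == "number" or isinstance(value, int):
                    return True
        elif isinstance(value, _PY_TYPES.get(t, ())):
            return True
    return False


def validate(value, schema, path="$"):
    """Return error strings worded like the EKS InvalidParameterException; [] means valid."""
    if "type" in schema and not _type_ok(value, schema["type"]):
        return [f"{path}: expected type {schema['type']}, got {type(value).__name__}"]
    errors = []
    if isinstance(value, dict):
        props = schema.get("properties", {})
        extra = schema.get("additionalProperties", True)
        for key, sub in value.items():
            if key in props:
                errors.extend(validate(sub, props[key], f"{path}.{key}"))
            elif extra is False:
                errors.append(f"{path}.{key}: is not defined in the schema and the schema does not allow additional properties")
            elif isinstance(extra, dict):
                errors.extend(validate(sub, extra, f"{path}.{key}"))
    return errors


def preflight(configuration_values, describe_output):
    """Validate decoded configuration_values against the schema for the target version."""
    return validate(configuration_values, load_configuration_schema(describe_output))


# Constructed stand-in for the describe-addon-configuration response for v1.40.0-eksbuild.1.
DESCRIBE_V1_40_0 = json.dumps({
    "addonName": "aws-ebs-csi-driver",
    "addonVersion": "v1.40.0-eksbuild.1",
    "configurationSchema": json.dumps(wrap_controller_schema(SA_SCHEMA_V1_40_0)),
})

# The questioner's configuration_values (placeholder role ARN) and the v1.40.0-shaped replacement.
OLD_VALUES = {"controller": {"serviceAccount": {"annotations": {
    "eks.amazonaws.com/role-arn": "arn:aws:iam::123456789012:role/aws-ebs-csi-driver"}}}}
NEW_VALUES = {"controller": {"serviceAccount": {"automountServiceAccountToken": True}}}

if __name__ == "__main__":
    for label, values in (("old", OLD_VALUES), ("new", NEW_VALUES)):
        print(label, preflight(values, DESCRIBE_V1_40_0) or "ok")
```

Run against the real CLI output, `preflight(json.loads(configuration_values), describe_output)` reproduces the `$.controller.serviceAccount.annotations` error offline, and also shows the converse: the `automountServiceAccountToken` key is rejected by the v1.38.1 schema, so the two shapes are not interchangeable across versions.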
2 Answers
1

Thank you for providing such a detailed description of your issue, Jake. It appears that the configuration schema for the AWS EBS CSI Driver add-on has changed significantly between versions v1.38.1-eksbuild.2 and v1.40.0-eksbuild.1, which is causing the update to fail.

The error message suggests that the new version no longer supports the 'annotations' field under the 'serviceAccount' configuration. Instead, it now has an 'automountServiceAccountToken' property.

To resolve this issue and successfully update to v1.40.0-eksbuild.1, you'll need to modify your Terraform configuration. Here's a suggested approach:

  1. Remove the 'annotations' field from your configuration.
  2. Add the 'automountServiceAccountToken' field and set it to true.

Your updated Terraform configuration might look like this:

aws-ebs-csi-driver = {
  most_recent = true
  configuration_values = jsonencode({
    controller = {
      serviceAccount = {
        automountServiceAccountToken = true
      }
    }
  })
}

This change aligns with the new configuration schema you described for v1.40.0-eksbuild.1.

However, it's important to note that removing the 'annotations' field means you're no longer explicitly setting the IAM role ARN in the service account annotations. This could potentially affect how the EBS CSI Driver interacts with AWS services.

To ensure that the EBS CSI Driver still has the necessary permissions:

  1. Verify that you have an IAM Role for Service Account (IRSA) set up for the EBS CSI Driver.
  2. Make sure you have an OpenID Connect (OIDC) endpoint associated with your cluster.
  3. Confirm that the service account 'ebs-csi-controller-sa' in the 'kube-system' namespace is properly configured with the correct IAM role.

If these are not already in place, you may need to set them up separately from the add-on configuration.

After making these changes, try applying your Terraform configuration again. If you continue to experience issues, you may want to consider temporarily pinning to the previous version (v1.38.1-eksbuild.2) in your Terraform configuration while you further investigate the changes introduced in v1.40.0-eksbuild.1.

Lastly, for the most up-to-date and accurate information on configuring EKS add-ons, always refer to the official AWS documentation and consider reaching out to AWS support if you need further clarification on these changes.
Sources
Community | Dynamic Database Storage with the Amazon EBS CSI Driver for Amazon EKS

answered 8 months ago
EXPERT
reviewed 8 months ago
0

Hey Jake,

I ran across the same issue and here is what I found that worked for me:

cluster_addons = {
  aws-ebs-csi-driver = {
    most_recent              = true  # belongs inside the add-on block, not at the cluster_addons map level
    service_account_role_arn = aws_iam_role.aws_ebs_csi_driver.arn
  }
}

Found the service_account_role_arn when looking at: https://registry.terraform.io/providers/hashicorp/aws/latest/docs/resources/eks_addon#service_account_role_arn-1

I'm also not sure how you're generating your role but you may want to look into the iam-role-for-service-accounts-eks module to do that. (It's pretty awesome and can even create the roles for cert-manager / external-secrets / etc)

module "ebs_csi_irsa_role" {
  source    = "terraform-aws-modules/iam/aws//modules/iam-role-for-service-accounts-eks"

  role_name                     = "ebs-csi-role"

  attach_ebs_csi_policy = true

  oidc_providers = {
    main = {
      provider_arn               = module.eks.oidc_provider_arn
      namespace_service_accounts = ["kube-system:ebs-csi-controller-sa"]
    }
  }
}
AWS
answered 5 months ago
