I recently created an EKS cluster, letting eksctl create the necessary resources. The cluster is using Istio 1.4.3, so I am expecting the classic load balancer to be utilized. I am trying to troubleshoot what is happening with incoming HTTP requests to the classic load balancer (used via the istio-ingressgateway Service type: LoadBalancer instance). I followed the instructions at https://docs.aws.amazon.com/elasticloadbalancing/latest/application/load-balancer-access-logs.html and, via the EC2 Console's "Load Balancer" -> instance -> Description's attribution section, I enabled the use of a new S3 bucket for the ELB log. So the creation of policies was done by this enabling, and the test log showed up in the expected path within the bucket. I'm seeing the expected ELB log files showing up in the S3 bucket in the documented folder structure. The userid has the associated role policy arn:aws:iam::aws:policy/aws-service-role/AWSElasticLoadBalancingServiceRolePolicy, and the IAM permissions tab shows the EC2 service as being linked to this policy, so I'm assuming (dangerous, right?) that the ELB instances are authorized to (access level: List, write) write messages to the S3 log files.

But my question is: subsequent HTTP requests directed at the ELB's public IP address don't show in the log; what shows up is:
<Error>
<Code>AccessDenied</Code>
<Message>Access Denied</Message>
<RequestId>9492B44E9C24B9E1</RequestId>
<HostId>
FIlVp2wpilOs1tUq4WPYb9SPjjysP2mrwODVT3IrYg9tFj0YzXpiMbiXJjvPmaXe+revD6YnMp0=
</HostId>
</Error>
I am wondering what this indicates, other than obviously some sort of issue... i.e. root cause, needed correction. MTIA for any insights or suggestions. I'm sure I'm leaving out of this post some info that might be useful; I'm trying to keep my posts shorter (pun: balancing act...)
Edited by: SteveHespelt on Apr 29, 2020 7:27 AM