How do I troubleshoot "Unable to fetch credentials" errors when I try to activate EKS Pod Identity on my clusters?


I want my Amazon Elastic Kubernetes Service (Amazon EKS) clusters to use EKS Pod Identity. However, I receive an "Unable to fetch credentials" error.

Resolution

Note: If you receive errors when you run AWS Command Line Interface (AWS CLI) commands, then see Troubleshooting errors for the AWS CLI. Also, make sure that you're using the most recent AWS CLI version.

When you try to activate EKS Pod Identity on your Amazon EKS clusters, you might receive one of the following errors:

  • "Error when retrieving credentials from container-role: Error retrieving metadata: Received error when attempting to retrieve container metadata: Read timeout on endpoint URL: http://169.254.170.23/v1/credentials"
  • "Unable to fetch credentials: error getting credentials to cache: unable to fetch credentials from EKS Auth: operation error EKS Auth"

To troubleshoot these errors, take the following actions:

  • To retrieve the logs from an eks-pod-identity-agent pod, run the following command. The agent runs as a DaemonSet, so ds/eks-pod-identity-agent selects one of its pods:

    kubectl logs -f ds/eks-pod-identity-agent -n kube-system

  • If you have a private cluster, then make sure that you allow the eks-auth endpoint in AWS PrivateLink.

  • To verify your role settings, open the application pod's shell, and then run the following get-caller-identity AWS CLI command:

    aws sts get-caller-identity

  • Confirm that a firewall isn't blocking the eks-auth endpoint.

  • If you use proxy configurations, then confirm that https_proxy is configured for the EKS Pod Identity Agent. To set it, run the following command:

    kubectl set env ds/eks-pod-identity-agent https_proxy="PROXY-URL" -n kube-system
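
The two error messages listed above fail at different hops: the first is a timeout from the pod to the agent address 169.254.170.23, and the second is the agent failing to call EKS Auth. The following shell functions are an added example, not AWS code, that sort collected log lines by error and name the check from this article to start with. The category names, the mapping to checks, and the sample log lines are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example: triage log lines against the two errors quoted in this article.

# Classify one log line (category names are illustrative assumptions).
classify_line() {
    case "$1" in
        *"timeout"*"169.254.170.23"*) echo "agent-unreachable" ;;
        *"unable to fetch credentials from EKS Auth"*) echo "eks-auth-unreachable" ;;
        *) echo "other" ;;
    esac
}

# Suggest which of the article's checks to run first for a category.
next_step() {
    case "$1" in
        agent-unreachable)
            echo "kubectl logs -f ds/eks-pod-identity-agent -n kube-system" ;;
        eks-auth-unreachable)
            echo "check PrivateLink, firewall and https_proxy for the eks-auth endpoint" ;;
        *)
            echo "aws sts get-caller-identity (from the application pod)" ;;
    esac
}

# Read log lines on stdin and print a count per category.
triage() {
    agent=0 auth=0 other=0
    while IFS= read -r line; do
        case "$(classify_line "$line")" in
            agent-unreachable) agent=$((agent + 1)) ;;
            eks-auth-unreachable) auth=$((auth + 1)) ;;
            *) other=$((other + 1)) ;;
        esac
    done
    echo "agent-unreachable=$agent eks-auth-unreachable=$auth other=$other"
}

# Constructed sample input: the two error strings from this article plus filler.
sample_log() {
cat <<'EOF'
Error retrieving metadata: Read timeout on endpoint URL: http://169.254.170.23/v1/credentials
Unable to fetch credentials: error getting credentials to cache: unable to fetch credentials from EKS Auth: operation error EKS Auth
level=info msg="constructed filler line"
unable to fetch credentials from EKS Auth: operation error EKS Auth
EOF
}

sample_log | triage
```

To use it on real output, pipe saved application or agent logs into triage, then pass the category with the highest count to next_step.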

AWS OFFICIAL Updated 10 days ago