AuthFailure when trying to assign Elatic IP to a Network Load Balancer

Question

Hello,

When I create Network Load Balancer from AWS Console GUI, it works flawlessly, no error - so my user has all the permission necessary. I use the same user in AWS GUI as I am using in aws-cli,

when i am trying to associate Elastic IP to a Network Load Balancer, it always fails:

$ aws ec2 associate-address --allocation-id eipalloc-003c09aa08f3205c2 --network-interface-id eni-09c5051a9dac70e61 --region eu-central-1
An error occurred (AuthFailure) when calling the AssociateAddress operation: You do not have permission to access the specified resource.

I have no problem to assign this Elastic IP to an EC2 instance:

$ aws ec2 associate-address --allocation-id eipalloc-003c09aa08f3205c2 --network-interface-id eni-06428cfe23042ea43 --region eu-central-1
{
    "AssociationId": "eipassoc-0618f04962b199963"
}

So how to solve this? Many thanks.

Leo K · Accepted Answer

The reason you can't associate an elastic IP with an existing NLB's ENI is because you can only specify the IP address attributes when you create the NLB or when you're telling the NLB to attach to a new subnet with a new ENI.

After each ENI of the NLB is created, it's owned by the AWS account where the Elastic Load Balancing team runs the load balancing infrastructure, and your account won't have the permission to modify their ENIs directly. You have to make modifications through the APIs of the Elastic Load Balancing v2 service, which only allow specifying the EIPs in the situations I mentioned.

The procedure for associating EIPs with your NLB is explained in more detail in this support article: https://repost.aws/knowledge-center/elb-attach-elastic-ip-to-public-nlb

In short, you'll need to recreate your NLB and specify the elastic IPs at creation time.

AuthFailure when trying to assign Elatic IP to a Network Load Balancer

Add your answer

Relevant content