
WebIdentityErr during ALB deployment on EKS cluster

I have deployed the AWS ALB controller on my EKS cluster rel 1.30 by proceeding as mentioned in this documentation: https://docs.aws.amazon.com/eks/latest/userguide/lbc-helm.html. But when I want to create an ingress with the internet-facing annotation, the ALB is not created and I have this message in my ingress resource on EKS: "Failed build model due to WebIdentityErr: failed to retrieve credentials caused by: RequestError: send request failed caused by: Post "https://sts.eu-west-1.amazonaws.com/": dial tcp: lookup sts.eu-west-1.amazonaws.com: i/o timeout". I have also checked all the steps from this post https://repost.aws/knowledge-center/eks-load-balancer-webidentityerr and everything seems to be OK. Rgds.

1 Answer
Accepted Answer

The Ingress Controller needs to assume a role in order to obtain the permissions required to create the ALB.

For it to be able to assume the role, it needs network connectivity to the STS service, which seems to be missing according to the error you shared.

Your EKS worker nodes are probably deployed to a private subnet without outside connectivity.

You have 2 options to solve it:

  1. Create a NAT gateway in a public subnet and add a route in your private subnet to reach 0.0.0.0/0 via the NAT gateway.
  2. Add a VPC endpoint for the STS service (see here)
AWS EXPERT answered 2 years ago; EXPERT reviewed 2 years ago
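
To see which hop fails before choosing between the NAT gateway and the STS VPC endpoint, the added example below (not part of the original answer or of the AWS controller) probes the regional STS endpoint named in the error in two stages, DNS then TCP 443. The function name `probe_sts`, its injectable `resolve`/`connect` parameters and the private-address heuristic are assumptions of this example.

```python
import ipaddress
import socket


def probe_sts(region, resolve=socket.getaddrinfo,
              connect=socket.create_connection, timeout=5):
    """Probe the regional STS endpoint in two stages: DNS, then TCP 443.

    Returns (stage, path, detail): stage is "dns", "tcp" or "ok"; path is
    "private" when every resolved address is private (what an STS interface
    endpoint with private DNS returns), "public" otherwise, None if DNS failed.
    resolve/connect are injectable so the logic can be tested offline.
    """
    host = f"sts.{region}.amazonaws.com"
    try:
        infos = resolve(host, 443, type=socket.SOCK_STREAM)
    except OSError as exc:  # gaierror and timeouts are OSError subclasses
        return "dns", None, f"cannot resolve {host}: {exc}"
    addrs = sorted({info[4][0] for info in infos})
    # Heuristic (assumption of this example): private addresses mean the name
    # is served by a VPC endpoint; public ones need a NAT/internet route.
    private = all(ipaddress.ip_address(a).is_private for a in addrs)
    path = "private" if private else "public"
    last_error = None
    for addr in addrs:
        try:
            connect((addr, 443), timeout=timeout).close()
            return "ok", path, f"{host} -> {addr}:443 reachable"
        except OSError as exc:
            last_error = exc
    return "tcp", path, f"{host} -> {addrs} unreachable on 443: {last_error}"


if __name__ == "__main__":
    # eu-west-1 is the region in the error message quoted in the question.
    stage, path, detail = probe_sts("eu-west-1")
    print(f"stage={stage} path={path} {detail}")
```

Run it from a pod or node inside the cluster, since the result depends on that network's DNS and routes. A `tcp` result with a `public` path is the case the NAT gateway route addresses, while a `private` path shows the endpoint's private DNS is in effect.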
