amazon eks - Where can I view service account created by `eksctl`?

Question

I create a EKS cluster in AWS and use this command to create a service account eksctl create iamserviceaccount --name alb-ingress-controller --cluster $componentName --attach-policy-arn $serviceRoleArn --approve --override-existing-serviceaccounts. The output of the command is:

[?]  using region ap-southeast-2
[?]  1 existing iamserviceaccount(s) (default/alb-ingress-controller) will be excluded
[?]  1 iamserviceaccount (default/alb-ingress-controller) was excluded (based on the include/exclude rules)
[!]  metadata of serviceaccounts that exist in Kubernetes will be updated, as --override-existing-serviceaccounts was set
[?]  no tasks

I am not sure whether it is created successfully or not.

I use this command eksctl get iamserviceaccount to verify the result but get an error response:

Error: getting iamserviceaccounts: no output "Role1" in stack "eksctl-monitor-addon-iamserviceaccount-default-alb-ingress-controller"

I also tried to run kubectl get serviceaccount but I got the error: Error from server (NotFound): serviceaccounts "alb-ingress-controller" not found.

Does this mean the service account failed to create? Where can I view the service account in AWS console? or where can I view the error?

question from:https://stackoverflow.com/questions/65642474/where-can-i-view-service-account-created-by-eksctl

Answer 1

As per the error, it means serviceaccount already exists.

For getting the service account use kubectl

kubectl get serviceaccount <SERVICE_ACCOUNT_NAME> -n kube-system -o yaml

The order is, create the IAM-role, and after that – RBAC Role and binding. Below is command in case you want to override the existing serviceaccount

eksctl --profile <PROFILE_NAME> 
       --region=ap-northeast-2 
       create iamserviceaccount 
       --name alb-ingress-controller 
       --namespace kube-system 
       --override-existing-serviceaccounts 
       --approve --cluster <CLUSTER_NAME> 
       --attach-policy-arn 
       arn:aws:iam::ACCOUNT_ID:policy/ALBIngressControllerIAMPolicy

I found this workshop Amazon EKS Workshop very helpful during my venture into EKS.

More information pertaining to ALB can be found here

EDIT

from this error

[?] 1 existing iamserviceaccount(s) (default/alb-ingress-controller) will be excluded

It seems like the service accounts is created inside the default namespace.

so the command to check the serviceaccount will be

kubectl get serviceaccount <SERVICE_ACCOUNT_NAME> -n default-o yaml