EKS Fargate amazon-cloudwatch-observability addon is not working


I installed EKS Fargate and add-ons with Terraform, enabled IRSA, and created 3 Fargate profiles: external-secrets, kube-system, amazon-cloudwatch. The amazon-cloudwatch-observability pod started successfully in the amazon-cloudwatch namespace. I checked the logs: there is no error or warning. I checked the aws-auth ConfigMap and can see my Fargate profiles there.

I attached the CloudWatchAgentServerPolicy and AWSXrayWriteOnlyAccess roles to the IAM roles of the external-secrets and amazon-cloudwatch Fargate profiles, as written here.

fargate_profile_pod_execution_role_arn and iam_role_arn are the same for a Fargate profile. For example: arn:aws:iam::{account_id}:role/external-secrets-{date_prefix}.

I installed external-secrets with Helm:

helm install external-secrets \
  external-secrets/external-secrets \
  -n external-secrets \
  --create-namespace \
  --set installCRDs=true \
  --set webhook.port=9443

The pods started without any warning or error.

I expected to see external-secrets logs but didn't. The log group is not created automatically. I tailed the logs of the observability pod: there is no movement, no error, no success. So here is my question: what the heck else should I do to make it work?

I tried this approach also and it worked, btw. amazon-cloudwatch-observability and aws-observability are not related (there is no connection between them, it seems).

Answer by Gorgon_Union

You could deploy using a service account with something like the following in Terraform, if you're using OIDC for your cluster:

# IAM role that the add-on's service account assumes via the cluster's OIDC provider (IRSA)
module "cw_metrics_role" {
  source  = "terraform-aws-modules/iam/aws//modules/iam-assumable-role-with-oidc"
  version = "~> 4.7.0"

  create_role = true

  role_name = "cw-observability-role"

  # OIDC issuer URL of the EKS cluster
  provider_url = var.eks_cluster_url

  # Managed policies the CloudWatch agent needs to ship metrics, logs and traces
  role_policy_arns = [
    "arn:aws:iam::aws:policy/CloudWatchAgentServerPolicy",
    "arn:aws:iam::aws:policy/AWSXrayWriteOnlyAccess",
  ]
  number_of_role_policy_arns = 2

  # Restrict the trust policy to exactly this service account in this namespace
  oidc_fully_qualified_subjects = [
    "system:serviceaccount:amazon-cloudwatch:cloudwatch-agent",
  ]

  # Only tokens issued for STS may be exchanged for the role
  oidc_fully_qualified_audiences = [
    "sts.amazonaws.com"
  ]
}

You can then pass the service account role ARN to the add-on:

resource "aws_eks_addon" "cw_metrics" {
  cluster_name  = var.eks_cluster_name
  addon_name    = "amazon-cloudwatch-observability"

  # EKS annotates the add-on's service account with this role ARN
  service_account_role_arn = module.cw_metrics_role.iam_role_arn
}
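Both halves of the IRSA binding the answer relies on (the service account annotated with the role ARN, and a role trust policy that pins the OIDC subject and audience) can be checked offline before blaming the agent. This added Python example is not from the answer or the Terraform module; the account id, OIDC provider host and role ARN are constructed placeholders.

```python
import fnmatch

# Constructed placeholders, not a real account, cluster or role.
OIDC_PROVIDER = "oidc.eks.eu-west-1.amazonaws.com/id/EXAMPLECLUSTERID"
ROLE_ARN = "arn:aws:iam::123456789012:role/cw-observability-role"

# Trust policy of the kind the iam-assumable-role-with-oidc module in the answer emits.
TRUST_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Principal": {"Federated": f"arn:aws:iam::123456789012:oidc-provider/{OIDC_PROVIDER}"},
    "Action": "sts:AssumeRoleWithWebIdentity",
    "Condition": {"StringEquals": {
        f"{OIDC_PROVIDER}:aud": "sts.amazonaws.com",
        f"{OIDC_PROVIDER}:sub": "system:serviceaccount:amazon-cloudwatch:cloudwatch-agent"}},
}]}

# The add-on's ServiceAccount, annotated so the EKS pod identity webhook injects the role.
SERVICE_ACCOUNT = {"metadata": {
    "name": "cloudwatch-agent", "namespace": "amazon-cloudwatch",
    "annotations": {"eks.amazonaws.com/role-arn": ROLE_ARN}}}

def _as_list(v):
    return v if isinstance(v, list) else [v]

def _matches(stmt, key, value):
    """StringEquals is exact; StringLike allows * and ?, which fnmatchcase mirrors."""
    cond = stmt.get("Condition", {})
    patterns = _as_list(cond.get("StringEquals", {}).get(key, [])) + \
        _as_list(cond.get("StringLike", {}).get(key, []))
    return any(fnmatch.fnmatchcase(value, p) for p in patterns)

def trust_policy_allows(policy, provider, namespace, sa_name, audience="sts.amazonaws.com"):
    """True only if an Allow statement for this provider pins both aud and sub."""
    want_sub = f"system:serviceaccount:{namespace}:{sa_name}"
    for stmt in _as_list(policy.get("Statement", [])):
        federated = _as_list(stmt.get("Principal", {}).get("Federated", []))
        if (stmt.get("Effect") == "Allow"
                and "sts:AssumeRoleWithWebIdentity" in _as_list(stmt.get("Action", []))
                and any(f.endswith("/" + provider) for f in federated)
                and _matches(stmt, f"{provider}:aud", audience)
                and _matches(stmt, f"{provider}:sub", want_sub)):
            return True
    return False

def irsa_binding_ok(sa, policy, provider, role_arn):
    """Both halves of IRSA: the SA names the role, and the role trusts exactly that SA."""
    meta = sa.get("metadata", {})
    if meta.get("annotations", {}).get("eks.amazonaws.com/role-arn") != role_arn:
        return False
    return trust_policy_allows(policy, provider, meta.get("namespace", "default"), meta.get("name", ""))
```

A policy whose condition pins only the audience is rejected on purpose: without the `sub` key any service account in the cluster could assume the role.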