Skip to content

SecurityGroup not managed by ACK after creation if IAM role is missing ec2:RevokeSecurityGroupEgress #2849

Description

@knottnt

Describe the bug
When creating a SecurityGroup, if an IAM role is used that doesn't have the ec2:RevokeSecurityGroupEgress permission the ec2-controller will successfully create the SecurityGroup, but report an ACK.Terminal condition with the below message.

This resource already exists but is not managed by ACK. To bring the resource under ACK management, you should explicitly adopt the resource by enabling the ResourceAdoption feature gate and populating the `services.k8s.aws/adoption-policy` and `services.k8s.aws/adoption-fields` annotations.

However, in the controller logs we'll see that the below error occurred. Although it is not reported in the SecurityGroup resource's Status conditions.

{"level":"error","ts":"2026-04-07T19:33:57.124-0700","msg":"Reconciler error","controller":"securitygroup","controllerGroup":"ec2.services.k8s.aws","controllerKind":"SecurityGroup","SecurityGroup":{"name":"ack-demo-sg","namespace":"default"},"namespace":"default","name":"ack-demo-sg","reconcileID":"ea4e4c3e-0662-477f-8344-9bbe21d5724b","error":"operation error EC2: RevokeSecurityGroupEgress, https response error StatusCode: 403, api error UnauthorizedOperation: You are not authorized to perform this operation. User: <test-role> is not authorized to perform: ec2:RevokeSecurityGroupEgress on resource: arn:aws:ec2:us-west-2:123456789012:security-group/sg-12345 with an explicit deny in an identity-based policy.

Steps to reproduce

  1. Start the ec2-controller using an IAM role that lacks ec2:RevokeSecurityGroupEgress
  2. Create a new SecurityGroup
metadata:
  name: ack-demo-sg
spec:
  name: ack-demo-sg
  description: "Sample security group managed by ACK"
  vpcID: vpc-12345
  tags:
    - key: Name
      value: ack-demo-sg
    - key: Environment
      value: development
  1. Describe the security group
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
  annotations:
  name: ack-demo-sg
  namespace: default
spec:
  description: Sample security group managed by ACK
  name: ack-demo-sg
  tags:
  - key: Name
    value: ack-demo-sg
  - key: Environment
    value: development
  vpcID: vpc-12345
status:
  ackResourceMetadata:
    arn: arn:aws:ec2:us-west-2:12345:security-group/sg-12345
    ownerAccountID: "12345"
    region: us-west-2
  conditions:
  - lastTransitionTime: "2026-04-08T02:33:57Z"
    message: Resource already exists
    reason: This resource already exists but is not managed by ACK. To bring the resource
      under ACK management, you should explicitly adopt the resource by enabling the
      ResourceAdoption feature gate and populating the `services.k8s.aws/adoption-policy`
      and `services.k8s.aws/adoption-fields` annotations.
    status: "True"
    type: ACK.Terminal
  - lastTransitionTime: "2026-04-08T02:33:57Z"
    message: Resource not synced
    reason: resource is in terminal condition
    status: "False"
    type: ACK.ResourceSynced
  - lastTransitionTime: "2026-04-08T02:33:57Z"
    message: Resource already exists
    reason: ACK.Terminal
    status: "False"
    type: Ready
  id: sg-12345
  rules:
  - cidrIPv4: 0.0.0.0/0
    fromPort: -1
    ipProtocol: "-1"
    isEgress: true
    securityGroupRuleID: sgr-12345
    toPort: -1
  1. Check AWS console to and see that SecurityGroup with matching ID was still created

Expected outcome
The ec2-controller correctly marks the SecurityGroup as managed by ACK and reports an ACK.Recoverable condition with the UnauthorizedOperation as the reason.

Environment

  • Kubernetes version
  • Using EKS (yes/no), if so version? yes, 1.34
  • AWS service targeted (S3, RDS, etc.) EC2

Metadata

Metadata

Assignees

No one assigned

    Labels

    kind/bugCategorizes issue or PR as related to a bug.service/ec2Indicates issues or PRs that are related to ec2-controller.

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions