Describe the bug
When creating a SecurityGroup, if an IAM role is used that doesn't have the ec2:RevokeSecurityGroupEgress permission the ec2-controller will successfully create the SecurityGroup, but report an ACK.Terminal condition with the below message.
This resource already exists but is not managed by ACK. To bring the resource under ACK management, you should explicitly adopt the resource by enabling the ResourceAdoption feature gate and populating the `services.k8s.aws/adoption-policy` and `services.k8s.aws/adoption-fields` annotations.
However, in the controller logs we'll see that the below error occurred. Although it is not reported in the SecurityGroup resource's Status conditions.
{"level":"error","ts":"2026-04-07T19:33:57.124-0700","msg":"Reconciler error","controller":"securitygroup","controllerGroup":"ec2.services.k8s.aws","controllerKind":"SecurityGroup","SecurityGroup":{"name":"ack-demo-sg","namespace":"default"},"namespace":"default","name":"ack-demo-sg","reconcileID":"ea4e4c3e-0662-477f-8344-9bbe21d5724b","error":"operation error EC2: RevokeSecurityGroupEgress, https response error StatusCode: 403, api error UnauthorizedOperation: You are not authorized to perform this operation. User: <test-role> is not authorized to perform: ec2:RevokeSecurityGroupEgress on resource: arn:aws:ec2:us-west-2:123456789012:security-group/sg-12345 with an explicit deny in an identity-based policy.
Steps to reproduce
- Start the ec2-controller using an IAM role that lacks
ec2:RevokeSecurityGroupEgress
- Create a new SecurityGroup
metadata:
name: ack-demo-sg
spec:
name: ack-demo-sg
description: "Sample security group managed by ACK"
vpcID: vpc-12345
tags:
- key: Name
value: ack-demo-sg
- key: Environment
value: development
- Describe the security group
apiVersion: ec2.services.k8s.aws/v1alpha1
kind: SecurityGroup
metadata:
annotations:
name: ack-demo-sg
namespace: default
spec:
description: Sample security group managed by ACK
name: ack-demo-sg
tags:
- key: Name
value: ack-demo-sg
- key: Environment
value: development
vpcID: vpc-12345
status:
ackResourceMetadata:
arn: arn:aws:ec2:us-west-2:12345:security-group/sg-12345
ownerAccountID: "12345"
region: us-west-2
conditions:
- lastTransitionTime: "2026-04-08T02:33:57Z"
message: Resource already exists
reason: This resource already exists but is not managed by ACK. To bring the resource
under ACK management, you should explicitly adopt the resource by enabling the
ResourceAdoption feature gate and populating the `services.k8s.aws/adoption-policy`
and `services.k8s.aws/adoption-fields` annotations.
status: "True"
type: ACK.Terminal
- lastTransitionTime: "2026-04-08T02:33:57Z"
message: Resource not synced
reason: resource is in terminal condition
status: "False"
type: ACK.ResourceSynced
- lastTransitionTime: "2026-04-08T02:33:57Z"
message: Resource already exists
reason: ACK.Terminal
status: "False"
type: Ready
id: sg-12345
rules:
- cidrIPv4: 0.0.0.0/0
fromPort: -1
ipProtocol: "-1"
isEgress: true
securityGroupRuleID: sgr-12345
toPort: -1
- Check AWS console to and see that SecurityGroup with matching ID was still created
Expected outcome
The ec2-controller correctly marks the SecurityGroup as managed by ACK and reports an ACK.Recoverable condition with the UnauthorizedOperation as the reason.
Environment
- Kubernetes version
- Using EKS (yes/no), if so version? yes, 1.34
- AWS service targeted (S3, RDS, etc.) EC2
Describe the bug
When creating a SecurityGroup, if an IAM role is used that doesn't have the ec2:RevokeSecurityGroupEgress permission the ec2-controller will successfully create the SecurityGroup, but report an ACK.Terminal condition with the below message.
However, in the controller logs we'll see that the below error occurred. Although it is not reported in the SecurityGroup resource's Status conditions.
Steps to reproduce
ec2:RevokeSecurityGroupEgressExpected outcome
The ec2-controller correctly marks the SecurityGroup as managed by ACK and reports an ACK.Recoverable condition with the
UnauthorizedOperationas the reason.Environment