csi-driver | Kubernetes CSI plugin to automatically mount | Storage library

You're using the wrong version in your chart invocation.

The version you're selecting is the application version, ie the release version of the underlying application. You need to set the Chart version, see here which is defined here

the following works:

K8s is hard to get right sometimes. The examples on Github are shown for version 1.21 [1]. Because of that, if you leave only this:

When you use self sign a certificate, your Operating System or Browser wont trust this Cert, as it is self signed and considered insecure for the Internet.

You need to use a Cert from a valid Certification Authority or import your CA root cert that created the cert into your OS or Browser. But every user need to so this.

A better approach is Cert-Manager ff you are using AKS. Cert-Manager can issue certificates from LetsEncrypt. Here is a workflow from Microsoft for this.

Ok I misunderstood you at the beginning.

When you are creating GKE cluster you can specify which GCP Service Account will be used by this cluster, like below:

By Default it's Compute Engine default service account (71025XXXXXX-compute@developer.gserviceaccount.com) which is lack of a few Cloud Product permissions (like Cloud Storage, it has Read Only). It's even described in this message.

If you want to check which Service Account was set by default to VM, you could do this via

Compute Engine > VM Instances > Choose one of the VMs from this cluster > In details find API and identity management

So You have like 3 options to solve this issue:

1. During Cluster creation

In Node Pools > Security, you have Access scopes where you can add some additional permissions.

• Allow full access to all Cloud APIs to allow access for all listed Cloud APIs
• Set access for each API

In your case you could just use Set access for each API and change Storage to Full.

2. Set permissions with a Service Account You would need to create a new Service Account and provide proper permissions for Compute Engine and Storage. More details about how to create SA you can find in Creating and managing service accounts.

3. Use Workload Identity

Workload Identity on your Google Kubernetes Engine (GKE) clusters. Workload Identity allows workloads in your GKE clusters to impersonate Identity and Access Management (IAM) service accounts to access Google Cloud services.

For more details you should check Using Workload Identity.

Useful links

• Configuring Velero - Velero is software for backup and restore, however steps 2 and 3 are mentioned there. You would just need to adjust commands/permissions to your scenario.
• Authenticating to Google Cloud with service accounts

For managedNodeGroup you need to specify the AMI ID:

aws ssm get-parameter --name /aws/service/eks/optimized-ami/1.21/amazon-linux-2/recommended/image_id --region us-east-1 --query "Parameter.Value" --output text

Posted community wiki answer for better visibility. Feel free to expand it.

Based on @Miantian comment:

The reason was the efs driver image is using the different region from mine. I changed to the right one and it works.

You can find steps to setup the Amazon EFS CSI driver in the proper region in this documentation.

By default the StorageClass field provisioningMode is unset, please set it to provisioningMode: "efs-ap" to enable dynamic provision with access point.

After doing some tests, it seems that the process that I was following was correct. Most probably, I was using principalId instead of clientId in role assignment for the AKS managed identity.

Key points for someone else that is facing similar issues:

1. Check what the managed identity created automatically by AKS is. Check for the clientId; e.g.,

i was able to solve this issue by updating the entrypoint.sh to export the secrets to env variables. Something like this: