
I am using the SQS scaler for KEDA to scale a deployment. At present I am using operator-based identityOwner for the ScaledObject. I have built an IAM role with the following permissions and trust relationship:

permission

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "KedaSQSReadPermission",
            "Effect": "Allow",
            "Action": "sqs:GetQueueAttributes",
            "Resource": "arn:aws:sqs:<region-name>:<account-id>:<test-queue>"
        },
        {
            "Sid": "KedaSQSListPermission",
            "Effect": "Allow",
            "Action": "sqs:ListQueues",
            "Resource": ["*"]
        }
    ]
}

trust relationship

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "",
            "Effect": "Allow",
            "Principal": {
                "Federated": "arn:aws:iam::<account-id>:oidc-provider/oidc.eks.<region-name>.amazonaws.com/id/<oidc-id>"
            },
            "Action": "sts:AssumeRoleWithWebIdentity",
            "Condition": {
                "StringEquals": {
                    "oidc.eks.<region-name>.amazonaws.com/id/<oidc-id>:sub": "system:serviceaccount:keda:keda-operator"
                }
            }
        }
    ]
}

This role is annotated on the keda-operator service account in the keda namespace as detailed below:

{
  "apiVersion": "v1",
  "kind": "ServiceAccount",
  "metadata": {
    "annotations": {
      "eks.amazonaws.com/role-arn": "arn:aws:iam::<account-id>:role/<role-name>",
      "kubectl.kubernetes.io/last-applied-configuration": "{\"apiVersion\":\"v1\",\"kind\":\"ServiceAccount\",\"metadata\":{\"annotations\":{},\"labels\":{\"app.kubernetes.io/name\":\"keda-operator\",\"app.kubernetes.io/part-of\":\"keda-operator\",\"app.kubernetes.io/version\":\"2.7.0\"},\"name\":\"keda-operator\",\"namespace\":\"keda\"}}\n"
    },
    "creationTimestamp": "2022-07-14T13:49:40Z",
    "labels": {
      "app.kubernetes.io/name": "keda-operator",
      "app.kubernetes.io/part-of": "keda-operator",
      "app.kubernetes.io/version": "2.7.0"
    },
    "name": "keda-operator",
    "namespace": "keda",
    "resourceVersion": "174401872",
    "uid": "a5862afb-fcd1-49e3-8ebb-6c81f4fd5014"
  },
  "secrets": [
    {
      "name": "keda-operator-token-wzqsz"
    }
  ]
}

I have a deployment running in a different namespace, test-keda. For scaling against queue length, I am using the following spec:

apiVersion: keda.sh/v1alpha1
kind: ScaledObject
metadata:
  name: scaled-object-test
  namespace: test-keda
  labels:
    name: test-app # Required Name of the deployment we want to scale.
spec:
  scaleTargetRef:
    kind: Deployment
    name: test-app
  pollingInterval: 5
  cooldownPeriod: 10
  maxReplicaCount: 8
  minReplicaCount: 0
  triggers:
    - type: aws-sqs-queue
      metadata:
        queueURL: https://sqs.<region-name>.amazonaws.com/<account-id>/<queue-name>
        queueLength: "10"
        awsRegion: "<region-name>"
        identityOwner: operator

I have used the official docs for the SQS scaler to set up the above configuration. However, upon checking the keda-operator pod log, I find the following error:

error": "AccessDenied: Access to the resource https://sqs.<region-name>.amazonaws.com/ is denied.\n\tstatus code: 403, request id: 87fd482d-89cf-54ef-af3e-13a25f4d9e23"

I tried using pod as identityOwner for my ScaledObject, but it seems to throw Access Denied, due to the node role trying to assume the deployment's IRSA role.

Am I missing something here? Would appreciate any hint on where I am going wrong.

Thanks

  • Restarting the keda-operator and keda-metrics-server deployment in keda namespace solved the issue. Commented Sep 6, 2022 at 17:00

2 Answers


Restarting the KEDA deployments solved the issue. Run the following commands:

kubectl rollout restart deployment keda-metrics-apiserver -n keda
kubectl rollout restart deployment keda-operator -n keda
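The restart works because the EKS pod identity webhook injects AWS_ROLE_ARN and AWS_WEB_IDENTITY_TOKEN_FILE into a pod only when the pod is created, so an operator pod that was already running when the service account got its role-arn annotation keeps calling SQS with the node role until it is recreated. The following added example (not code from the question or from the KEDA project) checks the four things that most often produce this 403 offline, using constructed inputs modelled on the question: the account id, region and OIDC provider id are made up, and the sample pod environments stand in for what `kubectl get pod -o json` would show before and after the rollout restart. It verifies that the trust policy's `:sub` condition names exactly the keda-operator service account, that the permission policy grants sqs:GetQueueAttributes on the ARN derived from the ScaledObject's queueURL (a mismatch between the queue named in the policy and the one in the trigger is a common cause of AccessDenied), that awsRegion agrees with the queue, and that the operator pod actually carries the injected IRSA variables.

```python
"""Offline checks for a KEDA operator IRSA setup (added example, not from the question or KEDA)."""
import re
from urllib.parse import urlparse

# --- constructed sample inputs modelled on the question; account, region and OIDC id are made up ---
ACCOUNT = "123456789012"
REGION = "eu-west-1"
OIDC = f"oidc.eks.{REGION}.amazonaws.com/id/EXAMPLED539D4633E53DE1B716D3041E"

TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Principal": {"Federated": f"arn:aws:iam::{ACCOUNT}:oidc-provider/{OIDC}"},
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {"StringEquals": {f"{OIDC}:sub": "system:serviceaccount:keda:keda-operator"}},
    }],
}
PERMISSION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "KedaSQSReadPermission", "Effect": "Allow", "Action": "sqs:GetQueueAttributes",
         "Resource": f"arn:aws:sqs:{REGION}:{ACCOUNT}:test-queue"},
        {"Sid": "KedaSQSListPermission", "Effect": "Allow", "Action": "sqs:ListQueues", "Resource": ["*"]},
    ],
}
TRIGGER_METADATA = {"queueURL": f"https://sqs.{REGION}.amazonaws.com/{ACCOUNT}/test-queue", "awsRegion": REGION}

# keda-operator container env as `kubectl get pod -o json` would show it (constructed)
ENV_BEFORE_RESTART = [{"name": "WATCH_NAMESPACE", "value": ""}]
ENV_AFTER_RESTART = ENV_BEFORE_RESTART + [
    {"name": "AWS_ROLE_ARN", "value": f"arn:aws:iam::{ACCOUNT}:role/keda-operator"},
    {"name": "AWS_WEB_IDENTITY_TOKEN_FILE", "value": "/var/run/secrets/eks.amazonaws.com/serviceaccount/token"},
]


def as_list(value):
    """IAM accepts a string or a list in Action, Resource and condition values."""
    return value if isinstance(value, list) else [value]


def queue_url_to_arn(queue_url):
    """Map the queueURL from the ScaledObject trigger to the ARN the IAM policy must name."""
    parsed = urlparse(queue_url)
    host = re.fullmatch(r"sqs\.([a-z0-9-]+)\.amazonaws\.com", parsed.netloc)
    parts = parsed.path.strip("/").split("/")
    if not host or len(parts) != 2 or not parts[0].isdigit() or not parts[1]:
        raise ValueError(f"not an SQS queue URL: {queue_url}")
    return f"arn:aws:sqs:{host.group(1)}:{parts[0]}:{parts[1]}"


def trust_policy_allows(policy, namespace, service_account):
    """True if an Allow statement lets the OIDC provider assume the role for exactly this service account."""
    expected = f"system:serviceaccount:{namespace}:{service_account}"
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or "sts:AssumeRoleWithWebIdentity" not in as_list(st.get("Action", [])):
            continue
        for key, value in st.get("Condition", {}).get("StringEquals", {}).items():
            if key.endswith(":sub") and expected in as_list(value):
                return True
    return False


def policy_grants(policy, action, resource_arn):
    """True if some Allow statement grants `action` on `resource_arn` (or on '*')."""
    for st in policy["Statement"]:
        if st.get("Effect") != "Allow" or action not in as_list(st.get("Action", [])):
            continue
        if any(r in ("*", resource_arn) for r in as_list(st.get("Resource", []))):
            return True
    return False


def pod_has_irsa_env(env):
    """The EKS pod identity webhook injects these two variables at pod creation; a pod started before
    the service account was annotated lacks them until it is recreated (hence the rollout restart)."""
    names = {e["name"] for e in env}
    return {"AWS_ROLE_ARN", "AWS_WEB_IDENTITY_TOKEN_FILE"} <= names


def run_checks(trust, perms, trigger, env, namespace="keda", service_account="keda-operator"):
    """Run all four checks and return a name -> bool map; any False explains a 403 from SQS."""
    queue_arn = queue_url_to_arn(trigger["queueURL"])
    return {
        "trust_matches_service_account": trust_policy_allows(trust, namespace, service_account),
        "role_can_read_queue": policy_grants(perms, "sqs:GetQueueAttributes", queue_arn),
        "region_matches_queue": queue_arn.split(":")[3] == trigger["awsRegion"],
        "operator_pod_has_irsa_env": pod_has_irsa_env(env),
    }


if __name__ == "__main__":
    for label, env in (("before restart", ENV_BEFORE_RESTART), ("after restart", ENV_AFTER_RESTART)):
        print(label, run_checks(TRUST_POLICY, PERMISSION_POLICY, TRIGGER_METADATA, env))
```

To run it against a real cluster, feed `run_checks` the output of `aws iam get-role` (trust policy), `aws iam get-policy-version` (permission policy), the trigger metadata from the ScaledObject, and the `env` list of the keda-operator container from `kubectl get pod -n keda -o json`; with the constructed inputs the only check that fails is `operator_pod_has_irsa_env` for the pre-restart pod, which is the situation the accepted answer fixes.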



For anyone landing here in 2025, where Keda is currently sitting at v2.17.0, I needed to add this to my serviceAccount.yaml after encountering similar problems:

eks.amazonaws.com/sts-regional-endpoints: "true"

So the entire serviceAccount looks something like this:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: <SA>
  namespace: my-namespace
  annotations:
    eks.amazonaws.com/role-arn: arn:aws:iam::<ACCOUNT_#>:role/<SA>
    eks.amazonaws.com/sts-regional-endpoints: "true"

1 Comment

This is only needed in case your region does not support global STS; see keda.sh/docs/2.17/authentication-providers/aws/…. Also note that KEDA automatically falls back to AssumeRole when AssumeRoleWithWebIdentity does not work. I had AccessDenied errors like `failed to retrieve credentials, operation error STS: AssumeRoleWithWebIdentity` in the keda-operator logs, but scaling was actually working.
