Fixing Fluent Bit on EKS: IRSA, Helm, and the "NoCredentialProviders" Error
If you're deploying Fluent Bit to Amazon EKS with Terraform and Helm, you might hit this frustrating error:
[cloudwatch 0] NoCredentialProviders: no valid providers in chain
...
EC2MetadataError: failed to make EC2Metadata request
Even if everything looks correct — the service account is annotated with an IAM role, and the DaemonSet is running — Fluent Bit still can’t write logs to CloudWatch.
Let's walk through how to troubleshoot and fix this.
🔍 Step 1: Understand the Root Cause
Fluent Bit uses AWS credentials to ship logs to CloudWatch. These credentials usually come from:
- IRSA (IAM Roles for Service Accounts)
- EC2/EKS metadata (instance profile)
- Environment variables
When using the aws-for-fluent-bit Helm chart, if you don’t explicitly configure the service account, Helm will create a new one without any IAM role annotation.
You can confirm this with:
kubectl get pod -n amazon-cloudwatch -l app.kubernetes.io/instance=<your-release-name> -o jsonpath="{.items[*].spec.serviceAccountName}"
If it returns something like:
fluent-bit-aws-for-fluent-bit
Instead of your IRSA-linked service account name (e.g., fluent-bit), Fluent Bit is running without credentials.
✅ Step 2: Ensure a Proper IRSA Setup
Make sure the IRSA role exists and is attached to a manually created Kubernetes service account:
resource "kubernetes_service_account" "fluentbit" {
metadata {
name = "fluent-bit"
namespace = "amazon-cloudwatch"
annotations = {
"eks.amazonaws.com/role-arn" = aws_iam_role.fluentbit_irsa.arn
}
}
}
And the IAM role should have at least these permissions:
resource "aws_iam_policy" "fluentbit_logs" {
policy = jsonencode({
Version = "2012-10-17",
Statement = [
{
Effect = "Allow",
Action = [
"logs:PutLogEvents",
"logs:DescribeLogStreams",
"logs:DescribeLogGroups",
"logs:CreateLogStream",
"logs:CreateLogGroup"
],
Resource = "*"
}
]
})
}
Attach it to the IRSA role.
✅ Step 3: Update the Helm Release in Terraform
In your helm_release resource, add the following set blocks:
set {
name = "serviceAccount.name"
value = "fluent-bit"
}
set {
name = "serviceAccount.create"
value = "false"
}
That tells Helm to use your IRSA-linked SA and not to create its own.
Here’s a full example:
resource "helm_release" "fluentbit" {
name = "fluent-bit"
namespace = "amazon-cloudwatch"
repository = "https://aws.github.io/eks-charts"
chart = "aws-for-fluent-bit"
version = "0.1.35"
set {
name = "serviceAccount.name"
value = "fluent-bit"
}
set {
name = "serviceAccount.create"
value = "false"
}
set {
name = "cloudWatch.enabled"
value = "true"
}
set {
name = "cloudWatch.region"
value = data.aws_region.current.name
}
set {
name = "cloudWatch.logGroupName"
value = "/aws/eks/${var.cluster_name}/fluent-bit"
}
set {
name = "cloudWatch.autoCreateGroup"
value = "false"
}
}
🔄 Step 4: Apply and Restart
Apply the changes:
terraform apply
Then restart the Fluent Bit pod:
kubectl delete pod -n amazon-cloudwatch -l app.kubernetes.io/instance=fluent-bit
Check logs:
kubectl logs -n amazon-cloudwatch -l app.kubernetes.io/instance=fluent-bit
No more NoCredentialProviders 🎉
✅ Recap
✔️ Confirm you're using an IRSA-annotated service account
✔️ Tell Helm to use it with serviceAccount.name and create=false
✔️ Give the IAM role the correct CloudWatch permissions
✔️ Restart pods to pick up changes
Now Fluent Bit can log to CloudWatch securely using IAM — no access keys needed.
Ready to take this up a notch? Turn it into a Terraform module or plug it straight into your CI/CD and forget it ever broke in the first place. 😎
Top comments (0)