[BUG] Enoy Proxy container fails to initialize while trying to create an app mesh using the dj-app

[arunvthangaraj]

Describe the bug
Ran into an issue while trying to create an app mesh using the dj-app at aws-app-mesh-examples/examples/apps/djapp/

With the current deployment files, when the envoy proxy sidecar container is automatically injected, it will not have the necessary permission "appmesh:StreamAggregatedResources". This is because the iamserviceaccount that is created as part of the tutorial is not included in the base app deployment definition.

Platform
EKS

To Reproduce
Steps to reproduce the behavior:

1. git clone https://github.com/aws/aws-app-mesh-examples
2. cd aws-app-mesh-examples/examples/apps/djapp/
3. kubectl apply -f 1_base_application/base_app.yaml
4. Deploy appmesh-controller using helm
5. kubectl apply -f 2_meshed_application/meshed_app.yaml
6. Envoy proxy sidecar container fails to initialize due to an iam permission issue.

Expected behavior
The Envoy proxy sidecar container should initialize successfully and there should not be any iam permission error.

Additional context
After adding the serviceAccountName (which has the correct role with policies attached) to all the deployment definition in 1_base_application/base_app.yaml the envoy proxy container initialized successfully without any issue.

[cgchinmay]

We do mention about the envoy policies in the installation instructions. Which service account to use for these envoy policy attachment is left to the customers as instructed here.

[arunvthangaraj]

Thanks for the information. I was following the instructions in "Getting started with App Mesh" section on eksworkshop.com. The instructions in the workshop does not mention to update the POD spec to use the correct service account. I will review the workshop instructions one more time before raising this issue in the right channel.