Status: Open
Labels: needs-investigation (Indicates an issue needs some investigation), service/ec2 (Indicates issues or PRs that are related to ec2-controller)
Describe the bug
In a SecurityGroup resource's ingress rules, I am unable to reference a SecurityGroup from a different account.
Steps to reproduce

```yaml
ingressRules:
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
      - description: ALB/NLB security group access
        groupRef:
          from:
            name: sg-in-different-account
            namespace: different-account
        userID: "222222222222"
        vpcRef:
          from:
            name: different-vpc
            namespace: different-account
```
With the above configuration, when I describe the security group I get:
```yaml
- lastTransitionTime: "2025-11-06T16:41:18Z"
  message: Unable to determine if desired resource state matches latest observed
    state
  reason: 'operation error EC2: AuthorizeSecurityGroupIngress, https response
    error StatusCode: 400, RequestID: d8b5bf75-2c0f-4f1d-8b06-807204b650b8, api
    error InvalidGroup.NotFound: The security group ''sg-xxxxxxxxxxxxxxxxx'' does
    not exist'
  status: Unknown
  type: ACK.ResourceSynced
```
Then I tried referencing the account id and group id together:

```yaml
ingressRules:
  - fromPort: 443
    ipProtocol: tcp
    toPort: 443
    userIDGroupPairs:
      - description: ALB/NLB security group access
        groupID: 222222222222/sg-xxxxxxxxxxxxxxxxx
        userID: "222222222222"
        vpcRef:
          from:
            name: different-vpc
            namespace: different-account
```
And received the following:

```yaml
- lastTransitionTime: "2025-11-06T16:56:57Z"
  message: Unable to determine if desired resource state matches latest observed
    state
  reason: 'operation error EC2: AuthorizeSecurityGroupIngress, https response
    error StatusCode: 400, RequestID: 5048abd2-ad21-4b18-8d88-2699cd58572a, api
    error InvalidGroupId.Malformed: Invalid id: "222222222222/sg-xxxxxxxxxxxxxxxxx"
    (expecting "sg-...")'
  status: Unknown
  type: ACK.ResourceSynced
```
Expected outcome
I expected either one or both of the above configurations to work for referencing security groups across accounts.
Environment
- Kubernetes version - v1.34.1
- Using EKS (yes/no), if so version? - v1.34.1-eks-d96d92f
- AWS service targeted (S3, RDS, etc.) - EC2
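As an added example (not from the report or the ec2-controller code), a small Python pre-check that turns an ingress rule shaped like the ones above into the IpPermissions entry that EC2's AuthorizeSecurityGroupIngress takes, where the peer group id and its owning account are two separate fields (GroupId and UserId). It normalises the "ACCOUNT/sg-..." composite from the second attempt into that shape and flags a userID that disagrees with the prefix; the group-id regex and the RULE input are constructed assumptions.

```python
import re
from typing import Any, Optional

# Assumed id shapes: EC2 security group ids are "sg-" plus 8 or 17 hex digits,
# and the owning account is a 12-digit id (this is an assumption, not from the page).
SG_ID_RE = re.compile(r"^sg-[0-9a-f]{8,17}$")
ACCOUNT_RE = re.compile(r"^[0-9]{12}$")


def split_peer(group_id: str, user_id: Optional[str]) -> tuple[str, Optional[str]]:
    """Normalise a peer reference into (group_id, account_id).

    Accepts a bare "sg-..." id (with userID for cross-account peers) or the
    "ACCOUNT/sg-..." composite the report tried, which EC2 rejects as malformed.
    """
    if "/" in group_id:
        prefix, _, group_id = group_id.partition("/")
        if user_id is not None and user_id != prefix:
            raise ValueError(f"account prefix {prefix} disagrees with userID {user_id}")
        user_id = prefix
    if not SG_ID_RE.match(group_id):
        raise ValueError(f'Invalid id: "{group_id}" (expecting "sg-...")')
    if user_id is not None and not ACCOUNT_RE.match(user_id):
        raise ValueError(f"userID must be a 12-digit account id, got {user_id!r}")
    return group_id, user_id


def to_ip_permission(rule: dict[str, Any]) -> dict[str, Any]:
    """Build the IpPermissions entry that AuthorizeSecurityGroupIngress expects."""
    pairs = []
    for pair in rule.get("userIDGroupPairs", []):
        if "groupID" not in pair:
            # A groupRef is resolved by the controller, not here (assumption).
            raise ValueError("resolve groupRef to a groupID before building the request")
        gid, acct = split_peer(pair["groupID"], pair.get("userID"))
        entry: dict[str, Any] = {"GroupId": gid}
        if acct is not None:
            entry["UserId"] = acct
        if "description" in pair:
            entry["Description"] = pair["description"]
        pairs.append(entry)
    return {"IpProtocol": rule["ipProtocol"], "FromPort": rule["fromPort"],
            "ToPort": rule["toPort"], "UserIdGroupPairs": pairs}


# Constructed input mirroring the report's second attempt (ids are placeholders).
RULE = {"fromPort": 443, "ipProtocol": "tcp", "toPort": 443,
        "userIDGroupPairs": [{"description": "ALB/NLB security group access",
                              "groupID": "222222222222/sg-0123456789abcdef0",
                              "userID": "222222222222"}]}
```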