AWS EKS - Create cluster minimum IAM permissions (AccessDenied)

4/10/2020

Does anyone know what should be the minimum IAM permissions that would allow a user creating an EKS cluster?

I'm assuming a role to just create a cluster with Terraform and that role has got the following statements in its policy defined (nothing more than that):

        {
            "Sid": "AllowEKSCreate",
            "Effect": "Allow",
            "Action": [
                "eks:List*",
                "eks:Describe*",
                "eks:CreateCluster",
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEKSAll",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "arn:aws:eks:eu-west-1:XXXXXXXXXX:cluster/my-cluster"
        }

In CloudTrail I'm only seeing:

AWS access key: XXXXXXXX
AWS region: eu-west-1
Error code: AccessDenied
Event ID: XXXXXXXX
Event name: CreateCluster
Event source: eks.amazonaws.com

Successful events:

  • sts:GetCallerIdentity
  • ec2:DescribeAccountAttributes

No other event is present in CloudTrail that would be unsuccessful.

-- SEB
amazon-web-services
eks
kubernetes

1 Answer

4/10/2020

Found it!

The missing permission was iam:PassRole on the Cluster IAM Role resource.

For some reason CloudTrail does not reveal that information :(

P.S. I think I made my question very clear, so I am wondering why someone would give me -1.

-- SEB
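One way to add the missing iam:PassRole permission without granting PassRole on every role in the account, as an added example that is not part of the original question or answer. The account ID and the cluster role name (my-cluster-role) are placeholders; the iam:PassedToService condition restricts the pass so the role can only be handed to EKS, not to other services.

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "AllowEKSCreate",
            "Effect": "Allow",
            "Action": [
                "eks:List*",
                "eks:Describe*",
                "eks:CreateCluster",
                "ec2:Describe*"
            ],
            "Resource": "*"
        },
        {
            "Sid": "AllowEKSAll",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "arn:aws:eks:eu-west-1:XXXXXXXXXX:cluster/my-cluster"
        },
        {
            "Sid": "AllowPassClusterRoleToEKS",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::XXXXXXXXXX:role/my-cluster-role",
            "Condition": {
                "StringEquals": {
                    "iam:PassedToService": "eks.amazonaws.com"
                }
            }
        }
    ]
}
```

Because the PassRole denial is attributed to the EKS CreateCluster event rather than logged as a separate IAM event, the IAM policy simulator (simulate-principal-policy with iam:PassRole on the role ARN) is a quicker way to confirm the fix than re-running Terraform.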
Source: StackOverflow