Creating EKS cluster with OpenIDC error
I am creating an EKS cluster from scratch but every time I do I get the following error:

2023-03-28 15:08:05 [✖] creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action
After much effort and searching, I found the following policy, which I have in place.
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor0",
      "Effect": "Allow",
      "Action": "ec2:DeleteInternetGateway",
      "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
    },
    {
      "Sid": "VisualEditor1",
      "Effect": "Allow",
      "Action": [
        "elasticloadbalancing:ModifyListener",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:DescribeInstances",
        "ec2:AttachInternetGateway",
        "ec2:DeleteRouteTable",
        "ec2:RevokeSecurityGroupEgress",
        "ec2:CreateRoute",
        "ec2:CreateInternetGateway",
        "ec2:DescribeVolumes",
        "ec2:DeleteInternetGateway",
        "ec2:DescribeKeyPairs",
        "iam:GetRole",
        "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
        "ec2:ImportKeyPair",
        "ec2:CreateTags",
        "elasticloadbalancing:CreateTargetGroup",
        "ecr:GetAuthorizationToken",
        "ec2:RunInstances",
        "ec2:DisassociateRouteTable",
        "ec2:CreateVolume",
        "ec2:RevokeSecurityGroupIngress",
        "elasticloadbalancing:AddTags",
        "ec2:DescribeImageAttribute",
        "elasticloadbalancing:DeleteLoadBalancerListeners",
        "ec2:DeleteNatGateway",
        "autoscaling:DeleteAutoScalingGroup",
        "ec2:CreateSubnet",
        "ec2:DescribeSubnets",
        "elasticloadbalancing:ModifyLoadBalancerAttributes",
        "ecr:InitiateLayerUpload",
        "ec2:AttachVolume",
        "ec2:CreateNatGateway",
        "ec2:CreateVpc",
        "ecr:ListImages",
        "ec2:DescribeVpcAttribute",
        "ec2:ModifySubnetAttribute",
        "autoscaling:DescribeScalingActivities",
        "ec2:DescribeAvailabilityZones",
        "ssm:GetParametersByPath",
        "elasticloadbalancing:CreateLoadBalancerPolicy",
        "ec2:ReleaseAddress",
        "ec2:DeleteLaunchTemplate",
        "elasticloadbalancing:CreateLoadBalancer",
        "elasticloadbalancing:DeleteTargetGroup",
        "ec2:DescribeSecurityGroups",
        "autoscaling:CreateLaunchConfiguration",
        "ec2:CreateLaunchTemplate",
        "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
        "ec2:DescribeVpcs",
        "elasticloadbalancing:DescribeTargetGroups",
        "elasticloadbalancing:DeleteListener",
        "elasticloadbalancing:DetachLoadBalancerFromSubnets",
        "ec2:DeleteSubnet",
        "elasticloadbalancing:RegisterTargets",
        "ec2:DescribeVolumesModifications",
        "ssm:GetParameter",
        "ec2:AssociateRouteTable",
        "elasticloadbalancing:DeleteLoadBalancer",
        "ec2:DescribeInternetGateways",
        "elasticloadbalancing:DescribeLoadBalancers",
        "ec2:DeleteVolume",
        "ssm:DeleteParameter",
        "ssm:DescribeParameters",
        "autoscaling:DescribeAutoScalingGroups",
        "elasticloadbalancing:DescribeLoadBalancerPolicies",
        "autoscaling:UpdateAutoScalingGroup",
        "ec2:DescribeAccountAttributes",
        "elasticloadbalancing:ModifyTargetGroupAttributes",
        "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
        "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
        "ec2:DescribeRouteTables",
        "ecr:BatchCheckLayerAvailability",
        "ec2:DetachVolume",
        "ec2:ModifyVolume",
        "ec2:DescribeLaunchTemplates",
        "ecr:GetDownloadUrlForLayer",
        "ec2:CreateRouteTable",
        "cloudformation:*",
        "elasticloadbalancing:DeregisterTargets",
        "ec2:DetachInternetGateway",
        "ssm:GetParameters",
        "ssm:DeleteParameters",
        "ecr:PutImage",
        "elasticloadbalancing:DescribeLoadBalancerAttributes",
        "ssm:PutParameter",
        "elasticloadbalancing:DescribeTargetGroupAttributes",
        "ecr:BatchGetImage",
        "ecr:DescribeImages",
        "ec2:DeleteVpc",
        "eks:*",
        "autoscaling:CreateAutoScalingGroup",
        "ec2:DescribeAddresses",
        "ec2:DeleteTags",
        "elasticloadbalancing:ConfigureHealthCheck",
        "autoscaling:DescribeLaunchConfigurations",
        "ec2:DescribeDhcpOptions",
        "ecr:UploadLayerPart",
        "elasticloadbalancing:CreateListener",
        "elasticloadbalancing:DescribeListeners",
        "ec2:DescribeNetworkInterfaces",
        "ec2:CreateSecurityGroup",
        "ecr:CompleteLayerUpload",
        "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
        "kms:DescribeKey",
        "ecr:DescribeRepositories",
        "ec2:ModifyVpcAttribute",
        "ec2:ModifyInstanceAttribute",
        "ec2:AuthorizeSecurityGroupEgress",
        "elasticloadbalancing:AttachLoadBalancerToSubnets",
        "ec2:DescribeTags",
        "ssm:GetParameterHistory",
        "ec2:DeleteRoute",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:DescribeNatGateways",
        "elasticloadbalancing:CreateLoadBalancerListeners",
        "ec2:AllocateAddress",
        "ec2:DescribeImages",
        "autoscaling:DeleteLaunchConfiguration",
        "ec2:DeleteSecurityGroup",
        "elasticloadbalancing:DescribeTargetHealth",
        "elasticloadbalancing:ModifyTargetGroup"
      ],
      "Resource": "*"
    },
    {
      "Sid": "VisualEditor2",
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
        }
      }
    },
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": [
        "iam:CreateInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:GetRole",
        "iam:GetInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:AttachRolePolicy",
        "iam:PutRolePolicy",
        "iam:ListInstanceProfiles",
        "iam:AddRoleToInstanceProfile",
        "iam:CreateOpenIDConnectProvider",
        "iam:ListInstanceProfilesForRole",
        "iam:PassRole",
        "iam:CreateServiceLinkedRole",
        "iam:DetachRolePolicy",
        "iam:ListAttachedRolePolicies",
        "iam:DeleteRolePolicy",
        "iam:DeleteServiceLinkedRole",
        "iam:GetRolePolicy"
      ],
      "Resource": [
        "arn:aws:iam::*:instance-profile/eksctl-*",
        "arn:aws:iam::*:role/eksctl-*",
        "arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
        "arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
        "arn:aws:iam::*:oidc-provider/*"
      ]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "iam:GetOpenIDConnectProvider",
      "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
    }
  ]
}
So what am I missing?
Hello Systemgeek,
Based on the error message posted, it looks like the operation is failing because your IAM role DEV-EC2-JenkinsMaster-Instance does not have permissions to perform the iam:TagOpenIDConnectProvider operation.
In the policy statement provided, the iam:TagOpenIDConnectProvider operation is not allowed. To fix this, add the operation to your IAM policy and re-run the operation.
For more info on minimum IAM policies required to create an EKS cluster using eksctl CLI, please visit https://eksctl.io/usage/minimum-iam-policies/
I hope this helps!
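An offline way to find this kind of gap before re-running eksctl, added here as an example and not part of the answer above or of eksctl: the small evaluator below applies IAM's identity-policy rules (an explicit Deny wins, otherwise any matching Allow grants, otherwise implicit deny; `*` and `?` wildcards; action names case-insensitive, ARNs case-sensitive) to a policy document and lists which of the OIDC-provider actions it does not allow. The embedded policy keeps only the two statements from the question that name oidc-provider ARNs, with VisualEditor3's action list shortened; the account id and provider id in the resource ARN are constructed placeholders, and the fix statement uses the same `arn:aws:iam::*:oidc-provider/*` resource form as the question's VisualEditor3 statement. Run against the question's policy it reports iam:TagOpenIDConnectProvider as missing and also iam:GetOpenIDConnectProvider, because VisualEditor4 scopes that action to oidc.eks.eu-west-1 while the cluster in the error is in us-east-1. Condition, NotAction and NotResource are not evaluated, so a statement carrying them neither grants nor denies here; resource policies, SCPs and permission boundaries are out of scope.

```python
"""Offline evaluator for a single IAM identity-based policy document.

Added example (not code from the question, the answer, or eksctl). It answers
"does this policy allow action X on resource Y?" the way IAM evaluates an
identity policy in isolation, so a missing action such as
iam:TagOpenIDConnectProvider can be spotted without another failed cluster
create. Simplifications: Condition, NotAction and NotResource are not
evaluated (a statement using them neither allows nor denies here), and
resource policies, SCPs and permission boundaries are out of scope.
"""
import fnmatch


def _as_list(value):
    """IAM accepts a single string or a list of strings in Action/Resource."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def _action_matches(pattern, action):
    # Action names are case-insensitive; '*' and '?' are the IAM wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def _resource_matches(pattern, resource):
    # ARNs are case-sensitive; '*' spans any run of characters, '/' included.
    return fnmatch.fnmatchcase(resource, pattern)


def evaluate(policy, action, resource):
    """Return 'Allow', 'Deny' (explicit) or 'ImplicitDeny'."""
    allowed = False
    for stmt in policy.get("Statement", []):
        if any(k in stmt for k in ("Condition", "NotAction", "NotResource")):
            continue  # not modelled; see the module docstring
        if not any(_action_matches(p, action) for p in _as_list(stmt.get("Action"))):
            continue
        if not any(_resource_matches(p, resource) for p in _as_list(stmt.get("Resource"))):
            continue
        if stmt.get("Effect") == "Deny":
            return "Deny"  # an explicit Deny overrides every Allow
        if stmt.get("Effect") == "Allow":
            allowed = True
    return "Allow" if allowed else "ImplicitDeny"


def missing_actions(policy, actions, resource):
    """The subset of `actions` that `policy` does not allow on `resource`."""
    return [a for a in actions if evaluate(policy, a, resource) != "Allow"]


# The two statements from the question that name oidc-provider ARNs; the other
# statements of that policy do not touch OIDC providers and are left out, and
# VisualEditor3's action list is shortened to the entries relevant here.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": ["iam:CreateRole", "iam:CreateOpenIDConnectProvider", "iam:PassRole"],
            "Resource": ["arn:aws:iam::*:role/eksctl-*", "arn:aws:iam::*:oidc-provider/*"],
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "iam:GetOpenIDConnectProvider",
            "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*",
        },
    ],
}

# Statement to add; the resource form follows the question's VisualEditor3.
OIDC_FIX_STATEMENT = {
    "Sid": "EksOidcProvider",
    "Effect": "Allow",
    "Action": [
        "iam:CreateOpenIDConnectProvider",
        "iam:GetOpenIDConnectProvider",
        "iam:TagOpenIDConnectProvider",
    ],
    "Resource": "arn:aws:iam::*:oidc-provider/*",
}
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [OIDC_FIX_STATEMENT],
}

# OIDC-provider actions named in the error and in the question's policy.
OIDC_ACTIONS = [
    "iam:CreateOpenIDConnectProvider",
    "iam:GetOpenIDConnectProvider",
    "iam:TagOpenIDConnectProvider",
]
# Constructed ARN: the account id and provider id are placeholders.
OIDC_ARN = ("arn:aws:iam::123456789012:oidc-provider/"
            "oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE0123456789ABCDEF0123456789")

if __name__ == "__main__":
    print("missing before fix:", missing_actions(ORIGINAL_POLICY, OIDC_ACTIONS, OIDC_ARN))
    print("missing after fix: ", missing_actions(FIXED_POLICY, OIDC_ACTIONS, OIDC_ARN))
```

Paste the full policy from the question into ORIGINAL_POLICY to check every statement at once; the result for the OIDC actions is the same, since no other statement names an oidc-provider resource.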
Ok. I changed the policy I had for what was on the eksctl.io page and that got me most of the way through. Now I am getting this error:

2023-03-28 18:28:40 [✖] failed to create service account kube-system/aws-node: checking whether namespace "kube-system" exists: Get "https://BA309393953C1FA2F73xxxxxxxxxxxxxx.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system": dial tcp 172.16.146.74:443: i/o timeout.
Have you created an EKS cluster with private endpoint access? Based on the error, it looks like your eksctl CLI is unable to reach your Kubernetes API Server (https://BA309393953C1FA2F73xxxxxxxxxxxxxx.gr7.us-east-1.eks.amazonaws.com) which is showing a private IP address (172.16.146.74). Either change your API server access to "Public" or run the eksctl CLI commands on a server that is hosted inside your VPC.
As the original issue with IAM permissions has been resolved, please accept my answer and post your additional questions as a separate post for better visibility.
Thank you!
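The timeout in the comments above is the private-endpoint case of the following added example, which is not part of the thread or of eksctl: it takes the cluster's resourcesVpcConfig (the endpointPublicAccess, endpointPrivateAccess and publicAccessCidrs fields as returned by `aws eks describe-cluster`) and where the caller sits, and says whether the Kubernetes API endpoint is reachable, so the check can run before eksctl or kubectl waits out a TCP timeout. It also covers the case the comment does not spell out: with public access on, the caller's source address must fall inside publicAccessCidrs, and for an in-VPC caller on a cluster without private access that address is the VPC's NAT/egress IP. The configuration values and IP addresses are constructed; security groups and routing are not modelled.

```python
"""Reachability of an EKS API server endpoint from a given caller.

Added example (not from the thread or eksctl). Encodes the EKS endpoint access
modes: private access serves callers inside the cluster VPC; public access
serves any caller whose source IP falls in publicAccessCidrs, which includes
in-VPC callers when private access is off, because their traffic then leaves
the VPC through its NAT/egress address. Security groups and routing are not
modelled, so a True result is necessary, not sufficient.
"""
import ipaddress


def endpoint_reachable(vpc_config, source_ip, caller_in_vpc):
    """Return (reachable, reason).

    `source_ip` is the address the API server would see: the caller's own IP
    for a host outside the VPC, the NAT/egress IP for a host inside it.
    """
    private = bool(vpc_config.get("endpointPrivateAccess", False))
    public = bool(vpc_config.get("endpointPublicAccess", True))
    cidrs = vpc_config.get("publicAccessCidrs") or ["0.0.0.0/0"]

    if caller_in_vpc and private:
        return True, "private endpoint: resolves to VPC addresses from inside the VPC"
    if not public:
        return False, ("public endpoint disabled: the hostname resolves to private "
                       "VPC addresses, so a client outside the VPC times out")
    ip = ipaddress.ip_address(source_ip)
    if any(ip in ipaddress.ip_network(c, strict=False) for c in cidrs):
        return True, "public endpoint: source IP is within publicAccessCidrs"
    return False, f"public endpoint: {source_ip} is not in publicAccessCidrs {cidrs}"


# Constructed configs: the first mirrors the thread (private-only cluster,
# eksctl run from a host outside the VPC); the second is a hardened variant
# that keeps the public endpoint but pins it to one /24.
PRIVATE_ONLY = {"endpointPublicAccess": False, "endpointPrivateAccess": True,
                "publicAccessCidrs": ["0.0.0.0/0"]}
PUBLIC_RESTRICTED = {"endpointPublicAccess": True, "endpointPrivateAccess": True,
                     "publicAccessCidrs": ["203.0.113.0/24"]}

if __name__ == "__main__":
    for cfg, ip, inside in [(PRIVATE_ONLY, "198.51.100.7", False),
                            (PRIVATE_ONLY, "172.16.146.200", True),
                            (PUBLIC_RESTRICTED, "203.0.113.10", False),
                            (PUBLIC_RESTRICTED, "198.51.100.7", False)]:
        print(endpoint_reachable(cfg, ip, inside))
```

If the decision is to enable public access rather than move the client into the VPC, keep publicAccessCidrs to the addresses that actually run eksctl and kubectl; the default 0.0.0.0/0 leaves the API server reachable from the whole internet behind only its authentication.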