Haranath Boggarapu

Reputation: 303

Failed to create service linked role: AWSServiceRoleForAmazonEKSNodegroup due to missing permissions for 'iam:CreateServiceLinkedRole'

I created an EKS cluster in AWS and I want to create a Node group (worker nodes) for the corresponding created cluster, but I am getting the error "Failed to create service linked role: AWSServiceRoleForAmazonEKSNodegroup due to missing permissions for 'iam:CreateServiceLinkedRole'". Please help.

I'm following the instructions present in AWS documentation (https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html)

Upvotes: 4

Views: 7140

Answers (1)

user1053510

Reputation: 1677

You can refer to eksctl documentation page: https://eksctl.io/usage/minimum-iam-policies/

That page shows all policies that need to be assigned to an AWS user in order to manage a Kubernetes cluster in AWS, but read my entire answer before continuing.

IMPORTANT

Create EksAllAccess and IamLimitedAccess remembering to replace <account_id> with your AWS account id.

Policies named AmazonEC2FullAccess and AWSCloudFormationFullAccess already exist in AWS. DO NOT USE the built-in policies. Create your own (you can use the same name).

The AmazonEC2FullAccess policy differs a little bit from the built-in version. Moreover, the version on the above-mentioned page is still missing one entry: "eks-nodegroup.amazonaws.com".

The last part of the AmazonEC2FullAccess policy definition should go like this:

{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "eks.amazonaws.com",
                "eks-fargate-pods.amazonaws.com",
                "eks-nodegroup.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
            ]
        }
    }
}

You can refer to AWS documentation for more details: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks-nodegroups.html

Upvotes: 2
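To make the missing-entry problem concrete, here is an added example (not from the question, the answer, or eksctl) that checks an IAM policy document offline for exactly this gap: it finds the Allow statements covering iam:CreateServiceLinkedRole, reads the iam:AWSServiceName condition, and reports which EKS service principals are still not allowed. The two policy documents are constructed for the example; the corrected one wraps the statement from the answer in a full policy, and the incomplete one drops "eks-nodegroup.amazonaws.com", which is the shape that produces the error in the question. The list of required EKS principals is an assumption of the example based on the three EKS entries in the answer's statement.

```python
import copy
import fnmatch
import json

# Constructed sample policy: the iam:CreateServiceLinkedRole statement from the
# answer above, wrapped in a full policy document so it parses on its own.
# This is the corrected version that includes "eks-nodegroup.amazonaws.com".
EKS_SLR_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "iam:CreateServiceLinkedRole",
      "Resource": "*",
      "Condition": {
        "StringEquals": {
          "iam:AWSServiceName": [
            "autoscaling.amazonaws.com",
            "ec2scheduled.amazonaws.com",
            "elasticloadbalancing.amazonaws.com",
            "eks.amazonaws.com",
            "eks-fargate-pods.amazonaws.com",
            "eks-nodegroup.amazonaws.com",
            "spot.amazonaws.com",
            "spotfleet.amazonaws.com",
            "transitgateway.amazonaws.com"
          ]
        }
      }
    }
  ]
}
""")

# Constructed: the same policy with the node-group principal left out, which is
# the shape that yields "missing permissions for 'iam:CreateServiceLinkedRole'"
# when a managed node group is created.
INCOMPLETE_POLICY = copy.deepcopy(EKS_SLR_POLICY)
INCOMPLETE_POLICY["Statement"][0]["Condition"]["StringEquals"][
    "iam:AWSServiceName"
].remove("eks-nodegroup.amazonaws.com")

# Assumed set of EKS service principals a cluster operator needs service-linked
# roles for: the control plane, managed node groups and Fargate pods.
EKS_REQUIRED_SERVICES = (
    "eks.amazonaws.com",
    "eks-nodegroup.amazonaws.com",
    "eks-fargate-pods.amazonaws.com",
)


def _as_list(value):
    """IAM accepts either a single string or a list for Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, action):
    # IAM action names are case-insensitive and patterns may contain '*' wildcards.
    return fnmatch.fnmatchcase(action.lower(), pattern.lower())


def allowed_service_linked_roles(policy):
    """Return the set of service principals for which the policy allows
    iam:CreateServiceLinkedRole. The value "*" means the action is allowed
    with no iam:AWSServiceName condition, i.e. for any service."""
    allowed = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(p, "iam:CreateServiceLinkedRole") for p in actions):
            continue
        # Condition operators and keys are case-insensitive; normalise before lookup.
        string_equals = {}
        for operator, keys in stmt.get("Condition", {}).items():
            if operator.lower() == "stringequals":
                string_equals = {k.lower(): v for k, v in keys.items()}
        names = string_equals.get("iam:awsservicename")
        if names is None:
            allowed.add("*")
        else:
            allowed.update(_as_list(names))
    return allowed


def missing_eks_services(policy, required=EKS_REQUIRED_SERVICES):
    """List the EKS service principals the policy does not allow service-linked
    role creation for; an empty list means the policy covers all of them."""
    allowed = allowed_service_linked_roles(policy)
    if "*" in allowed:
        return []
    return [svc for svc in required if svc not in allowed]


if __name__ == "__main__":
    for name, policy in (("corrected", EKS_SLR_POLICY), ("incomplete", INCOMPLETE_POLICY)):
        print(f"{name}: missing {missing_eks_services(policy) or 'nothing'}")
```

The check only inspects Allow statements in the one document it is given; it does not evaluate explicit Deny statements, permission boundaries or SCPs, so a clean result here means the policy itself is sufficient, not that the effective permissions of the caller are. Run it against the policy you are about to attach (for example, the JSON saved from the eksctl page) before creating the node group, and treat any non-empty result as the cause of the error in the question.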
