lapots

Reputation: 13395

Failed to validate if SLR: AWSServiceRoleForAmazonEKSNodegroup already exists

I was following the guide https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html

I have created an IAM user with permissions like PassRole, CreateNodeGroup etc.; created node roles and cluster roles, and was able to access it using

kubectl get svc

Then I followed the guide further and wanted to create a node group. I selected all the options I need and pressed Create.

However, I got the error

Failed to validate if SLR: AWSServiceRoleForAmazonEKSNodegroup already exists due to missing permissions for 'iam:GetRole'

In my IAM-related permission group I have permissions like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateServiceLinkedRole",
                "iam:ListRoles",
                "iam:CreateRole",
                "iam:AttachRolePolicy"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::000000000000:role/eksKubBegEKSClusterRole"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iam:ListAttachedRolePolicies",
            "Resource": "arn:aws:iam::000000000000:role/*"
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": "arn:aws:iam::000000000000:role/eksKubBegEKSNodeRole"
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::000000000000:role/eksKubBegEKSNodeRole"
        },
        {
            "Sid": "VisualEditor5",
            "Effect": "Allow",
            "Action": "iam:GetRole",
            "Resource": "arn:aws:iam::000000000000:role/eksKubBegEKSClusterRole"
        }
    ]
}

I also have a group of EKS-related permissions:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "eks:ListUpdates",
            "Resource": "arn:aws:eks:*:000000000000:cluster/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "eks:DeleteCluster",
                "eks:DescribeNodegroup",
                "eks:ListNodegroups",
                "sts:AssumeRole",
                "sts:GetFederationToken",
                "eks:DeleteNodegroup",
                "eks:DescribeCluster",
                "eks:CreateNodegroup"
            ],
            "Resource": [
                "arn:aws:eks:*:000000000000:nodegroup/*/*/*",
                "arn:aws:eks:*:000000000000:cluster/*",
                "arn:aws:iam::000000000000:role/*"
            ]
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "sts:GetSessionToken",
                "sts:GetAccessKeyInfo",
                "eks:ListClusters",
                "sts:GetCallerIdentity",
                "sts:GetServiceBearerToken",
                "eks:CreateCluster"
            ],
            "Resource": "*"
        }
    ]
}

But what exactly am I missing?

Upvotes: 4

Views: 1596
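Why the two narrowly scoped iam:GetRole statements above do not cover the service-linked role that the console checks for, shown as an added example that is not part of the question or answer: a small Allow-only policy evaluator run over the question's own GetRole statements. The service-linked-role ARN path (/aws-service-role/eks-nodegroup.amazonaws.com/) and the extra statement in FIXED_POLICY are assumptions, not values from the page.

```python
import json
import re

ACCOUNT = "000000000000"  # placeholder account id, as used in the question
# Assumption: service-linked roles sit under /aws-service-role/<service-principal>/;
# this ARN is constructed for the example and not quoted from the page.
SLR_ARN = (f"arn:aws:iam::{ACCOUNT}:role/aws-service-role/"
           "eks-nodegroup.amazonaws.com/AWSServiceRoleForAmazonEKSNodegroup")

# The role-read statements of the question's IAM policy (other statements omitted).
QUESTION_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "iam:ListAttachedRolePolicies",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/*"},
        {"Effect": "Allow", "Action": "iam:GetRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/eksKubBegEKSNodeRole"},
        {"Effect": "Allow", "Action": "iam:GetRole",
         "Resource": f"arn:aws:iam::{ACCOUNT}:role/eksKubBegEKSClusterRole"},
    ],
}

# Same policy plus one statement scoped to the SLR only (assumed fix, least privilege).
FIXED_POLICY = json.loads(json.dumps(QUESTION_POLICY))
FIXED_POLICY["Statement"].append(
    {"Effect": "Allow", "Action": "iam:GetRole", "Resource": SLR_ARN})


def _wild(pattern: str, value: str, ignore_case: bool) -> bool:
    """IAM-style wildcard match: '*' is any run of characters, '?' any single one."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, flags=re.IGNORECASE if ignore_case else 0) is not None


def _as_list(v):
    return v if isinstance(v, list) else [v]


def is_allowed(policy: dict, action: str, resource: str) -> bool:
    """Allow-only evaluation: True if some Allow statement covers action and resource.
    Actions match case-insensitively, ARNs case-sensitively; explicit Deny,
    Condition blocks and SCPs are out of scope for this check."""
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        if any(_wild(a, action, True) for a in _as_list(stmt["Action"])) and \
           any(_wild(r, resource, False) for r in _as_list(stmt["Resource"])):
            return True
    return False


if __name__ == "__main__":
    for name, pol in (("question", QUESTION_POLICY), ("fixed", FIXED_POLICY)):
        print(name, "iam:GetRole on SLR ->", is_allowed(pol, "iam:GetRole", SLR_ARN))
```

Note that the `role/*` pattern does match the service-linked role's path, so ListAttachedRolePolicies is allowed on it; only iam:GetRole is confined to the two named roles.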

Answers (1)

dalewickizer

Reputation: 51

I just went through the same thing after attempting to refactor my terraform code. EKS backplane provisioned fine. Got this same error as the nodegroup provisioning began. Turns out it had nothing to do with my code. The service-linked role (AWSServiceRoleForAmazonEKSNodegroup) did not exist. Go to IAM in the console, Create Role, select EKS, select EKS-Nodegroup as your use case and follow the remaining prompts to create the role.

After I did that my code ran fine.

Upvotes: 5
