Reputation: 85
I'm trying to install the EBS-CSI-Driver Add-on for EKS on AWS, but I get an error with Denied status, although my account has the AdministratorAccess role. Why does this happen?
Via CLI:
An error occurred (AccessDeniedException) when calling the CreateAddon operation: User: arn:aws:iam::my-user-id:user/my-user is not authorized to perform: iam:PassRole on resource: arn:aws:iam::my-user-id:role/EKS_NodeGroup_Role with an explicit deny"
Via Console:
AccessDenied namespaces "kube-system" is forbidden: User "eks:addon-manager" cannot patch resource "namespaces" in API group "" in the namespace "kube-system""
I added AmazonEBSCSIDriverPolicy to EKS_NodeGroup_Role but still have the same error.
Upvotes: 0
Views: 1467
Reputation: 21
The problem is possibly a missing eks:addon-cluster-admin clusterrolebinding. It can be checked with:
```
$ kubectl get clusterrolebinding | grep addon
eks:addon-cluster-admin ClusterRole/cluster-admin
eks:addon-manager ClusterRole/eks:addon-manager
```
If there is no addon-cluster-admin, it can be created with:
```
$ vi eks-addon-cluster-admin.yaml
```
```yaml
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
  name: eks:addon-cluster-admin
subjects:
  - kind: User
    name: eks:addon-manager
    apiGroup: rbac.authorization.k8s.io
roleRef:
  kind: ClusterRole
  name: cluster-admin
  apiGroup: rbac.authorization.k8s.io
```
```
$ kubectl apply -f eks-addon-cluster-admin.yaml
```
Then re-create the Amazon EBS CSI Driver; it should be in "Active" status.
Upvotes: 2
Reputation: 132
Got the same issue. Not sure why.
However, the issue could be solved by adding “patch” to the clusterrole “eks:addonmanager”.
Upvotes: 0
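An added example, not code from any of the posts above: a small offline check for the console error, evaluating an RBAC export to see which ClusterRoleBinding, if any, lets `eks:addon-manager` patch `namespaces`. It covers both answers (the missing binding and the missing `patch` verb). The sample objects and the names `grants`, `SAMPLE` and `ADMIN_BINDING` are constructed for illustration, and the evaluation is a simplification of Kubernetes RBAC.

```python
import json

# Constructed sample shaped like `kubectl get clusterroles,clusterrolebindings -o json`
# output; the rules shown are illustrative, not copied from a real EKS cluster.
SAMPLE = json.loads("""
{"kind": "List", "items": [
 {"kind": "ClusterRole", "metadata": {"name": "cluster-admin"},
  "rules": [{"apiGroups": ["*"], "resources": ["*"], "verbs": ["*"]}]},
 {"kind": "ClusterRole", "metadata": {"name": "eks:addon-manager"},
  "rules": [{"apiGroups": [""], "resources": ["namespaces"], "verbs": ["get", "list"]}]},
 {"kind": "ClusterRoleBinding", "metadata": {"name": "eks:addon-manager"},
  "subjects": [{"kind": "User", "name": "eks:addon-manager"}],
  "roleRef": {"kind": "ClusterRole", "name": "eks:addon-manager"}}
]}
""")["items"]

# The binding from the first answer, in the same JSON shape (constructed).
ADMIN_BINDING = {"kind": "ClusterRoleBinding", "metadata": {"name": "eks:addon-cluster-admin"},
                 "subjects": [{"kind": "User", "name": "eks:addon-manager"}],
                 "roleRef": {"kind": "ClusterRole", "name": "cluster-admin"}}

def _covers(allowed, wanted):
    """True if an RBAC rule list names `wanted` or the '*' wildcard."""
    return "*" in allowed or wanted in allowed

def grants(items, user, verb, resource, api_group=""):
    """Names of ClusterRoleBindings that let `user` do `verb` on `resource`.

    Simplified: User subjects and ClusterRoles only; ignores groups,
    namespaced RoleBindings, resourceNames and aggregated roles.
    """
    roles = {i["metadata"]["name"]: i.get("rules") or []
             for i in items if i["kind"] == "ClusterRole"}
    hits = []
    for b in (i for i in items if i["kind"] == "ClusterRoleBinding"):
        bound = any(s.get("kind") == "User" and s.get("name") == user
                    for s in b.get("subjects") or [])
        if not bound or b["roleRef"]["kind"] != "ClusterRole":
            continue
        if any(_covers(r.get("apiGroups", []), api_group)
               and _covers(r.get("resources", []), resource)
               and _covers(r.get("verbs", []), verb)
               for r in roles.get(b["roleRef"]["name"], [])):
            hits.append(b["metadata"]["name"])
    return hits

if __name__ == "__main__":
    print("before:", grants(SAMPLE, "eks:addon-manager", "patch", "namespaces"))
    print("after: ", grants(SAMPLE + [ADMIN_BINDING], "eks:addon-manager", "patch", "namespaces"))
```

Because `cluster-admin` matches every verb on every resource, calling `grants` with other verbs and resources shows how much more that binding allows than the single `patch` verb mentioned in the second answer.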