Dexterx25
Reputation: 1
not authorized to perform: eks:CreateCluster
after cdk deploy:
cdkDeploy--dev--ClusterEKS/cdkDeploy--dev--ClusterEKS/Resource/Resource/Default (cdkDeploydevClusterEKS37F9DAF6)
Received response status [FAILED] from custom resource. Message returned:
User: arn:aws:sts::<account_id>:assumed-role/cdkDeploystack1-cdkDeploydevClusterEKSCreationRole-1FNO2560SPCWP/AWSCDK.EKSCluster.Create.dbee9f9e-a956-4340-bf11-381d24d7b789
is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:<account_id>:cluster/*
I've been learning about cdk infraestructure such a code. i want to implement a EKS cluster with my security group using autoScalling eks, nodeGroup, vpc, ECR with CD/CI codeBuild, and more tools... but i've been stacking several days in the same "not authorized error"... i created Role, with Policies statements with EKS:* but nothing, nothing works for some weird problem... i dont know what is wrong if i used the role with the right policies.
i had exported that bastionHostPolicies with eksadministrator PolicyStatement using "eks:" action for all resources "".
const statements = [
new iam.PolicyStatement({
effect: iam.Effect.ALLOW,
actions: ['ec2:*'],
resources: ['*'],
sid: 'EC2ALL',
}),
new PolicyStatement({
resources: [
'*'
],
actions: [
"eks:*"
],
effect: Effect.ALLOW,
sid: 'eksadministrator',
}),
new PolicyStatement({
resources: ['*'],
actions: [
'autoscaling:*'
],
effect: Effect.ALLOW,
sid: 'AutoScalingALL',
}),
new PolicyStatement({
effect: Effect.ALLOW,
actions: [
'ecr:GetAuthorizationToken',
'ecr:BatchCheckLayerAvailability',
'ecr:GetDownloadUrlForLayer',
'ecr:GetRepositoryPolicy',
'ecr:DescribeRepositories',
'ecr:ListImages',
'ecr:DescribeImages',
'ecr:BatchGetImage',
'ecr:ListTagsForResource',
'ecr:DescribeImageScanFindings',
'ecr:InitiateLayerUpload',
'ecr:UploadLayerPart',
'ecr:CompleteLayerUpload',
'ecr:PutImage',
'ecr:CreateRepository',
],
resources: ['*'],
sid: 'ECRALL',
}),
new PolicyStatement({
effect: Effect.ALLOW,
actions: [
"s3:CreateBucket",
"s3:ListAllMyBuckets",
"s3:GetBucketLocation"
],
resources: [
'*',
"arn:aws:s3:::*"
],
sid: 'S3All',
}),
new PolicyStatement({
resources: ['*'],
actions: ['ssm:*'],
sid: 'ssmALL'
}),
new PolicyStatement({
resources: ['*'],
actions: ['iam:*'],
sid: 'iamALL'
})
];
this.bastionHostPolicies = new iam.PolicyDocument({
statements,
})
import { Fn, StackProps } from 'aws-cdk-lib';
import {Construct} from 'constructs';
import { getString } from '../../utils';
import * as cdk from 'aws-cdk-lib';
import { Key } from 'aws-cdk-lib/aws-kms';
import * as eks from 'aws-cdk-lib/aws-eks';
import { propsCustomEKS } from '../interfaces';
import * as ec2 from 'aws-cdk-lib/aws-ec2';
import * as autoscaling from 'aws-cdk-lib/aws-autoscaling';
const helper = require('js-yaml');
import * as fs from 'fs'
import * as iam from 'aws-cdk-lib/aws-iam'
import { KubectlV27Layer } from '@aws-cdk/lambda-layer-kubectl-v27';
/** Class representing a vpc import from parameter stores
* with a predefine sysntax name
* */
class CustomEKS extends Construct {
public readonly cluster: eks.Cluster
public readonly awsauth: eks.AwsAuth
public readonly asg: autoscaling.AutoScalingGroup
public readonly clusterKmsKey: Key;
constructor(scope: Construct, id: string, projectProps: propsCustomEKS ) {
super(scope, id);
const {vpc, bastionHostPolicies, securityGroup} = projectProps;
this.clusterKmsKey = new Key(
this,
`ekskmskey`,
{
enableKeyRotation: true,
alias: cdk.Fn.join('', ['alias/', 'eks/', `ekskmskey`]),
});
const eksRole = new iam.Role(this, 'EksClusterMasterRole', {
assumedBy: new iam.AccountRootPrincipal(),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSServicePolicy"),
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSClusterPolicy"),
],
inlinePolicies: { bastionHostPolicies }
});
this.cluster = new eks.Cluster(this, `${getString(projectProps, 'project_name')}/${getString(projectProps, 'environment')}/ClusterEKS`, {
defaultCapacity: 0, // we want to manage capacity our selves
version: eks.KubernetesVersion.V1_27,
kubectlLayer: new KubectlV27Layer(this, 'kubectl'),
endpointAccess: eks.EndpointAccess.PRIVATE,
secretsEncryptionKey: this.clusterKmsKey,
mastersRole: eksRole,
securityGroup,
clusterName: `${getString(projectProps, 'project_name')}/${getString(projectProps, 'environment')}/ClusterEKS`,
placeClusterHandlerInVpc: true,
vpc: vpc.vpc,
vpcSubnets: [vpc.vpc.selectSubnets({
subnets: vpc.subn,
onePerAz: true,
})],
});
const nodegroupRole = new iam.Role(scope, 'NodegroupRole', {
assumedBy: new iam.ServicePrincipal("ec2.amazonaws.com"),
managedPolicies: [
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKSWorkerNodePolicy"),
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEKS_CNI_Policy"),
iam.ManagedPolicy.fromAwsManagedPolicyName("AmazonEC2ContainerRegistryReadOnly"),
],
inlinePolicies: {bastionHostPolicies}
});
this.cluster.addNodegroupCapacity("managed-node", {
instanceTypes: [ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO)],
minSize: 1,
maxSize: 1,
nodeRole: nodegroupRole
});
console.log('pasó eks clouster creation');
this.asg = this.cluster.addAutoScalingGroupCapacity(
`${getString(projectProps, 'project_name')}/${getString(projectProps, 'environment')}/AutoScalingGroupEKS`,
{
keyName: 'keypemToConnect',
instanceType: ec2.InstanceType.of(ec2.InstanceClass.T2, ec2.InstanceSize.MICRO),
machineImageType: eks.MachineImageType.BOTTLEROCKET,
autoScalingGroupName: `${getString(projectProps, 'project_name')}/${getString(projectProps, 'environment')}/AutoScalingGroupEKS`,
allowAllOutbound: false,
healthCheck: autoscaling.HealthCheck.ec2(),
minCapacity: 2,
maxCapacity: 4,
vpcSubnets: vpc.vpc.selectSubnets({
subnets: vpc.subn,
onePerAz: true,
}),
})
console.log('autoScalling pass');
this.asg.connections.allowTo(this.cluster, ec2.Port.tcp(443), 'Allow between BastionHost and EKS ');
this.asg.userData.addCommands(
`VERSION=$(aws --region ${projectProps.region} eks describe-cluster --name ${this.cluster.clusterName} --query 'cluster.version' --output text)`,
'echo \'K8s version is $VERSION\'',
'curl -LO https://dl.k8s.io/release/v$VERSION.0/bin/linux/amd64/kubectl',
'install -o root -g root -m 0755 kubectl /bin/kubectl',
);
this.awsauth = new eks.AwsAuth(this, 'EKS_AWSAUTH', {
cluster: this.cluster,
});
this.cluster.awsAuth.addRoleMapping(eksRole, { groups: [ 'system:masters' ]});
this.cluster.awsAuth.addMastersRole(eksRole);
}
}
export { CustomEKS }
i want to create a eks cluster but i've been stack in the same error even using the role with the right policies...
also my main user aws account has that same policies eks: eks permissions policy
cloudwatch log error:
2023-08-27T20:21:56.254Z c23b4123-a8ec-4679-a48f-fd444d3f9aa6 ERROR Invoke Error {
"errorType": "AccessDeniedException",
"errorMessage": "User: arn:aws:sts::<account_id>:assumed-role/cdkDeploystack1-cdkDeploydevClusterEKSCreationRole-XST49HASZHMH/AWSCDK.EKSCluster.Create.21debcdd-8c24-44de-9f70-3eb132bd8288 is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:<account_id>:cluster/*",
"name": "AccessDeniedException",
"$fault": "client",
"$metadata": {
"httpStatusCode": 403,
"requestId": "049f0b1c-fb7e-416f-b3e1-f586f2f3a2b7",
"attempts": 1,
"totalRetryDelay": 0
},
"message": "User: arn:aws:sts::<account_id>:assumed-role/cdkDeploystack1-cdkDeploydevClusterEKSCreationRole-XST49HASZHMH/AWSCDK.EKSCluster.Create.21debcdd-8c24-44de-9f70-3eb132bd8288 is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:<account_id>:cluster/*",
"stack": [
"AccessDeniedException: User: arn:aws:sts::<account_id>:assumed-role/cdkDeploystack1-cdkDeploydevClusterEKSCreationRole-XST49HASZHMH/AWSCDK.EKSCluster.Create.21debcdd-8c24-44de-9f70-3eb132bd8288 is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-east-1:<account_id>:cluster/*",
" at throwDefaultError (/var/runtime/node_modules/@aws-sdk/smithy-client/dist-cjs/default-error-handler.js:8:22)",
" at deserializeAws_restJson1CreateClusterCommandError (/var/runtime/node_modules/@aws-sdk/client-eks/dist-cjs/protocols/Aws_restJson1.js:1035:51)",
" at process.processTicksAndRejections (node:internal/process/task_queues:95:5)",
" at async /var/runtime/node_modules/@aws-sdk/middleware-serde/dist-cjs/deserializerMiddleware.js:7:24",
" at async /var/runtime/node_modules/@aws-sdk/middleware-signing/dist-cjs/middleware.js:13:20",
" at async StandardRetryStrategy.retry (/var/runtime/node_modules/@aws-sdk/middleware-retry/dist-cjs/StandardRetryStrategy.js:51:46)",
" at async /var/runtime/node_modules/@aws-sdk/middleware-logger/dist-cjs/loggerMiddleware.js:6:22",
" at async ClusterResourceHandler.onCreate (/var/task/cluster.js:1:1028)"
]
}
Upvotes: 0
Views: 327
Answers (0)
Related Questions
- Could not find a declaration file for module 'module-name'. '/path/to/module-name.js' implicitly has an 'any' type
- How to use k8s ServiceAccount to assume correct AWS Role (IRSA)? Running a Spring Boot app on EKS
- AccessDeniedException: Resource is not in the state functionActiveV2 at Object.extractError
- Cannot create namespaces in AWS Elastic Kubernetes Service - Forbidden
- Unable to access EKS cluster using the role that created it
- Kubernetes Service Account and AWS IAM Role for Secrets
- How to modify the default capacity instance role for EKS using CDK?
- Error while creating EKS Cluster using eksctl