[EKS] [question]: Inconsistent ARN for EKS cluster resources? #1172

Closed
foriequal0 opened this issue Dec 3, 2020 · 5 comments
Labels
Proposed Community submitted issue

Comments

@foriequal0
foriequal0 commented Dec 3, 2020

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments, they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about your request
I was attaching a policy to a role that manages a cluster. I've attached the following policy as usual:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "eks:*",
            "Resource": [
                "arn:aws:eks:<region>:<account>:cluster/<cluster-name>",
                "arn:aws:eks:<region>:<account>:cluster/<cluster-name>/*"
            ],
            "Effect": "Allow"
        }
    ]
}

But I got the following error on the console when I switched to the role:

Error loading add-ons
User: arn:aws:sts::<region>:assumed-role/<role>/<iam user> is not authorized to perform: eks:ListAddons on resource: arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons

I had to check it twice. A plural, '/'-prefixed '/clusters', not a singular, non-prefixed 'cluster'. It is inconsistent with the existing resource types.
(existing resource types: https://docs.aws.amazon.com/service-authorization/latest/reference/list_amazonelasticcontainerserviceforkubernetes.html; also, the new APIs are not listed there)
I could add them to the list, but... why the inconsistent plural?

Which service(s) is this request for?
This could be EKS.

Are you currently working around this issue?
I'm using the following statements

{
    "Action": "eks:*",
    "Resource": [
        "arn:aws:eks:<region>:<account>:cluster/<cluster-name>",
        "arn:aws:eks:<region>:<account>:cluster/<cluster-name>/*"
    ],
    "Effect": "Allow"
},
{
    "Action": "eks:DescribeAddonVersions",
    "Resource": "arn:aws:eks:<region>:<account>:/addons/supported-versions",
    "Effect": "Allow"
},
{
    "Action": "iam:ListRoles",
    "Resource": "arn:aws:iam::551163691211:role/*",
    "Effect": "Allow"
},
{
    "Action": [
        "eks:ListAddons",
        "eks:DescribeAddon",
        "eks:DeleteAddon"
    ],
    "Resource": [
        "arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons",
        "arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons/*"
    ],
    "Effect": "Allow"
},
{
    "Action": "eks:CreateAddon",
    "Resource": "arn:aws:eks:<region>:<account>:/createaddon",
    "Effect": "Allow"
},
{
    "Action": "eks:UpdateAddon",
    "Resource": "arn:aws:eks:<region>:<account>:/updateaddon",
    "Effect": "Allow"
}

edit I found more inconsistencies.
I thought it is kind of understandable that eks:DescribeAddonVersions performs on arn:aws:eks:<region>:<account>:/addons/supported-versions since the API is not bound to a specific cluster, and also the endpoint is GET /addons/supported-versions. I thought this is the new pattern for ARNs: RESTful URI = ARN. Okay. It makes sense for eks:ListAddons too. It performs on arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons and its endpoint is GET /clusters/<cluster-name>/addons.

But my mental model broke when I met eks:CreateAddon. It performs on arn:aws:eks:<region>:<account>:/createaddon. Its endpoint is POST /clusters/<name>/addons. WHAT? I wonder what eks:DeleteAddon and eks:UpdateAddon perform on.
edit2 eks:UpdateAddon performs on /updateaddon, and eks:DeleteAddon performs on /clusters/<name>/addons/<addon-name>

@foriequal0 foriequal0 added the Proposed Community submitted issue label Dec 3, 2020
@tabern tabern added this to Researching in containers-roadmap via automation Mar 24, 2021
@jasonliang228
Currently, the IAM ARN structure for EKS add-on operations is inconsistent with the other EKS cluster resources. Customers need to use the following ARN structure for add-on operations:

CreateAddon:arn:aws:eks:<region>:<account>:/createaddon
DescribeAddon:arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons/*
DeleteAddon:arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons/*
ListAddons:arn:aws:eks:<region>:<account>:/clusters/<cluster-name>/addons
UpdateAddon:arn:aws:eks:<region>:<account>:/updateaddon
DescribeAddonVersions:arn:aws:eks:<region>:<account>:/addons/supported-versions

The fix will be rolled out in 2-3 weeks; after that, customers will be able to use the same ARN structure as the other EKS operations.
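To see concretely why the reporter's `cluster/<cluster-name>/*` policy above did not cover the add-on ARNs listed in this comment, here is an added example (not code from the issue, from AWS, or from any participant) that applies IAM's `Resource` and `Action` wildcard rules (`*` matches any run of characters including `/`, `?` matches one character; actions match case-insensitively, ARNs case-sensitively; an explicit Deny overrides any Allow) to both the original policy and the reporter's workaround statements. The region, account id, cluster name and add-on name are constructed placeholders, and the evaluator ignores conditions and principal/boundary logic, so it is a least-privilege sanity check for the resource patterns, not a replacement for the IAM policy simulator.

```python
import json
import re

# Constructed placeholders; the thread elides the real region, account and cluster.
REGION = "us-east-1"
ACCOUNT = "111122223333"
CLUSTER = "demo-cluster"
ADDON = "vpc-cni"  # constructed add-on name for the per-add-on ARNs

# The policy from the original report, with the placeholders filled in.
ORIGINAL_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": "eks:*",
            "Resource": [
                f"arn:aws:eks:{REGION}:{ACCOUNT}:cluster/{CLUSTER}",
                f"arn:aws:eks:{REGION}:{ACCOUNT}:cluster/{CLUSTER}/*",
            ],
            "Effect": "Allow",
        }
    ],
}

# The reporter's workaround statements, wrapped into a complete policy document.
WORKAROUND_POLICY = {
    "Version": "2012-10-17",
    "Statement": ORIGINAL_POLICY["Statement"] + [
        {"Action": "eks:DescribeAddonVersions",
         "Resource": f"arn:aws:eks:{REGION}:{ACCOUNT}:/addons/supported-versions",
         "Effect": "Allow"},
        {"Action": ["eks:ListAddons", "eks:DescribeAddon", "eks:DeleteAddon"],
         "Resource": [f"arn:aws:eks:{REGION}:{ACCOUNT}:/clusters/{CLUSTER}/addons",
                      f"arn:aws:eks:{REGION}:{ACCOUNT}:/clusters/{CLUSTER}/addons/*"],
         "Effect": "Allow"},
        {"Action": "eks:CreateAddon",
         "Resource": f"arn:aws:eks:{REGION}:{ACCOUNT}:/createaddon",
         "Effect": "Allow"},
        {"Action": "eks:UpdateAddon",
         "Resource": f"arn:aws:eks:{REGION}:{ACCOUNT}:/updateaddon",
         "Effect": "Allow"},
    ],
}

# (action, resource) pairs the add-on APIs authorized against at the time, per the thread,
# plus eks:DescribeCluster on the conventional cluster ARN as a control.
REQUESTS = {
    "eks:DescribeCluster": f"arn:aws:eks:{REGION}:{ACCOUNT}:cluster/{CLUSTER}",
    "eks:ListAddons": f"arn:aws:eks:{REGION}:{ACCOUNT}:/clusters/{CLUSTER}/addons",
    "eks:DescribeAddon": f"arn:aws:eks:{REGION}:{ACCOUNT}:/clusters/{CLUSTER}/addons/{ADDON}",
    "eks:DeleteAddon": f"arn:aws:eks:{REGION}:{ACCOUNT}:/clusters/{CLUSTER}/addons/{ADDON}",
    "eks:CreateAddon": f"arn:aws:eks:{REGION}:{ACCOUNT}:/createaddon",
    "eks:UpdateAddon": f"arn:aws:eks:{REGION}:{ACCOUNT}:/updateaddon",
    "eks:DescribeAddonVersions": f"arn:aws:eks:{REGION}:{ACCOUNT}:/addons/supported-versions",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _glob_to_regex(pattern, case_insensitive):
    # IAM wildcards: '*' matches any run of characters (including '/'), '?' matches exactly one.
    body = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.compile(f"^{body}$", re.IGNORECASE if case_insensitive else 0)


def action_matches(pattern, action):
    # IAM compares action names case-insensitively.
    return _glob_to_regex(pattern, True).match(action) is not None


def resource_matches(pattern, arn):
    # IAM compares resource ARNs case-sensitively.
    return _glob_to_regex(pattern, False).match(arn) is not None


def policy_allows(policy, action, arn):
    """Simplified evaluation: any matching Deny wins, otherwise any matching Allow grants."""
    allowed = False
    for stmt in policy["Statement"]:
        hit = (any(action_matches(a, action) for a in _as_list(stmt["Action"]))
               and any(resource_matches(r, arn) for r in _as_list(stmt["Resource"])))
        if not hit:
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def check_policy(policy):
    """Map each request in REQUESTS to whether the policy grants it."""
    return {action: policy_allows(policy, action, arn) for action, arn in REQUESTS.items()}


if __name__ == "__main__":
    print("original:  ", json.dumps(check_policy(ORIGINAL_POLICY), indent=2))
    print("workaround:", json.dumps(check_policy(WORKAROUND_POLICY), indent=2))
```

Running it shows the original policy granting only `eks:DescribeCluster`: the `cluster/<name>/*` pattern requires the literal text `cluster/` right after the account field, whereas the add-on ARNs continue with `/clusters/`, so no `*` placement in the conventional pattern can reach them without widening the resource to `arn:aws:eks:<region>:<account>:*`. The workaround policy grants every request because it names each of the nonconforming ARN shapes explicitly.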

@ethankhall
@jasonliang228 has this rolled out? I just ran into this issue.

@hyousif-pkglobal
@jasonliang228, same issue. Has it been fixed yet? Thanks.

@mikestef9 mikestef9 moved this from Researching to We're Working On It in containers-roadmap Oct 5, 2021
@mikestef9
Contributor

Apologies for the experience here. We are still working behind the scenes on making add-ons ARNs consistent with other EKS resources. Can't share a timeline in this forum, but it's a high priority item, and I will update this issue as soon as the fix is rolled out.

@MichaelHauss
MichaelHauss commented Apr 29, 2022

EKS add-ons ARNs are now consistent with ARNs for other EKS resources. You can view all resource types defined by EKS here.

containers-roadmap automation moved this from We're Working On It to Just Shipped Apr 29, 2022