Fail to create new cluster with service role error #2182
Comments
Hit this error today. I added the following to my IAM Policy to successfully create the required role:

```json
{
  "Sid": "VisualEditor6",
  "Effect": "Allow",
  "Action": [
    "iam:CreateInstanceProfile",
    "iam:DeleteInstanceProfile",
    "iam:GetRole",
    "iam:GetInstanceProfile",
    "iam:RemoveRoleFromInstanceProfile",
    "iam:CreateRole",
    "iam:DeleteRole",
    "iam:AttachRolePolicy",
    "iam:PutRolePolicy",
    "iam:ListInstanceProfiles",
    "iam:AddRoleToInstanceProfile",
    "iam:ListInstanceProfilesForRole",
    "iam:PassRole",
    "iam:CreateServiceLinkedRole",
    "iam:DetachRolePolicy",
    "iam:DeleteRolePolicy",
    "iam:DeleteServiceLinkedRole",
    "iam:GetRolePolicy"
  ],
  "Resource": [
    "arn:aws:iam::*:role/eksctl-*",
    "arn:aws:iam::*:instance-profile/eksctl-*"
  ]
}
```
I have these permissions in place but still got the error.
Same thing over here, same permissions and still have the error.
I also tried with these suggested IAM permissions from another thread, same results as yours.
I just tried right now temporarily setting the AWS managed policy "AdministratorAccess" on the eksctl IAM user and everything worked as expected, so maybe we can say this is a permissions configuration issue 🤷♂️ point is... which ones are we missing...
The following policy allows me to deploy an EKS cluster using EC2 spot instances with eksctl version 0.19.0. IAM Policy:
Thank youuuuu!!! hehehe, this set of permissions worked for me. I'm also using Spot instances and public/private endpoint with IP whitelisting. Did you get them by trial and error or from some doc/place?
You are very welcome. 95% of the work was done by these fine folks in #204. When you delete your cluster please double check the AWS Console and make sure the CloudFormation stacks which were created by eksctl are dropped cleanly. I have been caught out in the past and been left with a bill I didn't expect! CloudWatch billing events are essential as costs can run away with themselves. Debugging these permissions was a case of watching CloudFormation Events, seeing the failures, understanding what was going on, updating my IAM Policy and going around the loop again. I really wish eksctl.io would publish an IAM Policy on their site; this would have been a whole lot easier.
Man that's a lot of work! (trial and error with EKS), which doesn't bootstrap as fast as a kops cluster. Thanks for that 😉 I've been checking and I always got the CloudFormation stack correctly deleted, thanks for the reminder!
Hi, thanks for reporting this! It seems this is needed quite a bit. I will work on documenting the policies in the coming days (tracked via #204).
I've tried all of the IAM policies discussed here and in #204 and still get this error.
Hi @ryanvade, is it the exact same error that you are getting? Can you give us more details like logs and a redacted version of the config file you used?
eksctl Version: 0.24.0
ends up with `Role with arn: arn:aws:iam::xxxxxxxx:role/eksctl-test-cluster-ServiceRole-xxxxxxxx, could not be assumed because it does not exist or the trusted entity is not correct` given the different policies mentioned in this and other threads.
Hi @ryanvade, I can't reproduce this error with my accounts. Can you please run the same command with
In case anyone else encounters this, I got the same error as @ryanvade with eksctl 0.27.0 and noticed the following error in CloudTrail logs:
It worked after adding the below permission to the "IamLimitedAccess" policy listed in the docs after substituting our account number for "xxx":
Redacted config file, in case it's helpful for reproducing:
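The two approaches described in this thread for finding the missing permissions (reading CloudTrail denials, as in the comment above, and the earlier "watch the CloudFormation events, update the policy, loop again" routine) can be mechanised. The script below is an added example and is not part of the issue or of eksctl: it reads CloudTrail records, keeps only the denied calls, and groups them into least-privilege Allow statements scoped to the exact resources that were denied. The sample records, account number, ARNs and user name are constructed placeholders.

```python
import re
from collections import defaultdict

# Constructed sample CloudTrail records for this example (not the reporter's logs).
# Field names follow the CloudTrail event record format; IDs and ARNs are placeholders.
SAMPLE_EVENTS = [
    {
        "eventTime": "2020-09-01T10:00:00Z",
        "eventSource": "iam.amazonaws.com",
        "eventName": "CreateRole",
        "errorCode": "AccessDenied",
        "errorMessage": (
            "User: arn:aws:iam::111122223333:user/eksctl-user is not authorized to perform: "
            "iam:CreateRole on resource: arn:aws:iam::111122223333:role/eksctl-test-cluster-ServiceRole-ABC"
        ),
    },
    {
        "eventTime": "2020-09-01T10:00:03Z",
        "eventSource": "ec2.amazonaws.com",
        "eventName": "DescribeSubnets",
        "errorCode": "Client.UnauthorizedOperation",
        "errorMessage": "You are not authorized to perform this operation.",
    },
    {
        "eventTime": "2020-09-01T10:00:05Z",
        "eventSource": "eks.amazonaws.com",
        "eventName": "CreateCluster",
        # a successful call carries no errorCode and is ignored below
    },
]

# Matches the action (and the optional resource ARN) named in an IAM denial message.
DENIAL_RE = re.compile(
    r"not authorized to perform: (?P<action>[\w-]+:[\w*]+)"
    r"(?: on resource: (?P<resource>\S+))?"
)


def collect_denials(events):
    """Map each denied IAM action to the set of resources it was denied on."""
    denials = defaultdict(set)
    for ev in events:
        if ev.get("errorCode") not in ("AccessDenied", "Client.UnauthorizedOperation"):
            continue
        match = DENIAL_RE.search(ev.get("errorMessage", ""))
        if match:
            denials[match["action"]].add(match["resource"] or "*")
        else:
            # EC2-style denials do not name the action; derive it from the API call itself.
            service = ev["eventSource"].split(".")[0]
            denials[f"{service}:{ev['eventName']}"].add("*")
    return dict(denials)


def statements_for(denials, sid_prefix="EksctlMissing"):
    """Build one Allow statement per distinct resource set so ARN-scoped grants
    are not widened by being mixed with actions that were denied on '*'."""
    by_resources = defaultdict(list)
    for action, resources in denials.items():
        by_resources[tuple(sorted(resources))].append(action)
    return [
        {
            "Sid": f"{sid_prefix}{i}",
            "Effect": "Allow",
            "Action": sorted(actions),
            "Resource": list(resources),
        }
        for i, (resources, actions) in enumerate(sorted(by_resources.items()))
    ]


if __name__ == "__main__":
    import json

    print(json.dumps(statements_for(collect_denials(SAMPLE_EVENTS)), indent=2))
```

Each run of `eksctl create cluster` that fails adds a few more denied calls, so the loop is: collect the denials, append the generated statements to the eksctl user's policy, retry. Review the output before applying it; a denial on `*` means the service did not report a resource, not that a wildcard is required.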
my EKS role was missing in

```json
{
  "Effect": "Allow",
  "Principal": {
    "Service": "eks.amazonaws.com"
  },
  "Action": "sts:AssumeRole"
}
```
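The statement above is a trust policy entry, and its absence produces exactly the "could not be assumed because ... the trusted entity is not correct" message from the issue: the role exists, but nothing lets the EKS service principal call sts:AssumeRole on it. The following check is an added example, not code from the issue or from eksctl; it evaluates a role's trust policy document for a given service principal, honouring scalar-or-list fields and explicit Deny statements but not Condition blocks. The two policy documents are constructed placeholders.

```python
# Constructed trust policies for this example (placeholders, not taken from the issue).
GOOD_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "eks.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}

# Trusts EC2 only: the role exists but EKS cannot assume it, which is the
# "trusted entity is not correct" case in the error message.
EC2_ONLY_TRUST_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Principal": {"Service": "ec2.amazonaws.com"},
            "Action": "sts:AssumeRole",
        }
    ],
}


def _as_list(value):
    """IAM accepts a scalar or a list for Statement, Principal.Service and Action."""
    return value if isinstance(value, list) else [value]


def service_can_assume(trust_policy, service="eks.amazonaws.com"):
    """True when an Allow statement grants sts:AssumeRole to `service` and no Deny revokes it.
    Condition blocks are not evaluated, so a True here is necessary, not sufficient."""
    allowed = denied = False
    for stmt in _as_list(trust_policy.get("Statement", [])):
        principal = stmt.get("Principal", {})
        services = _as_list(principal.get("Service", [])) if isinstance(principal, dict) else []
        actions = _as_list(stmt.get("Action", []))
        if service not in services:
            continue
        if not any(a in ("sts:AssumeRole", "sts:*", "*") for a in actions):
            continue
        if stmt.get("Effect") == "Deny":
            denied = True
        elif stmt.get("Effect") == "Allow":
            allowed = True
    return allowed and not denied


def check_trust(trust_policy, service="eks.amazonaws.com"):
    """Return a one-line verdict on the role's trust relationship."""
    if service_can_assume(trust_policy, service):
        return f"OK: {service} may assume this role"
    return f"MISSING: no effective Allow lets {service} call sts:AssumeRole"


if __name__ == "__main__":
    for name, policy in (("good", GOOD_TRUST_POLICY), ("ec2-only", EC2_ONLY_TRUST_POLICY)):
        print(f"{name}: {check_trust(policy)}")
```

Against a live account the same function can be fed the decoded document that boto3 returns from `iam.get_role(RoleName=...)["Role"]["AssumeRolePolicyDocument"]`, which is a quick way to confirm whether the ServiceRole that eksctl's CloudFormation stack created ended up with the intended trust relationship before the control plane is created.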
It seems the error response is bad. Related to: The following KMS key's policy solved it for me.
What happened?
Fail to create new cluster.
Error message is:
`Role with arn: arn:aws:iam::xxxxxxxxxxxxx:role/eksctl-prd-cluster-ServiceRole-xxxxxxxxx, could not be assumed because it does not exist or the trusted entity is not correct (Service: AmazonEKS; Status Code: 400; Error Code: InvalidParameterException; Request ID: fc9b7780-6fb4-4620-8943-b523bxxxxxxx)`
What you expected to happen?
To create cluster successfully.
How to reproduce it?
exec `eksctl create cluster -f cluster.yaml`
cluster.yaml is below.
Anything else we need to know?
(with `--verbose 5`), the ServiceRole is created successfully, but Create ControlPlane by using the ServiceRole fails.
Versions
Logs