19

I am trying to run this command at the command line:

aws eks create-cluster \
    --name ignitecluster \
    --role-arn "$role_arn" \
    --resources-vpc-config \
    subnetIds="$subnet_id",securityGroupIds="$security_group"

I get:

An error occurred (AccessDeniedException) when calling the CreateCluster operation: User: arn:aws:iam::9136xxxx20371:user/ec2_resources is not authorized to perform: eks:CreateCluster on resource: arn:aws:eks:us-west-2:9136xxxx371:cluster/ignitecluster

I cannot for the life of me figure out how to give this role permissions on eks:*. Does anyone know?

Alexander Mills

4 Answers

27

To do this you will need to be a user or role that is allowed to edit IAM roles in the account.

In the AWS console, open the IAM service, click Users, select the user. On the Permissions tab click the Add Inline Policy link.

The following policy adds all permissions to the user.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "eksadministrator",
            "Effect": "Allow",
            "Action": "eks:*",
            "Resource": "*"
        }
    ]
}

The 'eksadministrator' value for Sid can be changed to something more appropriate for you.

dlaidlaw
  • This policy contains the following error: The following Statement Ids are invalid: eks-administrator, For more information about the IAM policy grammar, see AWS IAM Policies. I need to find another solution. – Edward Chiang Sep 11 '19 at 01:06
  • The Sid had an invalid character, I edited the response and removed that character, which was a dash. The old, invalid value was eks-administrator. You can also leave out the Sid, it is an optional identifier in the statement. – dlaidlaw Sep 13 '19 at 18:45
  • 1
    For me it also works by assigning the `AdminEKSPolicy` to the role. – Thomas Gotwig Mar 28 '20 at 12:39
  • 1
    @ThomasGotwig is that a custom policy? – alegria Apr 29 '21 at 23:23
  • Awesome, this code block fixed my issue. `"Action": "eks:*", "Resource": "*"` – Umamaheswararao Meka Apr 26 '23 at 16:28
2

Go to IAM user, then to your specific user. Add a permissions policy to that user:

  • Add inline policy.
  • Go to visual editor and select EKS service.
  • In action, select all EKS actions.
  • For resources select all.
  • For requested condition select none of them.

I will update this solution in future.

James Risner
1

Firstly, you can check your policies in IAM->access management->policies. You can create a new policy or attach your account to one of the existing policies. Search "EKS" and add "CreateCluster" in the list, then create a new policy, problem solved.

  • Thanks, I followed your instructions, then I also made use of the cmd `$ aws eks list-clusters` to view the list of clusters that I have already created on the AWS EKS console – Alabi Temitope Oct 14 '21 at 18:58
1

This can also happen due to misconfigured AWS credentials. Just cross-check your .aws/credentials with your AWS IAM credentials. If they are not the same, then go for aws configure and set the rest. PS: The above answers are correct, but this situation hit for me.

ashique
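As an added example (not code from any of the answers above): Python that reads an AccessDeniedException message like the one in the question and builds an inline policy limited to the denied action and resource, a narrower alternative to `eks:*` on `*`. The account ID, role name and function names are constructed for illustration; the optional `iam:PassRole` statement is included because `create-cluster` hands `--role-arn` to EKS.

```python
import json
import re

# Constructed sample in the shape of the AccessDeniedException quoted in the
# question; the account ID 111122223333 is a placeholder, not from the page.
SAMPLE_ERROR = (
    "An error occurred (AccessDeniedException) when calling the CreateCluster "
    "operation: User: arn:aws:iam::111122223333:user/ec2_resources is not "
    "authorized to perform: eks:CreateCluster on resource: "
    "arn:aws:eks:us-west-2:111122223333:cluster/ignitecluster"
)
DENIED = re.compile(
    r"User: (?P<principal>arn:\S+) is not authorized to perform: "
    r"(?P<action>[\w-]+:\w+) on resource: (?P<resource>arn:\S+)"
)

def parse_denied(message):
    """Return the principal, action and resource named in the message."""
    match = DENIED.search(message)
    if match is None:
        raise ValueError("not an 'is not authorized to perform' message")
    return match.groupdict()

def scoped_policy(message, cluster_role_arn=None):
    """Build an inline policy allowing only the denied action on that resource."""
    denied = parse_denied(message)
    statements = [{
        "Sid": "AllowDeniedAction",  # Sids must be alphanumeric (no dash)
        "Effect": "Allow",
        "Action": denied["action"],
        "Resource": denied["resource"],
    }]
    if cluster_role_arn:
        # Passing a role to EKS requires iam:PassRole on that role.
        statements.append({
            "Sid": "PassClusterRoleToEks",
            "Effect": "Allow",
            "Action": "iam:PassRole",
            "Resource": cluster_role_arn,
            "Condition": {"StringEquals": {"iam:PassedToService": "eks.amazonaws.com"}},
        })
    return {"Version": "2012-10-17", "Statement": statements}

if __name__ == "__main__":
    # Hypothetical role ARN standing in for the question's $role_arn.
    role = "arn:aws:iam::111122223333:role/example-eks-cluster-role"
    print(json.dumps(scoped_policy(SAMPLE_ERROR, role), indent=2))
```

The principal returned by `parse_denied` can be compared with the output of `aws sts get-caller-identity` to confirm which credentials the CLI is actually using. The generated document can be attached as an inline policy with `aws iam put-user-policy --user-name ... --policy-name ... --policy-document file://policy.json`, run as a principal that is allowed to edit IAM.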