Failed to create fargate profile

Question

When attempting to create a fargate profile with amazon eks (using command eksctl create cluster --name myclustername --version 1.14 --fargate), I get the

[✔]  all EKS cluster resources for "myclustername" have been created
[✔]  saved kubeconfig as "/home/connor/.kube/config"
[ℹ]  creating Fargate profile "fp-default" on EKS cluster "myclustername"
Error: failed to create Fargate profile "fp-default" on EKS cluster "myclustername": failed     to create Fargate profile "fp-default": AccessDeniedException: Account 339969016160 is not authorized to use this service
status code: 403, request id: 1db7cf38-002e-48b8-8fa6-8a7b7eab324d

Any ideas on what permissions I need to add to get around this? I prefer to do all administration through cli, wherever possible

score 23 · Answer 1 · answered Jan 13 '20 at 00:24

23

Error is hideous in that it suggests it is a permissions issue, while really the problem is that fargate with EKS (kubernetes) is only supported in four regions as of January 12th 2020:

Region Name             Region
US East (Ohio)          us-east-2
US East (N. Virginia)   us-east-1
Asia Pacific (Tokyo)    ap-northeast-1
EU (Ireland)            eu-west-1

See: https://docs.aws.amazon.com/eks/latest/userguide/fargate.html

Although not apparent in your note, I suspect you are trying to use a region not on the above list.

Note that fargate is available on more regions as long as it is not used in conjunction with EKS.

answered Jan 13 '20 at 00:24

roel

339
1
2

I had the same problem, but am using us-east-2 – Lauren Leder Jan 14 '20 at 19:52
Thank you! I was using eu-west-2 as the region, and got this error. Changing it over to eu-west-1 fixed it. Yep, awful error message. – nkhil May 23 '20 at 14:23

score 0 · Answer 2 · answered Mar 15 '20 at 04:25

The best way to debug this is probably to look for the responsible error in the Cloudformation event log for the cluster. It should tell you the cause of the problem, and whether it is that the region is overloaded or id it is a permissions/IAM related problem.

You can also add --verbose 5 to the eksctl command to see better output in the console.

If it is permissions related and not a region capacity error, make sure the AWS user/profile that you are using has at least the following permissions:

# Cloud Formation
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "eksCtlCloudFormation",
            "Effect": "Allow",
            "Action": "cloudformation:*",
            "Resource": "*"
        }
    ]
}


# EKS
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "eks:*"
            ],
            "Resource": "*"
        }
    ]
}

#Autoscaling
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:DeleteLaunchConfiguration"
            ],
            "Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "autoscaling:UpdateAutoScalingGroup",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:CreateAutoScalingGroup"
            ],
            "Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": [
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations"
            ],
            "Resource": "*"
        }
    ]
}

#IAM
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:DetachRolePolicy",
                "iam:DeleteRolePolicy",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
                "arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
            ]
        }
    ]
}

#Networking
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "EksInternetGateway",
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Sid": "EksNetworking",
            "Effect": "Allow",
            "Action": [
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DeleteSubnet",
                "ec2:DeleteTags",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ec2:AttachInternetGateway",
                "ec2:DescribeVpcAttribute",
                "ec2:DeleteRouteTable",
                "ec2:AssociateRouteTable",
                "ec2:DescribeInternetGateways",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateSecurityGroup",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeRouteTables",
                "ec2:ReleaseAddress",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:DescribeTags",
                "ec2:CreateTags",
                "ec2:DeleteRoute",
                "ec2:CreateRouteTable",
                "ec2:DetachInternetGateway",
                "ec2:DescribeNatGateways",
                "ec2:DisassociateRouteTable",
                "ec2:AllocateAddress",
                "ec2:DescribeSecurityGroups",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteNatGateway",
                "ec2:DeleteVpc",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets"
            ],
            "Resource": "*"
        }
    ]
}

Failed to create fargate profile

2 Answers2

Linked