Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

AWS EKS "is not authorized to perform: iam:CreateServiceLinkedRole"

I have followed the documentation for spinning up an EKS cluster that says to make a service role with certain policies.

https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf

To create your Amazon EKS service role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, then Create role.
3. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.
4. Choose Next: Review.
5. For Role name, enter a unique name for your role, such as eksServiceRole, then choose Create role.

When I create a basic hello world app, it throws an AccessDenied error.

Error creating load balancer (will retry): failed to ensure load balancer for service default/nginx:
AccessDenied: User: arn:aws:sts::*************:assumed-role/eks-service-role/************* is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::*************:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing

The two Policies that were added (AmazonEKSClusterPolicy, AmazonEKSServicePolicy) do not have the iam:CreateServiceLinkedRole action allowed. Are we supposed to add this outside of the policies defined in the guide? Or is this something that should be included in the EKS policies?

like image 415
dannyisonstackoverflow Avatar asked Jul 30 '18 15:07

dannyisonstackoverflow


2 Answers

It seems that the EKS userguide assumes you have created load balancers in your AWS account prior to creating the EKS cluster, and thus have an existing AWSServiceRoleForElasticLoadBalancing service role in AWS IAM.

As described in https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-service-linked-roles.html#create-service-linked-role

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer.

EKS is attempting to do this for you, resulting in the access denied exception using the default policies.

Other options to explicitly create the service-linked role prior to EKS cluster creation include:

AWS CLI

aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

Terraform

resource "aws_iam_service_linked_role" "elasticloadbalancing" {
  aws_service_name = "elasticloadbalancing.amazonaws.com"
}

Or, manually create a load balancer from the UI Console.

Regardless of provisioning options, you should know things will work when you see the following role in AWS IAM

arn:aws:iam::<ACCOUNT_ID>:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing
like image 124
MMC Avatar answered Oct 23 '22 21:10

MMC


I got it worked by adding this policy to the EKS Role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "arn:aws:iam::*:role/aws-service-role/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAccountAttributes"
                ],
                "Resource": "*"
            }
        ]
    }
like image 35
Andrej Maya Avatar answered Oct 23 '22 21:10

Andrej Maya