Couldn't create EKS cluster due to the following error: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole


Hi, we have been facing the error below while creating the EKS cluster for the past week:

    Error: error creating EKS Cluster (devcluster): ClientException: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole
    {
      RespMetadata: {
        StatusCode: 400,
        RequestID: "5b43938b-59cd-4ee0-b84f-23faf6a7eda7"
      },
      Message_: "You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole"
    }

      with module.clustering.aws_eks_cluster.global-cluster,
      on ..\module\eks\eks.tf line 1, in resource "aws_eks_cluster" "global-cluster":
       1: resource "aws_eks_cluster" "global-cluster" {

Thanks, Sudarshan

1 Answer

Hi,

The user (or a service like CloudFormation) with which you're trying to pass this role to EKS is not allowed to do so. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

To configure many AWS services, you must pass an IAM role to the service. 
This allows the service to assume the role later and perform actions on your 
behalf. For most services, you only have to pass the role to the service once 
during setup, and not every time that the service assumes the role. For example, 
assume that you have an application running on an Amazon EC2 instance. That 
application requires temporary credentials for authentication, and permissions to 
authorize the application to perform actions in AWS. When you set up the application, 
you must pass a role to Amazon EC2 to use with the instance that provides those credentials. 
You define the permissions for the applications running on the instance by attaching an 
IAM policy to the role. The application assumes the role every time it needs to perform 
the actions that are allowed by the role.

So, you should give "iam:GetRole" and "iam:PassRole" to the principal (user, role, service, etc.) trying to launch your EKS cluster. Full details are on the page mentioned above.

Best,

Duder

AWS Expert, answered 8 months ago
  • Hi, thanks for your answer. I have tried adding "iam:GetRole" and "iam:PassRole" in the EKS cluster policy, but now I am getting a different error: "error updating IAM Role (eksclusterrole) assume role policy: MalformedPolicyDocument: Has prohibited field Resource │ status code: 400, request id: 23c7a51a-05e5-41d8-bc3e-cd2238752828". Do I need to make any modification to the roles?

    This is my tf code:

    resource "aws_iam_role" "globalrole" {
      name = "eksclusterrole"

      assume_role_policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "eks.amazonaws.com" },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::401231317770:role/eksclusterrole"
        }
      ]
    }
    POLICY
    }

    resource "aws_iam_role_policy_attachment" "globalatachment1" {
      policy_arn = "arn:aws:iam::401231317770:policy/eks-new-2023-cluster"
      role       = aws_iam_role.globalrole.name
    }

    resource "aws_iam_role_policy_attachment" "globalatachment" {
      policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy"
      role       = aws_iam_role.globalrole.name
    }
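Putting the answer and the follow-up together, here is an added Terraform example that is not part of the original post or the poster's code. It separates the two policies the thread conflates: the role's trust policy says only who may assume the role (a service principal, no "Resource" key, which is what triggered "Has prohibited field Resource"), while iam:GetRole and iam:PassRole go into an identity policy attached to the principal that runs `terraform apply`. The account id 401231317770, role name eksclusterrole and cluster name devcluster are taken from the question; the deployer role name "terraform-deployer", the policy name "pass-eks-cluster-role" and the subnet_ids variable are assumptions made for this example.

```hcl
# Added example, not the original poster's Terraform. Account id 401231317770,
# role name eksclusterrole and cluster name devcluster come from the question;
# the deployer role "terraform-deployer" and the subnet_ids variable are
# assumptions made for this example.

variable "subnet_ids" {
  description = "Subnets for the cluster control plane ENIs (assumed input)"
  type        = list(string)
}

# Trust policy: only *who may assume* the role. A "Resource" key is not valid
# here, which is what produced "Has prohibited field Resource".
data "aws_iam_policy_document" "eks_cluster_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "globalrole" {
  name               = "eksclusterrole"
  assume_role_policy = data.aws_iam_policy_document.eks_cluster_trust.json
}

# Permissions EKS itself needs on the cluster role. AmazonEKSClusterPolicy is
# the managed policy for the cluster IAM role; AmazonEKSServiceRolePolicy is
# the service-linked role's policy and is not meant for this role.
resource "aws_iam_role_policy_attachment" "cluster_policy" {
  role       = aws_iam_role.globalrole.name
  policy_arn = "arn:aws:iam::aws:policy/AmazonEKSClusterPolicy"
}

# Identity policy for the principal that runs `terraform apply`. This is where
# iam:PassRole belongs: scoped to the single role, and only when the role is
# being handed to EKS, so the deployer cannot pass it to some other service.
data "aws_iam_policy_document" "pass_eks_role" {
  statement {
    sid       = "ReadClusterRole"
    effect    = "Allow"
    actions   = ["iam:GetRole"]
    resources = [aws_iam_role.globalrole.arn]
  }

  statement {
    sid       = "PassClusterRoleToEks"
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.globalrole.arn]
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "pass_eks_role" {
  name   = "pass-eks-cluster-role" # assumed name
  policy = data.aws_iam_policy_document.pass_eks_role.json
}

resource "aws_iam_role_policy_attachment" "deployer_pass_role" {
  role       = "terraform-deployer" # assumed: the role Terraform runs under
  policy_arn = aws_iam_policy.pass_eks_role.arn
}

resource "aws_eks_cluster" "global-cluster" {
  name     = "devcluster"
  role_arn = aws_iam_role.globalrole.arn

  vpc_config {
    subnet_ids = var.subnet_ids
  }

  # IAM is eventually consistent; make sure both attachments exist before EKS
  # evaluates PassRole and before the control plane tries to use the role.
  depends_on = [
    aws_iam_role_policy_attachment.cluster_policy,
    aws_iam_role_policy_attachment.deployer_pass_role,
  ]
}
```

If Terraform runs as an IAM user rather than a role, attach the same policy with aws_iam_user_policy_attachment instead. Before applying, you can confirm the PassRole grant from the deployer's point of view with the IAM policy simulator, for example `aws iam simulate-principal-policy --policy-source-arn arn:aws:iam::401231317770:role/terraform-deployer --action-names iam:PassRole --resource-arns arn:aws:iam::401231317770:role/eksclusterrole --context-entries ContextKeyName=iam:PassedToService,ContextKeyValues=eks.amazonaws.com,ContextKeyType=string`; the EvalDecision should read "allowed", and "implicitDeny" means the deploying principal, not the cluster role, is still missing the permission.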
