
EKS Auto Mode: Required EC2 Permissions Missing in AmazonEKSComputePolicy?

0

Hi, I’m trying to launch an EKS Auto Mode cluster by following the official AWS documentation. According to the docs, attaching the following AWS-managed IAM policies should be sufficient:

"arn:aws:iam::aws:policy/AmazonEKSClusterPolicy",
"arn:aws:iam::aws:policy/AmazonEKSComputePolicy",
"arn:aws:iam::aws:policy/AmazonEKSNetworkingPolicy",
"arn:aws:iam::aws:policy/AmazonEKSLoadBalancingPolicy",
"arn:aws:iam::aws:policy/AmazonEKSBlockStoragePolicy"

However, when I attempt to launch the cluster, the EC2 nodes fail to start.

I do have an SCP (Service Control Policy) applied at the account level, but it restricts actions only to my custom tags, which are already defined in the NodeClass. However, the SCP doesn’t account for conditions like ${aws:PrincipalTag/eks:eks-cluster-name}, as shown in the policy snippet below.

{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateFleet",
    "ec2:RunInstances",
    "ec2:CreateLaunchTemplate"
  ],
  "Resource": "*",
  "Condition": {
    "StringEquals": {
      "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
    },
    "StringLike": {
      "aws:RequestTag/eks:kubernetes-node-class-name": "*",
      "aws:RequestTag/eks:kubernetes-node-pool-name": "*"
    },
    "ForAllValues:StringLike": {
      "aws:TagKeys": [
        "eks:eks-cluster-name",
        "eks:kubernetes-node-class-name",
        "eks:kubernetes-node-pool-name",
        "kubernetes.io/cluster/*"
      ]
    }
  }
}

Even though AmazonEKSComputePolicy does include the necessary EC2 permissions (ec2:RunInstances, ec2:CreateFleet, ec2:CreateLaunchTemplate), it appears insufficient for EKS Auto Mode. The EC2 nodes only launched successfully after I added this additional custom policy:

{
  "Effect": "Allow",
  "Action": [
    "ec2:CreateLaunchTemplate",
    "ec2:CreateFleet",
    "ec2:RunInstances"
  ],
  "Resource": "*"
}

My Questions: Is this a known issue with EKS Auto Mode? Are others facing similar problems?

Any help or clarification would be greatly appreciated. Thank you!

2 answers
0

By default, the managed policies related to EKS Auto Mode do not permit applying user defined tags to Auto Mode provisioned AWS resources. If you're using custom tags in the NodeClass, you'll need to update the policy to allow that (see https://docs.aws.amazon.com/eks/latest/userguide/auto-learn-iam.html#tag-prop for details).

Custom tags are sometimes used for billing and authentication purposes, and we want application of those tags to be explicitly allowed.

AWS
Answered 5 months ago
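To make the interaction described in the question and in the answer above concrete, here is an added example (not code from the question, the answer, or AWS) that evaluates the condition block of the AmazonEKSComputePolicy snippet against constructed request contexts. It shows why a launch that carries an extra user-defined tag key fails the ForAllValues:StringLike check on aws:TagKeys, why a cluster role that lacks the eks:eks-cluster-name principal tag fails the StringEquals check, and how an SCP that requires a custom tag can make the default condition impossible to satisfy. The tag values, the CostCenter key, the SCP condition and the shape of the "widened" fix (keeping every existing condition and only extending the tag-key allow-list) are assumptions for illustration, not the documented policy text from the linked page; the evaluator models only the aws:RequestTag and aws:TagKeys context keys and the three operators used in the snippet.

```python
import copy
import re
from typing import Dict, List, Optional

# Condition block copied from the AmazonEKSComputePolicy snippet quoted in the question.
COMPUTE_POLICY_CONDITION = {
    "StringEquals": {
        "aws:RequestTag/eks:eks-cluster-name": "${aws:PrincipalTag/eks:eks-cluster-name}"
    },
    "StringLike": {
        "aws:RequestTag/eks:kubernetes-node-class-name": "*",
        "aws:RequestTag/eks:kubernetes-node-pool-name": "*",
    },
    "ForAllValues:StringLike": {
        "aws:TagKeys": [
            "eks:eks-cluster-name",
            "eks:kubernetes-node-class-name",
            "eks:kubernetes-node-pool-name",
            "kubernetes.io/cluster/*",
        ]
    },
}

# Constructed stand-in for an SCP that only allows launches tagged with a billing key.
SCP_CONDITION = {"StringLike": {"aws:RequestTag/CostCenter": "*"}}

PRINCIPAL_TAG_PREFIX = "${aws:PrincipalTag/"
REQUEST_TAG_PREFIX = "aws:RequestTag/"


def resolve_variable(expected: str, principal_tags: Dict[str, str]) -> Optional[str]:
    """Expand a ${aws:PrincipalTag/<key>} policy variable; None when the principal lacks the tag.
    A reference to a missing context key never matches, so an untagged cluster role fails StringEquals."""
    if expected.startswith(PRINCIPAL_TAG_PREFIX) and expected.endswith("}"):
        return principal_tags.get(expected[len(PRINCIPAL_TAG_PREFIX):-1])
    return expected


def request_context(key: str, request_tags: Dict[str, str]) -> Optional[str]:
    """Look up a single-valued request context key (only aws:RequestTag/* is modelled here)."""
    if key.startswith(REQUEST_TAG_PREFIX):
        return request_tags.get(key[len(REQUEST_TAG_PREFIX):])
    return None


def matches_like(value: str, pattern: str) -> bool:
    """IAM StringLike semantics: case-sensitive, with '*' and '?' as the only wildcards."""
    regex = re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".")
    return re.fullmatch(regex, value) is not None


def evaluate_condition(condition: dict, request_tags: Dict[str, str],
                       principal_tags: Dict[str, str]) -> List[str]:
    """Return the list of failing checks; an empty list means the Condition block matches."""
    failures: List[str] = []
    for key, expected in condition.get("StringEquals", {}).items():
        actual, wanted = request_context(key, request_tags), resolve_variable(expected, principal_tags)
        if actual is None or wanted is None or actual != wanted:
            failures.append(f"StringEquals {key}: request={actual!r}, required={wanted!r}")
    for key, pattern in condition.get("StringLike", {}).items():
        actual = request_context(key, request_tags)
        if actual is None or not matches_like(actual, pattern):
            failures.append(f"StringLike {key}: request={actual!r}, pattern={pattern!r}")
    for key, patterns in condition.get("ForAllValues:StringLike", {}).items():
        # aws:TagKeys is multi-valued: every tag key on the request must match some pattern.
        values = list(request_tags) if key == "aws:TagKeys" else []
        for value in values:
            if not any(matches_like(value, p) for p in patterns):
                failures.append(f"ForAllValues:StringLike {key}: tag key {value!r} matches none of {patterns}")
    return failures


def allow_extra_tag_keys(condition: dict, extra_keys: List[str]) -> dict:
    """Assumed narrow fix: keep every existing condition, only widen the aws:TagKeys allow-list."""
    widened = copy.deepcopy(condition)
    widened["ForAllValues:StringLike"]["aws:TagKeys"].extend(extra_keys)
    return widened


# Constructed sample contexts (not captured from a real account).
PRINCIPAL_TAGS = {"eks:eks-cluster-name": "prod-cluster"}
EKS_TAGS = {
    "eks:eks-cluster-name": "prod-cluster",
    "eks:kubernetes-node-class-name": "default",
    "eks:kubernetes-node-pool-name": "general-purpose",
    "kubernetes.io/cluster/prod-cluster": "owned",
}
CUSTOM_TAGS = {**EKS_TAGS, "CostCenter": "1234"}
WIDENED = allow_extra_tag_keys(COMPUTE_POLICY_CONDITION, ["CostCenter"])


def run_scenarios() -> Dict[str, List[str]]:
    """Each entry lists the failing checks; the launch is allowed only when every layer passes."""
    return {
        "eks_tags_only": evaluate_condition(COMPUTE_POLICY_CONDITION, EKS_TAGS, PRINCIPAL_TAGS),
        "with_custom_tag": evaluate_condition(COMPUTE_POLICY_CONDITION, CUSTOM_TAGS, PRINCIPAL_TAGS),
        "untagged_role": evaluate_condition(COMPUTE_POLICY_CONDITION, EKS_TAGS, {}),
        # SCP demands CostCenter while the default condition forbids it: no tag set satisfies both.
        "scp_and_default": evaluate_condition(COMPUTE_POLICY_CONDITION, CUSTOM_TAGS, PRINCIPAL_TAGS)
        + evaluate_condition(SCP_CONDITION, CUSTOM_TAGS, PRINCIPAL_TAGS),
        "scp_and_widened": evaluate_condition(WIDENED, CUSTOM_TAGS, PRINCIPAL_TAGS)
        + evaluate_condition(SCP_CONDITION, CUSTOM_TAGS, PRINCIPAL_TAGS),
    }


if __name__ == "__main__":
    for name, failures in run_scenarios().items():
        print(f"{name}: {'ALLOW' if not failures else 'DENY'}")
        for failure in failures:
            print("   ", failure)
```

The "scp_and_default" scenario is the deadlock the question describes: the unconditional custom policy resolves it by dropping the tag-key restriction entirely, whereas the widened condition resolves it while still pinning the cluster name to the principal tag and still refusing any tag key outside the allow-list.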
0

Thank you for sharing your experience with EKS Auto Mode. The issue you're encountering is not a known widespread problem with EKS Auto Mode, but it does highlight some important considerations when working with IAM policies and Service Control Policies (SCPs).

The AmazonEKSComputePolicy is designed to provide the necessary permissions for EKS to manage EC2 instances, including creating fleets, running instances, and creating launch templates. However, these permissions are subject to specific conditions, as you've noted in the policy snippet you provided.

The key difference between the AmazonEKSComputePolicy and the custom policy you added is the conditions applied to the EC2 actions. The managed policy restricts these actions based on specific tags and conditions, while your custom policy allows these actions without any conditions.

The reason your custom policy worked is that it bypassed the conditional checks that were potentially causing issues with your SCP. However, this approach is less secure as it grants broader permissions than necessary.

Instead of adding a broad custom policy, a better approach would be to:

  1. Review your SCP to ensure it's not inadvertently blocking the necessary actions. SCPs can override permissions granted by IAM policies, so it's crucial to ensure they're not too restrictive.

  2. Ensure that your EKS cluster and nodes are properly tagged with the expected tags (eks:eks-cluster-name, eks:kubernetes-node-class-name, eks:kubernetes-node-pool-name). These tags are used in the condition checks of the AmazonEKSComputePolicy.

  3. If you're using custom tags as mentioned, make sure these are properly integrated with EKS Auto Mode and don't conflict with the required EKS tags.

  4. Double-check that the IAM role you're using for the EKS cluster has the correct trust relationship policy, allowing the EKS service to assume the role.

If after verifying these points you're still experiencing issues, it would be advisable to contact AWS support for a more in-depth investigation of your specific setup. They can provide tailored guidance based on your account's configuration and any potential interactions between your SCP and the EKS policies.

Remember, while adding broader permissions might solve immediate issues, it's generally better to adhere to the principle of least privilege and use more specific, conditional permissions when possible.
Sources
AmazonEKSComputePolicy - AWS Managed Policy
Amazon EKS Auto Mode cluster IAM role - Amazon EKS

Answered 5 months ago
