Couldn't create EKS cluster due to the following error: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole

0

Hi, we have been facing the error below while creating the EKS cluster for the past week:

Error: error creating EKS Cluster (devcluster): ClientException: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole { RespMetadata: { StatusCode: 400, RequestID: "5b43938b-59cd-4ee0-b84f-23faf6a7eda7" }, Message_: "You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole" }

with module.clustering.aws_eks_cluster.global-cluster, on ..\module\eks\eks.tf line 1, in resource "aws_eks_cluster" "global-cluster": 1: resource "aws_eks_cluster" "global-cluster" {

Thanks, Sudarshan

1 answer
1

Hi,

The user (or service like CloudFormation) with which you're trying to pass this role to EKS is not allowed to do so. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

To configure many AWS services, you must pass an IAM role to the service. 
This allows the service to assume the role later and perform actions on your 
behalf. For most services, you only have to pass the role to the service once 
during setup, and not every time that the service assumes the role. For example, 
assume that you have an application running on an Amazon EC2 instance. That 
application requires temporary credentials for authentication, and permissions to 
authorize the application to perform actions in AWS. When you set up the application, 
you must pass a role to Amazon EC2 to use with the instance that provides those credentials. 
You define the permissions for the applications running on the instance by attaching an 
IAM policy to the role. The application assumes the role every time it needs to perform 
the actions that are allowed by the role.

So, you should give "iam:GetRole" and "iam:PassRole" to the principal (user, role, service, etc.) trying to launch your EKS cluster. Full details are on the page mentioned above.

Best,

Duder

AWS
Expert
answered 8 months ago
  • Hi, thanks for your answer. I have tried adding "iam:GetRole" and "iam:PassRole" to the EKS cluster policy, but now I am getting a different error: "error updating IAM Role (eksclusterrole) assume role policy: MalformedPolicyDocument: Has prohibited field Resource │ status code: 400, request id: 23c7a51a-05e5-41d8-bc3e-cd2238752828". Do you need to do any modification on the roles?

    This is my tf code:

    resource "aws_iam_role" "globalrole" {
      name = "eksclusterrole"

      assume_role_policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "eks.amazonaws.com" },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::401231317770:role/eksclusterrole"
        }
      ]
    }
    POLICY
    }

    resource "aws_iam_role_policy_attachment" "globalatachment1" {
      policy_arn = "arn:aws:iam::401231317770:policy/eks-new-2023-cluster"
      role       = aws_iam_role.globalrole.name
    }

    resource "aws_iam_role_policy_attachment" "globalatachment" {
      policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy"
      role       = aws_iam_role.globalrole.name
    }
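The split the answer describes, as an added example that is not code from the thread: the role's trust policy carries only `sts:AssumeRole` for `eks.amazonaws.com` (a trust policy has no `Resource` field, which is what the `MalformedPolicyDocument` error is about), while `iam:GetRole` and `iam:PassRole` go in a separate identity policy attached to whoever runs `terraform apply`. The deploying IAM user name `terraform-deployer` is an assumption.

```hcl
# Trust policy: who may ASSUME the cluster role. Only the EKS service belongs here.
data "aws_iam_policy_document" "eks_trust" {
  statement {
    effect  = "Allow"
    actions = ["sts:AssumeRole"]
    principals {
      type        = "Service"
      identifiers = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_role" "globalrole" {
  name               = "eksclusterrole"
  assume_role_policy = data.aws_iam_policy_document.eks_trust.json
}

# Identity policy: who may PASS the cluster role to EKS. This is attached to the
# deploying principal, not to the cluster role itself.
data "aws_iam_policy_document" "pass_cluster_role" {
  statement {
    effect    = "Allow"
    actions   = ["iam:GetRole"]
    resources = [aws_iam_role.globalrole.arn]
  }
  statement {
    effect    = "Allow"
    actions   = ["iam:PassRole"]
    resources = [aws_iam_role.globalrole.arn]
    # Least privilege: the role can only be handed to EKS, not to EC2, Lambda, etc.
    condition {
      test     = "StringEquals"
      variable = "iam:PassedToService"
      values   = ["eks.amazonaws.com"]
    }
  }
}

resource "aws_iam_policy" "pass_cluster_role" {
  name   = "pass-eksclusterrole"
  policy = data.aws_iam_policy_document.pass_cluster_role.json
}

resource "aws_iam_user_policy_attachment" "deployer_pass_role" {
  user       = "terraform-deployer" # assumed name of the principal running terraform apply
  policy_arn = aws_iam_policy.pass_cluster_role.arn
}
```

If Terraform runs under an IAM role (for example in CI) rather than a user, attach the same policy with `aws_iam_role_policy_attachment` to that role instead.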
