By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

UnauthorizedOperation Error with Cluster Autoscaler in EC2 using VPC Endpoint

0

Hello AWS Support, I am encountering an authorization issue while trying to use the Cluster Autoscaler in my EC2 environment using a VPC endpoint (I’ve taken out the account id for security purposes and just labeled it <account-id>). The specific error message I received is as follows:

F0505 04:27:23.493504 1 aws_cloud_provider.go:455] Failed to create AWS Manager: unable to retrieve instance requirements from mixed instance policy, err: UnauthorizedOperation: You are not authorized to perform this operation. User: arn:aws:sts::<account-id>:assumed-role/cluster-autoscaler/1714883243188836556 is not authorized to perform: ec2:DescribeLaunchTemplateVersions because no VPC endpoint policy allows the ec2:DescribeLaunchTemplateVersions action.

Here are the details of the environment and configuration:

  • Role ARN: arn:aws:sts::<account-id>:assumed-role/cluster-autoscaler/1714883243188836556
  • Current VPC Endpoint Policy:json


{ "Statement": [ { "Action": "*", "Effect": "Allow", "Principal": "*", "Resource": "arn:aws:*:*:<account-id>:*" } ], "Version": "2012-10-17" } 


This policy is intended to allow all actions on all resources within the <account-id> account.

Could you please help me understand why this error is occurring even though the policies should allow the action? Also, could you advise on what changes need to be made either to the IAM role or the VPC endpoint policy to resolve this issue?

Thank you for your assistance.

Topics
Networking & Content DeliverySecurity, Identity, & ComplianceComputeManagement & Governance
Tags
Amazon VPCAWS Identity and Access ManagementAmazon EC2AWS Account ManagementIAM Policies
Language
English
Sam
asked 10 months ago427 views
1 Answer
1

Unfortunately, re:Post is not manned by AWS support. It is a community forum where all answers are provided by registered members of the community like yourself. That said, some of the members are AWS employees and we try to help as best as possible.

With that said, I think you are using AutoScaler with EKS. Please see this link for the needed IAM policy: https://github.com/kubernetes/autoscaler/blob/master/cluster-autoscaler/cloudprovider/aws/README.md

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:DescribeAutoScalingGroups",
        "autoscaling:DescribeAutoScalingInstances",
        "autoscaling:DescribeLaunchConfigurations",
        "autoscaling:DescribeScalingActivities",
        "autoscaling:DescribeTags",
        "ec2:DescribeImages",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeLaunchTemplateVersions",
        "ec2:GetInstanceTypesFromInstanceRequirements",
        "eks:DescribeNodegroup"
      ],
      "Resource": ["*"]
    },
    {
      "Effect": "Allow",
      "Action": [
        "autoscaling:SetDesiredCapacity",
        "autoscaling:TerminateInstanceInAutoScalingGroup"
      ],
      "Resource": ["*"]
    }
  ]
}

Hope this helps!

profile pictureAWS
EXPERT
iBehr
answered 10 months ago
profile picture
EXPERT
Osvaldo Marte
reviewed 10 months ago

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content