Creating EKS cluster with OpenIDC error


I am creating an EKS cluster from scratch but every time I do I get the following error:

2023-03-28 15:08:05 [✖] creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: bacf7543-bfe0-4b1c-982e-a81e61cef1c7, api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based policy allows the iam:TagOpenIDConnectProvider action

After much effort and looking I found the following policy which I have in place.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "VisualEditor0",
            "Effect": "Allow",
            "Action": "ec2:DeleteInternetGateway",
            "Resource": "arn:aws:ec2:*:*:internet-gateway/*"
        },
        {
            "Sid": "VisualEditor1",
            "Effect": "Allow",
            "Action": [
                "elasticloadbalancing:ModifyListener",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:DescribeInstances",
                "ec2:AttachInternetGateway",
                "ec2:DeleteRouteTable",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:CreateRoute",
                "ec2:CreateInternetGateway",
                "ec2:DescribeVolumes",
                "ec2:DeleteInternetGateway",
                "ec2:DescribeKeyPairs",
                "iam:GetRole",
                "elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer",
                "ec2:ImportKeyPair",
                "ec2:CreateTags",
                "elasticloadbalancing:CreateTargetGroup",
                "ecr:GetAuthorizationToken",
                "ec2:RunInstances",
                "ec2:DisassociateRouteTable",
                "ec2:CreateVolume",
                "ec2:RevokeSecurityGroupIngress",
                "elasticloadbalancing:AddTags",
                "ec2:DescribeImageAttribute",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "ec2:DeleteNatGateway",
                "autoscaling:DeleteAutoScalingGroup",
                "ec2:CreateSubnet",
                "ec2:DescribeSubnets",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "ecr:InitiateLayerUpload",
                "ec2:AttachVolume",
                "ec2:CreateNatGateway",
                "ec2:CreateVpc",
                "ecr:ListImages",
                "ec2:DescribeVpcAttribute",
                "ec2:ModifySubnetAttribute",
                "autoscaling:DescribeScalingActivities",
                "ec2:DescribeAvailabilityZones",
                "ssm:GetParametersByPath",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "ec2:ReleaseAddress",
                "ec2:DeleteLaunchTemplate",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:DeleteTargetGroup",
                "ec2:DescribeSecurityGroups",
                "autoscaling:CreateLaunchConfiguration",
                "ec2:CreateLaunchTemplate",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "ec2:DescribeVpcs",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DetachLoadBalancerFromSubnets",
                "ec2:DeleteSubnet",
                "elasticloadbalancing:RegisterTargets",
                "ec2:DescribeVolumesModifications",
                "ssm:GetParameter",
                "ec2:AssociateRouteTable",
                "elasticloadbalancing:DeleteLoadBalancer",
                "ec2:DescribeInternetGateways",
                "elasticloadbalancing:DescribeLoadBalancers",
                "ec2:DeleteVolume",
                "ssm:DeleteParameter",
                "ssm:DescribeParameters",
                "autoscaling:DescribeAutoScalingGroups",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "autoscaling:UpdateAutoScalingGroup",
                "ec2:DescribeAccountAttributes",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "ec2:DescribeRouteTables",
                "ecr:BatchCheckLayerAvailability",
                "ec2:DetachVolume",
                "ec2:ModifyVolume",
                "ec2:DescribeLaunchTemplates",
                "ecr:GetDownloadUrlForLayer",
                "ec2:CreateRouteTable",
                "cloudformation:*",
                "elasticloadbalancing:DeregisterTargets",
                "ec2:DetachInternetGateway",
                "ssm:GetParameters",
                "ssm:DeleteParameters",
                "ecr:PutImage",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "ssm:PutParameter",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "ecr:BatchGetImage",
                "ecr:DescribeImages",
                "ec2:DeleteVpc",
                "eks:*",
                "autoscaling:CreateAutoScalingGroup",
                "ec2:DescribeAddresses",
                "ec2:DeleteTags",
                "elasticloadbalancing:ConfigureHealthCheck",
                "autoscaling:DescribeLaunchConfigurations",
                "ec2:DescribeDhcpOptions",
                "ecr:UploadLayerPart",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DescribeListeners",
                "ec2:DescribeNetworkInterfaces",
                "ec2:CreateSecurityGroup",
                "ecr:CompleteLayerUpload",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "kms:DescribeKey",
                "ecr:DescribeRepositories",
                "ec2:ModifyVpcAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:AuthorizeSecurityGroupEgress",
                "elasticloadbalancing:AttachLoadBalancerToSubnets",
                "ec2:DescribeTags",
                "ssm:GetParameterHistory",
                "ec2:DeleteRoute",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:DescribeNatGateways",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "ec2:AllocateAddress",
                "ec2:DescribeImages",
                "autoscaling:DeleteLaunchConfiguration",
                "ec2:DeleteSecurityGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyTargetGroup"
            ],
            "Resource": "*"
        },
        {
            "Sid": "VisualEditor2",
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringEquals": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        },
        {
            "Sid": "VisualEditor3",
            "Effect": "Allow",
            "Action": [
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetRole",
                "iam:GetInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateRole",
                "iam:DeleteRole",
                "iam:AttachRolePolicy",
                "iam:PutRolePolicy",
                "iam:ListInstanceProfiles",
                "iam:AddRoleToInstanceProfile",
                "iam:CreateOpenIDConnectProvider",
                "iam:ListInstanceProfilesForRole",
                "iam:PassRole",
                "iam:CreateServiceLinkedRole",
                "iam:DetachRolePolicy",
                "iam:ListAttachedRolePolicies",
                "iam:DeleteRolePolicy",
                "iam:DeleteServiceLinkedRole",
                "iam:GetRolePolicy"
            ],
            "Resource": [
                "arn:aws:iam::*:instance-profile/eksctl-*",
                "arn:aws:iam::*:role/eksctl-*",
                "arn:aws:iam::*:role/aws-service-role/eks.amazonaws.com/*",
                "arn:aws:iam::*:role/aws-service-role/eks-nodegroup.amazonaws.com/*",
                "arn:aws:iam::*:oidc-provider/*"
            ]
        },
        {
            "Sid": "VisualEditor4",
            "Effect": "Allow",
            "Action": "iam:GetOpenIDConnectProvider",
            "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
        }
    ]
}

So what am I missing?

1 Answer

Accepted Answer

Hello Systemgeek,

Based on the error message posted, it looks like the operation is failing because your IAM role DEV-EC2-JenkinsMaster-Instance does not have permissions to perform the iam:TagOpenIDConnectProvider operation.

In the policy statement provided, the iam:TagOpenIDConnectProvider operation is not allowed. To fix this, add the operation to your IAM policy and re-run the operation.

For more info on the minimum IAM policies required to create an EKS cluster using the eksctl CLI, please visit https://eksctl.io/usage/minimum-iam-policies/

I hope this helps!

AWS Support Engineer
answered a year ago
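A pre-flight check that reproduces the reasoning in the answer, as an added example that is not code from this thread, from AWS or from eksctl. It parses the "is not authorized to perform: X on resource: Y" clause of the AccessDenied message, evaluates a policy document against that action/resource pair using IAM-style wildcard matching, and shows the verdict flipping to allow once the action is added to the VisualEditor3 statement. It implements only a small subset of IAM evaluation on purpose: identity-based policies, Allow/Deny with `*` and `?` wildcards, and no Condition/NotAction/NotResource handling (such statements are skipped, so it under-approximates what IAM allows and can miss a conditional Deny). POLICY_EXCERPT is a constructed excerpt of the policy in the question, trimmed to the two statements that touch the OIDC provider; it also makes visible that VisualEditor4, scoped to an eu-west-1 provider ARN, does not cover the us-east-1 provider named in the error.

```python
"""Check an IAM identity policy against the action/resource in an AccessDenied message."""
import copy
import json
import re

# Constructed excerpt of the policy posted in the question (account id masked as '*').
POLICY_EXCERPT = json.loads('''
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Sid": "VisualEditor3",
      "Effect": "Allow",
      "Action": ["iam:CreateRole", "iam:CreateOpenIDConnectProvider", "iam:GetRolePolicy"],
      "Resource": ["arn:aws:iam::*:role/eksctl-*", "arn:aws:iam::*:oidc-provider/*"]
    },
    {
      "Sid": "VisualEditor4",
      "Effect": "Allow",
      "Action": "iam:GetOpenIDConnectProvider",
      "Resource": "arn:aws:iam::*:oidc-provider/oidc.eks.eu-west-1.amazonaws.com/*"
    }
  ]
}
''')

# The AccessDenied text quoted in the question.
ACCESS_DENIED = (
    "api error AccessDenied: User: arn:aws:sts::*:assumed-role/DEV-EC2-JenkinsMaster-Instance/"
    "i-09f8b9ad4eb5hhh09 is not authorized to perform: iam:TagOpenIDConnectProvider on resource: "
    "arn:aws:iam::*:oidc-provider/oidc.eks.us-east-1.amazonaws.com because no identity-based "
    "policy allows the iam:TagOpenIDConnectProvider action"
)

_DENIED_RE = re.compile(r"not authorized to perform: (\S+) on resource: (\S+)")


def parse_access_denied(message):
    """Extract (action, resource) from an IAM AccessDenied message."""
    m = _DENIED_RE.search(message)
    if not m:
        raise ValueError("no 'not authorized to perform' clause found")
    return m.group(1), m.group(2)


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _wildcard_match(pattern, value, case_insensitive):
    """IAM wildcard semantics: '*' matches any run of characters, '?' exactly one."""
    regex = "^" + re.escape(pattern).replace(r"\*", ".*").replace(r"\?", ".") + "$"
    flags = re.IGNORECASE if case_insensitive else 0
    return re.fullmatch(regex, value, flags) is not None


def evaluate(policy, action, resource):
    """Return (decision, sid) with decision in {'allow', 'deny', 'implicit-deny'}.

    An explicit Deny wins over any Allow; statements with Condition, NotAction
    or NotResource are out of scope for this checker and are skipped.
    """
    decision, matched_sid = "implicit-deny", None
    for stmt in policy["Statement"]:
        if any(key in stmt for key in ("Condition", "NotAction", "NotResource")):
            continue
        # Action names match case-insensitively; resource ARNs match case-sensitively.
        if not any(_wildcard_match(p, action, True) for p in _as_list(stmt.get("Action", []))):
            continue
        if not any(_wildcard_match(p, resource, False) for p in _as_list(stmt.get("Resource", []))):
            continue
        if stmt.get("Effect") == "Deny":
            return "deny", stmt.get("Sid")
        decision, matched_sid = "allow", stmt.get("Sid")
    return decision, matched_sid


def with_action(policy, sid, action):
    """Return a deep copy of policy with `action` appended to the statement named `sid`."""
    patched = copy.deepcopy(policy)
    for stmt in patched["Statement"]:
        if stmt.get("Sid") == sid:
            actions = _as_list(stmt.get("Action", []))
            if action not in actions:
                actions.append(action)
            stmt["Action"] = actions
            return patched
    raise KeyError(f"no statement with Sid {sid!r}")


def explain(policy, message):
    """One-line verdict for the action/resource named in an AccessDenied message."""
    action, resource = parse_access_denied(message)
    decision, sid = evaluate(policy, action, resource)
    return f"{action} on {resource}: {decision}" + (f" (Sid {sid})" if sid else "")


if __name__ == "__main__":
    print(explain(POLICY_EXCERPT, ACCESS_DENIED))
    missing_action, _ = parse_access_denied(ACCESS_DENIED)
    print(explain(with_action(POLICY_EXCERPT, "VisualEditor3", missing_action), ACCESS_DENIED))
```

Because the checker treats a resource ARN as an opaque string, the account id the poster masked as `*` still matches the `arn:aws:iam::*:oidc-provider/*` pattern, which is why VisualEditor3 is the natural place to add the tag action: its resource list already covers every OIDC provider in the account.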
  • Ok. I changed the policy I had for what was on the eksctl.io page and that got me most of the way through. Now I am getting this error: 2023-03-28 18:28:40 [✖] failed to create service account kube-system/aws-node: checking whether namespace "kube-system" exists: Get "https://BA309393953C1FA2F73xxxxxxxxxxxxxx.gr7.us-east-1.eks.amazonaws.com/api/v1/namespaces/kube-system": dial tcp 172.16.146.74:443: i/o timeout.

  • Have you created an EKS cluster with private endpoint access? Based on the error, it looks like your eksctl CLI is unable to reach your Kubernetes API Server (https://BA309393953C1FA2F73xxxxxxxxxxxxxx.gr7.us-east-1.eks.amazonaws.com) which is showing a private IP address (172.16.146.74). Either change your API server access to "Public" or run the eksctl CLI commands on a server that is hosted inside your VPC.

  • As the original issue with IAM permissions has been resolved, please accept my answer and post your additional questions as a separate post for better visibility.

    Thank you!
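The reachability reasoning from the comment exchange above, written out as an added example (not code from the thread or from AWS). It takes the `resourcesVpcConfig` block that `aws eks describe-cluster` returns (`endpointPublicAccess`, `endpointPrivateAccess` and `publicAccessCidrs` are the real field names), the address the cluster hostname resolved to, the caller's source address, and whether the caller sits inside the cluster VPC, and returns a verdict with the reason. The sample config and addresses are constructed to mirror the thread: a private-only endpoint resolving to 172.16.146.74, queried from a host outside the VPC.

```python
"""Diagnose why eksctl/kubectl cannot reach an EKS API server endpoint."""
import ipaddress

# Constructed sample of cluster["resourcesVpcConfig"]: public access off, private access on.
SAMPLE_VPC_CONFIG = {
    "vpcId": "vpc-0placeholder",  # placeholder id
    "endpointPublicAccess": False,
    "endpointPrivateAccess": True,
    "publicAccessCidrs": ["0.0.0.0/0"],
}


def ip_in_cidrs(ip, cidrs):
    """True if ip falls inside any of the CIDR blocks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr, strict=False) for cidr in cidrs)


def diagnose_endpoint(vpc_config, resolved_ip, caller_ip, caller_in_vpc):
    """Return (reachable, reason) for a client at caller_ip talking to the API endpoint.

    resolved_ip is what the cluster hostname resolved to for this client.
    caller_in_vpc says whether the client runs inside the cluster VPC (or a
    network routed to it), which is what private endpoint access requires.
    """
    public = vpc_config.get("endpointPublicAccess", True)
    private = vpc_config.get("endpointPrivateAccess", False)
    allowed_cidrs = vpc_config.get("publicAccessCidrs", [])
    resolved = ipaddress.ip_address(resolved_ip)

    if caller_in_vpc:
        if private:
            return True, "private endpoint access is on and the client is inside the VPC"
        if public and ip_in_cidrs(caller_ip, allowed_cidrs):
            return True, "private access is off; traffic leaves the VPC to the public endpoint, which allows this source"
        return False, "private access is off and the public endpoint does not allow this source address"

    # Client outside the VPC: only the public endpoint can serve it.
    if not public:
        kind = "a private" if resolved.is_private else "an"
        return False, (f"endpoint is private-only and resolves to {kind} address {resolved}; "
                       "enable public access or run the tooling from inside the VPC")
    if not ip_in_cidrs(caller_ip, allowed_cidrs):
        return False, f"public endpoint access is on, but {caller_ip} is not in publicAccessCidrs"
    return True, "public endpoint access is on and the source address is allowed"


if __name__ == "__main__":
    print(diagnose_endpoint(SAMPLE_VPC_CONFIG, "172.16.146.74", "203.0.113.10", False))
```

The `i/o timeout` in the comment is exactly the private-only branch: a VPC-internal address is handed out to a client that has no route to it, so the TCP handshake never completes rather than being refused.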
