By using AWS re:Post, you agree to the AWS re:Post Terms of Use
AWS re:Postre:Post

Couldn't able to create EKS cluster due to the following error: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole

0

Hi, We are facing the below error while creating the eks cluster for the past 1 week:

Error: error creating EKS Cluster (devcluster): ClientException: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole { RespMetadata: { StatusCode: 400, RequestID: "5b43938b-59cd-4ee0-b84f-23faf6a7eda7" }, Message_: "You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole" }

with module.clustering.aws_eks_cluster.global-cluster, on ..\module\eks\eks.tf line 1, in resource "aws_eks_cluster" "global-cluster": 1: resource "aws_eks_cluster" "global-cluster" {

Thanks Sudarshan

Topics
Networking & Content DeliveryContainersSecurity, Identity, & Compliance
Tags
Amazon VPCAmazon Elastic Kubernetes ServiceIAM Policies
Language
English
sudarshan
asked 8 months ago769 views
1 Answer
1

Hi,

The user (or service like CloudFormation)( with which you're trying to pass this role to EKS is not allowed to do so. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

To configure many AWS services, you must pass an IAM role to the service. 
This allows the service to assume the role later and perform actions on your 
behalf. For most services, you only have to pass the role to the service once 
during setup, and not every time that the service assumes the role. For example, 
assume that you have an application running on an Amazon EC2 instance. That 
application requires temporary credentials for authentication, and permissions to 
authorize the application to perform actions in AWS. When you set up the application, 
you must pass a role to Amazon EC2 to use with the instance that provides those credentials. 
You define the permissions for the applications running on the instance by attaching an 
IAM policy to the role. The application assumes the role every time it needs to perform 
the actions that are allowed by the role.

So, you should give "iam:GetRole" and "iam:PassRole" to the principal (user, role, service, etc.) trying to launch your EKS cluster. Full details on page mentioned above.

Best,

Duder

profile pictureAWS
EXPERT
Didier_Durand
answered 8 months ago
  • sudarshan
    8 months ago

    Hi Thanks for your answer, I have tried adding the pass roles "iam:GetRole" and "iam:PassRole" in the eks cluster policy but now i am getting a different error " error updating IAM Role (eksclusterrole) assume role policy: MalformedPolicyDocument: Has prohibited field Resource │ status code: 400, request id: 23c7a51a-05e5-41d8-bc3e-cd2238752828 " , Do you need to do any modification on roles ?

    This is my tf codes :

    resource "aws_iam_role" "globalrole" { name = "eksclusterrole"

    assume_role_policy = <<POLICY { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Principal": { "Service": "eks.amazonaws.com" }, "Action": "sts:AssumeRole"

    },
{
   "Effect": "Allow",
    "Action": "iam:PassRole",
    "Resource": "arn:aws:iam::401231317770:role/eksclusterrole"

    } ] } POLICY }

    resource "aws_iam_role_policy_attachment" "globalatachment1" { policy_arn = "arn:aws:iam::401231317770:policy/eks-new-2023-cluster" role = aws_iam_role.globalrole.name }

    resource "aws_iam_role_policy_attachment" "globalatachment" { policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy" role = aws_iam_role.globalrole.name }

You are not logged in. Log in to post an answer.

A good answer clearly answers the question and provides constructive feedback and encourages professional growth in the question asker.

Guidelines for Answering Questions

Relevant content