Unrecognized action eks:AccessKubernetesApi

0

Hello!
When trying to access our EKS cluster I get "Unauthorized: Verify you have access to the Kubernetes cluster" assuming a role having all rights (Allow-*-*). Our developers using a "DeveloperRole" get an error message saying eks:AccessKubernetesApi is needed. However, when trying to add this, it lists as an unrecognized action. This behavior relates to both our Sandbox and Staging member-accounts. However, in our Production account everything is fine.
Is this related to our upgrade last week from cluster version 1.16 to 1.18? However, our Production account is also on 1.18 and works fine...
Anyone have any ideas of what is going on?
Best regards
Vidar Evenrud Seeberg

asked 3 years ago, 664 views
12 Answers
0

Same error here with 3 clusters (2*1.15 + 1*1.18).
I'm not sure this is related to your migration.

We can access the clusters through kubectl without any errors.

alxsbn
answered 3 years ago
0

Are you running your clusters in different regions? Which ones?

We are getting the same with three 1.17 clusters in us-west-2 installed with eksctl and with non-managed nodegroups. It seems to me that this may be caused due to new features being rolled out per Re:Invent.

answered 3 years ago
0

Hello!

I am actually globus68... Somehow the login messed up my user...

We are having our clusters in eu-west-1 for all environments, so it is strange it works in Production, but not in Sandbox and Staging. Yes, it may very well be some re:invent news...

Best regards
globus68

answered 3 years ago
0

Same issue here. So far no solution. But it also applies to clusters that were not updated.

Help? :-(

gnwdtx
answered 3 years ago
0

eu-west-1 also!

alxsbn
answered 3 years ago
0

This helps!

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Action": [
        "eks:AccessKubernetesApi"
      ],
      "Effect": "Allow",
      "Resource": "*"
    }
  ]
}

answered 3 years ago
0

I've tried, it does not solve the issue.

BTW: If the user is using

{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": "*",
      "Resource": "*"
    }
  ]
}

...I would assume it should work anyway.

gnwdtx
answered 3 years ago
0

@dbattula: I already tried that, but got the "Unrecognized action" message.
@gnwdtx: I also tried that, but it still does not work.

answered 3 years ago
0

Thank you SriSaranBalajiVR@AWS!

Adding eks:AccessKubernetesApi to a policy for the developer role fixed it. However, using the Administrator role (having Allow-*-*) we still are denied access.

Best regards
globus68

answered 3 years ago
0

Hello globus68,

I sent a private message as well requesting some information. If possible, can you paste the exact error message you're seeing? Then we can verify whether it's due to an AWS Service AuthN/AuthZ issue or a Kubernetes AuthN/AuthZ issue.

Thank you.

AWS
answered 3 years ago
0

Hello,

Sorry for the inconvenience this has caused. We are updating our docs with more detailed info (https://github.com/awsdocs/amazon-eks-user-guide/blob/master/doc_source/troubleshooting_iam.md#cant-see-workloads-or-nodes-and-see-error-loading-namespaces-in-the-aws-management-console)

TL;DR: A couple of days back, we launched the new AWS console for EKS (https://aws.amazon.com/blogs/containers/introducing-the-new-amazon-eks-console/). As part of this launch, users can view their Kubernetes objects in the AWS console; for example, the console now shows pods, deployments and other resources available in their EKS cluster.

The new EKS console requires the following two permissions to be available to view Kubernetes objects:

  1. New IAM permission - eks:AccessKubernetesApi
    Currently this permission can be updated by modifying the JSON policy in the console as explained here: https://docs.aws.amazon.com/eks/latest/userguide/security_iam_id-based-policy-examples.html#security_iam_id-based-policy-examples-console. While we are actively pushing this new permission to be available in the IAM console, you can use the API to update the IAM permission; until then you will notice "Unrecognized action" in the console.

  2. Access to Kubernetes Cluster
    The user using the console should have their IAM entity in the Kubernetes aws-auth configmap. If the mapping is in the configmap, make sure that the user or group is bound to a Kubernetes role or clusterrole that has the necessary permissions to view the Kubernetes resources. If the IAM user or role isn't in the configmap or the Kubernetes role or clusterrole doesn't have permissions to view the Kubernetes resources, the console error may include "Unauthorized: Verify you have access to the Kubernetes cluster". For more information about adding IAM users or roles to the aws-auth configmap, please see https://docs.aws.amazon.com/eks/latest/userguide/add-user-role.html.

Existing content is moved under the configuration tab and should be visible without any modification to the IAM entity. Also, this feature doesn't affect your cluster health or remove any of our existing permissions. Once again, sorry for the inconvenience. Please do try it out and give us your feedback.

Thank you.

AWS
answered 3 years ago
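The two requirements in the answer above fail independently, which is why an allow-all IAM role can still get "Unauthorized" from the console. The Python below is an added example, not AWS code and not from any poster in this thread: it names the layer that would reject a role. It assumes a simplified IAM evaluation (identity policies only), a placeholder account ID and group names, and a hypothetical `bound_subjects` input listing the users and groups that already have an RBAC binding.

```python
import fnmatch
import re

ACTION = "eks:AccessKubernetesApi"

def iam_allows(policy_docs, action=ACTION):
    """Simplified identity-policy check: explicit Deny wins, otherwise any Allow.
    Ignores Resource, Condition, SCPs and permission boundaries."""
    allowed = False
    for doc in policy_docs:
        stmts = doc.get("Statement", [])
        for st in stmts if isinstance(stmts, list) else [stmts]:
            acts = st.get("Action", [])
            acts = [acts] if isinstance(acts, str) else acts
            # IAM action names are case-insensitive and accept * and ? wildcards.
            if any(fnmatch.fnmatchcase(action.lower(), a.lower()) for a in acts):
                if st.get("Effect") == "Deny":
                    return False
                allowed = allowed or st.get("Effect") == "Allow"
    return allowed

def role_arn(caller_arn):
    """Turn an STS assumed-role ARN into the IAM role ARN that aws-auth lists."""
    m = re.fullmatch(r"arn:([\w-]+):sts::(\d{12}):assumed-role/([^/]+)/.+", caller_arn)
    return f"arn:{m[1]}:iam::{m[2]}:role/{m[3]}" if m else caller_arn

def diagnose(caller_arn, policy_docs, map_roles, bound_subjects):
    """Name the layer that rejects the console's request, or return "OK".
    bound_subjects: users/groups that some (Cluster)RoleBinding grants read access."""
    if not iam_allows(policy_docs):
        return "IAM: " + ACTION + " not allowed"
    entry = next((r for r in map_roles if r["rolearn"] == role_arn(caller_arn)), None)
    if entry is None:
        return "Kubernetes: role not mapped in aws-auth"
    subjects = set(entry.get("groups", [])) | {entry.get("username")}
    # system:masters bypasses RBAC entirely; anything else needs a binding.
    if "system:masters" not in subjects and not subjects & set(bound_subjects):
        return "Kubernetes: mapped, but no RBAC binding"
    return "OK"

# Constructed sample data (account ID and group names are placeholders).
ACCT = "111122223333"
ALLOW_ALL = {"Version": "2012-10-17",
             "Statement": [{"Effect": "Allow", "Action": "*", "Resource": "*"}]}
DEV_OLD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:ListClusters"], "Resource": "*"}]}
MAP_ROLES = [{"rolearn": f"arn:aws:iam::{ACCT}:role/DeveloperRole",
              "username": "developer", "groups": ["developers"]}]
ADMIN = f"arn:aws:sts::{ACCT}:assumed-role/AdministratorRole/console-session"
```

With this sample data, `diagnose(ADMIN, [ALLOW_ALL], MAP_ROLES, {"developers"})` reports the aws-auth layer, while the developer role with `DEV_OLD` reports the IAM layer.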
0

Problem solved thanks to srisaranbalajiataws!

I had to add the administrator role to the aws-auth configMap. The developer role was already in there.

globus68

answered 3 years ago
