Couldn't create EKS cluster due to the following error: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole

0

Hi, we have been facing the error below while creating the EKS cluster for the past 1 week:

Error: error creating EKS Cluster (devcluster): ClientException: You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole { RespMetadata: { StatusCode: 400, RequestID: "5b43938b-59cd-4ee0-b84f-23faf6a7eda7" }, Message_: "You are not allowed to pass the role arn:aws:iam::401231317770:role/eksclusterrole" }

  with module.clustering.aws_eks_cluster.global-cluster,
  on ..\module\eks\eks.tf line 1, in resource "aws_eks_cluster" "global-cluster":
   1: resource "aws_eks_cluster" "global-cluster" {

Thanks, Sudarshan

1 answer
1

Hi,

The user (or service, such as CloudFormation) with which you're trying to pass this role to EKS is not allowed to do so. See https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_use_passrole.html

To configure many AWS services, you must pass an IAM role to the service. 
This allows the service to assume the role later and perform actions on your 
behalf. For most services, you only have to pass the role to the service once 
during setup, and not every time that the service assumes the role. For example, 
assume that you have an application running on an Amazon EC2 instance. That 
application requires temporary credentials for authentication, and permissions to 
authorize the application to perform actions in AWS. When you set up the application, 
you must pass a role to Amazon EC2 to use with the instance that provides those credentials. 
You define the permissions for the applications running on the instance by attaching an 
IAM policy to the role. The application assumes the role every time it needs to perform 
the actions that are allowed by the role.

So, you should give "iam:GetRole" and "iam:PassRole" to the principal (user, role, service, etc.) trying to launch your EKS cluster. Full details are on the page mentioned above.

Best,

Duder

AWS
EXPERT
answered 8 months ago
  • Hi, thanks for your answer. I have tried adding the pass roles "iam:GetRole" and "iam:PassRole" in the EKS cluster policy, but now I am getting a different error: "error updating IAM Role (eksclusterrole) assume role policy: MalformedPolicyDocument: Has prohibited field Resource │ status code: 400, request id: 23c7a51a-05e5-41d8-bc3e-cd2238752828". Do you need to do any modification on roles?

    This is my tf code:

    resource "aws_iam_role" "globalrole" {
      name = "eksclusterrole"

      assume_role_policy = <<POLICY
    {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Effect": "Allow",
          "Principal": { "Service": "eks.amazonaws.com" },
          "Action": "sts:AssumeRole"
        },
        {
          "Effect": "Allow",
          "Action": "iam:PassRole",
          "Resource": "arn:aws:iam::401231317770:role/eksclusterrole"
        }
      ]
    }
    POLICY
    }

    resource "aws_iam_role_policy_attachment" "globalatachment1" {
      policy_arn = "arn:aws:iam::401231317770:policy/eks-new-2023-cluster"
      role       = aws_iam_role.globalrole.name
    }

    resource "aws_iam_role_policy_attachment" "globalatachment" {
      policy_arn = "arn:aws:iam::aws:policy/aws-service-role/AmazonEKSServiceRolePolicy"
      role       = aws_iam_role.globalrole.name
    }
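As an added illustration (this is not code from the question, the answer, or AWS), the script below separates the two documents that the answer and the follow-up comment are about: the role's trust policy (Terraform's `assume_role_policy`), which may only state who is allowed to assume the role and therefore rejects a `Resource` element, and the identity policy of the principal that runs `terraform apply`, which is where `iam:GetRole` and `iam:PassRole` belong. The function names, the `MIXED_POLICY` reconstruction of the comment's document, the use of the `iam:PassedToService` condition key to limit PassRole to EKS, and the local checks are my own choices; `trust_policy_problems` is a lightweight lint, not IAM's validator.

```python
"""Separate a role's trust policy from the deployer's iam:PassRole permission.

Added example for the EKS "You are not allowed to pass the role" /
"Has prohibited field Resource" thread; not the poster's code.
"""
import json

ACCOUNT_ID = "401231317770"  # account ID taken from the error in the question
ROLE_ARN = f"arn:aws:iam::{ACCOUNT_ID}:role/eksclusterrole"

# Actions that belong in a role's trust policy (assume_role_policy).
TRUST_ACTIONS = {
    "sts:AssumeRole", "sts:AssumeRoleWithSAML", "sts:AssumeRoleWithWebIdentity",
    "sts:TagSession", "sts:SetSourceIdentity",
}

# Reconstruction (assumption) of the document from the comment: a trust
# statement and an iam:PassRole statement with a Resource mixed into one
# assume_role_policy. IAM rejects this with
# "MalformedPolicyDocument: Has prohibited field Resource".
MIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Principal": {"Service": "eks.amazonaws.com"},
         "Action": "sts:AssumeRole"},
        {"Effect": "Allow", "Action": "iam:PassRole", "Resource": ROLE_ARN},
    ],
}


def _statements(doc):
    """Normalise Statement (object or list) to a list."""
    s = doc.get("Statement", [])
    return [s] if isinstance(s, dict) else list(s)


def _actions(stmt):
    """Normalise Action (string or list) to a list."""
    a = stmt.get("Action", [])
    return [a] if isinstance(a, str) else list(a)


def trust_policy_problems(doc):
    """Return reasons why `doc` is not a valid trust policy (empty list = fine)."""
    problems = []
    for i, s in enumerate(_statements(doc)):
        if "Resource" in s or "NotResource" in s:
            problems.append(f"statement {i}: Resource is prohibited in a trust policy")
        if "Principal" not in s and "NotPrincipal" not in s:
            problems.append(f"statement {i}: trust policy statements must name a Principal")
        for a in _actions(s):
            if a not in TRUST_ACTIONS:
                problems.append(
                    f"statement {i}: {a} belongs in an identity policy, not the trust policy")
    return problems


def split_mixed_policy(doc):
    """Move statements that are not trust statements out of an assume_role_policy.

    Returns (trust_policy, leftover_identity_policy).
    """
    trust, identity = [], []
    for s in _statements(doc):
        is_trust = (("Principal" in s or "NotPrincipal" in s)
                    and "Resource" not in s
                    and all(a in TRUST_ACTIONS for a in _actions(s)))
        (trust if is_trust else identity).append(s)
    version = doc.get("Version", "2012-10-17")
    return ({"Version": version, "Statement": trust},
            {"Version": version, "Statement": identity})


def deployer_policy(role_arn, service="eks.amazonaws.com"):
    """Identity policy for the principal running `terraform apply`.

    Grants GetRole plus PassRole on this one role only, and only when the
    role is being passed to the given service (iam:PassedToService).
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "PassEksClusterRole",
        "Effect": "Allow",
        "Action": ["iam:GetRole", "iam:PassRole"],
        "Resource": role_arn,
        "Condition": {"StringEquals": {"iam:PassedToService": service}},
    }]}


if __name__ == "__main__":
    print("problems in the mixed document:")
    for p in trust_policy_problems(MIXED_POLICY):
        print("  -", p)
    trust, _leftover = split_mixed_policy(MIXED_POLICY)
    print("\nclean trust policy (assume_role_policy):")
    print(json.dumps(trust, indent=2))
    print("\nidentity policy for the deploying principal:")
    print(json.dumps(deployer_policy(ROLE_ARN), indent=2))
```

The deployer policy is attached to the IAM user or role whose credentials Terraform uses, not to `eksclusterrole` itself; the trust policy stays as the role's `assume_role_policy` with only the `sts:AssumeRole` statement for `eks.amazonaws.com`.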
