[aws-eks] 1.45.0 introduces regression in EKS Cluster creation: Caller does not have permission to perform `iam:listAttachedRolePolicies`

Reproduction Steps

new eks.Cluster() in 1.45.0.

Works ok in 1.44.0

Error Log

EKSCluster/Resource/Resource/Default (EKSClusterE11008B6) Failed to create resource. Error: Caller does not have permission to perform `iam:listAttachedRolePolicies`
    at invokeUserFunction (/var/task/framework.js:85:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: InvalidParameterException: Caller does not have permission to perform `iam:listAttachedRolePolicies`
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-s
        new CustomResource (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
        \_ new ClusterResource (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/aws-eks/lib/cluster-resource.ts:114:22)
        \_ new Cluster (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/aws-eks/lib/cluster.ts:406:18)

Environment

  • CLI Version: 1.45.0
  • Framework Version: 1.45.0
  • Node.js Version: 14.2.0
  • OS: debian
  • Language (Version): TypeScript 3.7.3

Other

This is 🐛 Bug Report

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Reactions: 4
  • Comments: 9 (6 by maintainers)

Top GitHub Comments

1 reaction
pahud commented, Jun 22, 2020

Looking into this.

1 reaction
rameshmimit commented, Jun 17, 2020

I have already spent a couple of hours debugging this issue and realized it could be related to the CDK upgrade. Getting a similar error while creating an EKS Fargate cluster. Below is the error:

fault-profile/Resource/Default (fargateclusterfargateprofiledefaultprofile00E7FED0) Resource creation Initiated
44/49 | 3:20:33 am | CREATE_FAILED | Custom::AWSCDK-EKS-FargateProfile | fargate-cluster/fargate-profile-default-profile/Resource/Default (fargateclusterfargateprofiledefaultprofile00E7FED0) Failed to create resource. Error: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK
    at invokeUserFunction (/var/task/framework.js:85:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)

Same code used to work on 1.44
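
Added example (not part of the original issue or of the CDK code base): a triage helper that parses the two denial message shapes seen in the logs above and turns a fully specified denial into a candidate least-privilege IAM statement, while refusing to guess a resource when the message names only the action. The function names `parseDenial`, `toStatement` and `triage` are hypothetical; the sample lines are copied from this thread's logs.

```javascript
// Constructed sample input: both strings are copied from the logs in this thread.
const SAMPLES = [
  "Remote function error: InvalidParameterException: Caller does not have permission to perform `iam:listAttachedRolePolicies`",
  "Remote function error: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK",
];

// Shape 1: full AccessDenied text with assumed-role principal, action and optional resource.
const FULL = /User: arn:aws:sts::(\d{12}):assumed-role\/([^\/\s]+)\/\S+ is not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)(?: on resource: (\S+))?/;
// Shape 2: terse text that names only the denied action.
const TERSE = /Caller does not have permission to perform `([A-Za-z0-9-]+:[A-Za-z0-9*]+)`/;

// parseDenial (hypothetical helper): returns null when the line is not a denial.
function parseDenial(line) {
  let m = FULL.exec(line);
  if (m) {
    return { accountId: m[1], roleName: m[2], action: m[3], resource: m[4] || null };
  }
  m = TERSE.exec(line);
  if (m) {
    return { accountId: null, roleName: null, action: m[1], resource: null };
  }
  return null;
}

// toStatement (hypothetical helper): emits a statement only when the message
// names the exact resource; otherwise it flags the gap instead of using "*".
function toStatement(d) {
  if (!d.resource) {
    return { statement: null, note: `${d.action}: resource not in message, scope it by hand` };
  }
  return {
    statement: { Effect: "Allow", Action: d.action, Resource: d.resource },
    note: `candidate for role ${d.roleName}, review before attaching`,
  };
}

// triage: run every log line through the parser and keep only the denials.
function triage(lines) {
  return lines.map(parseDenial).filter(Boolean).map(toStatement);
}

console.log(JSON.stringify(triage(SAMPLES), null, 2));
```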
