I have followed the documentation for spinning up an EKS cluster that says to make a service role with certain policies.

https://docs.aws.amazon.com/eks/latest/userguide/eks-ug.pdf

To create your Amazon EKS service role
1. Open the IAM console at https://console.aws.amazon.com/iam/.
2. Choose Roles, then Create role.
3. Choose EKS from the list of services, then Allows Amazon EKS to manage your clusters on your behalf for your use case, then Next: Permissions.
4. Choose Next: Review.
5. For Role name, enter a unique name for your role, such as eksServiceRole, then choose Create role.

When I create a basic hello world app, it throws an AccessDenied error.

    Error creating load balancer (will retry): failed to ensure load balancer for service default/nginx:
    AccessDenied: User: arn:aws:sts::*************:assumed-role/eks-service-role/************* is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::*************:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing

The two Policies that were added (AmazonEKSClusterPolicy, AmazonEKSServicePolicy) do not have the iam:CreateServiceLinkedRole action allowed. Are we supposed to add this outside of the policies defined in the guide? Or is this something that should be included in the EKS policies?

RtmY

2 Answers

It seems that the EKS userguide assumes you have created load balancers in your AWS account prior to creating the EKS cluster, and thus have an existing AWSServiceRoleForElasticLoadBalancing service role in AWS IAM.

As described in https://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/elb-service-linked-roles.html#create-service-linked-role:

You don't need to manually create the AWSServiceRoleForElasticLoadBalancing role. Elastic Load Balancing creates this role for you when you create a load balancer.

EKS is attempting to do this for you, resulting in the access denied exception using the default policies.

Other options to explicitly create the service-linked role prior to EKS cluster creation include:

AWS CLI

    aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"

Terraform

    resource "aws_iam_service_linked_role" "elasticloadbalancing" {
      aws_service_name = "elasticloadbalancing.amazonaws.com"
    }

Or, manually create a load balancer from the UI Console.

Regardless of provisioning options, you should know things will work when you see the following role in AWS IAM:

    arn:aws:iam::<ACCOUNT_ID>:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing

MMC

I got it working by adding this policy to the EKS Role:

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "arn:aws:iam::*:role/aws-service-role/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAccountAttributes"
                ],
                "Resource": "*"
            }
        ]
    }
  • I added this as an inline policy and there weren't any more errors. I wanted to know if this should be included in the EKS policies defined in the user guide. – dannyisonstackoverflow Jul 31 '18 at 13:31
  • I added this policy directly to the EKS role which is generated by the EKS terraform module (https://github.com/terraform-aws-modules/terraform-aws-eks) – Andrej Maya Aug 01 '18 at 14:07
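An added example, not from the question or either answer: a small offline evaluator for plain identity-based policy statements (IAM wildcard matching, explicit Deny over Allow, implicit deny otherwise). It shows that the inline policy above grants iam:CreateServiceLinkedRole on the service-linked-role ARN from the question's error, while a constructed stand-in policy that grants only ELB/EC2 actions (not the real AmazonEKSClusterPolicy document) does not. The account id and the stand-in policy are constructed placeholders; conditions and NotAction/NotResource are deliberately not modelled.

```python
import re

# Constructed sample (not the page's code): the inline policy from the second answer.
INLINE_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeAccountAttributes"], "Resource": "*"},
]}

# Constructed stand-in for a policy that grants ELB/EC2 actions but not
# iam:CreateServiceLinkedRole; NOT the real AmazonEKSClusterPolicy document.
NO_SLR_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["elasticloadbalancing:*", "ec2:Describe*"], "Resource": "*"},
]}

# The service-linked role named in the question's error, with a placeholder account id.
ELB_SLR_ARN = ("arn:aws:iam::123456789012:role/aws-service-role/"
               "elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def _iam_match(pattern, value, ignore_case=False):
    """IAM wildcard match: '*' spans any run (including ':' and '/'), '?' one char."""
    regex = "".join(".*" if c == "*" else "." if c == "?" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, value, re.IGNORECASE if ignore_case else 0) is not None

def is_allowed(policies, action, resource):
    """Identity-based policies only: explicit Deny wins, then any matching Allow,
    else implicit deny. NotAction/NotResource/Condition are rejected, not guessed."""
    allowed = False
    for policy in policies:
        for stmt in _as_list(policy["Statement"]):
            if any(k in stmt for k in ("NotAction", "NotResource", "Condition")):
                raise NotImplementedError("only plain Action/Resource statements are handled")
            # Action names are case-insensitive in IAM; resource ARNs are matched as written.
            if not any(_iam_match(a, action, True) for a in _as_list(stmt["Action"])):
                continue
            if not any(_iam_match(r, resource) for r in _as_list(stmt["Resource"])):
                continue
            if stmt["Effect"] == "Deny":
                return False
            allowed = True
    return allowed

def elb_slr_creation_allowed(policies):
    """True when the attached policies let EKS create the ELB service-linked role."""
    return is_allowed(policies, "iam:CreateServiceLinkedRole", ELB_SLR_ARN)
```

Running `elb_slr_creation_allowed([NO_SLR_POLICY])` reproduces the question's situation (denied), and adding `INLINE_POLICY` to the list flips it to allowed; the ARN pattern in that policy does not cover ordinary roles such as `arn:aws:iam::123456789012:role/Admin`.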