
I'm trying to create an EKS cluster but I keep getting the following error. I think it's an issue of permissions, roles, etc but I have minimum experience with AWS stuff.

I found this thread but I have no idea how to implement all these things.

Any help is appreciated, thanks in advance.

$ eksctl create cluster
[ℹ]  eksctl version 0.13.0
[ℹ]  using region us-west-2
Error: getting availability zones: getting availability zones for us-west-2: UnauthorizedOperation: You are not authorized to perform this operation.
    status code: 403, request id: 724b0c02-fb51-43b2-98ab-746a3d2e45a0
Raskolnikov

5 Answers


The error says UnauthorizedOperation which means you don't have sufficient permission to create the cluster.

Please make sure you have configured your awscli correctly and you have sufficient permissions.

Required permissions are documented at https://github.com/weaveworks/eksctl/blob/master/userdocs/src/usage/minimum-iam-policies.md

Be sure to use the 12-digit Account Id from Account Settings when replacing the placeholders.

This is how you change the permissions of an aws user https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html

Tummala Dhanvi
    There is AWS documentation about it: [AWS: Troubleshoot IAM policy issues](https://aws.amazon.com/premiumsupport/knowledge-center/troubleshoot-iam-policy-issues/). – Dawid Kruk Feb 28 '20 at 08:31
  • Can this answer be more specific about what to do next? – dgg32 Jun 30 '20 at 21:37
  • @dgg32 updated the answer adding the docs for minimum requirements and changing the permissions of a user – Tummala Dhanvi Jul 01 '20 at 19:48

I am also a newbie to EKS. The problem here is that you do not have the permissions to do something. First, we should know what permissions we need; however, as newbies we don't want to know so much. So, as Kushagra Saxena said, we set our IAM account as Admin for learning.

Use Existing Policy

  1. Select Users

  2. Add permissions

  3. Select AdministratorAccess and then Next, Next, Next!

Or Use Custom Policy

If you want to use a custom policy, like this:

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "*",
            "Resource": "*"
        }
    ]
}

You should create your own policy. You can do it as follows:

  1. Select "Policies" and "Create Policy"

  2. Replace with your JSON and Next, Next.

  3. Select your user and add permissions as in "Use Existing Policy".

kyakya

I ran into this problem recently and was at a loss because I could successfully run

$ aws ec2 describe-availability-zones

The problem turned out to be an MFA requirement in IAM. Luckily an AWS support person assisted by pointing me to the AWS IAM Policy Simulator https://policysim.aws.amazon.com/home/index.jsp

By selecting my user, EC2, and describe-availability-zones, the simulator showed the reason for the failure.

cschmack
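Added example, not code from any answer above: a small Python model of the IAM decision the two answers above run into, showing why the all-`*` policy passes, why a policy without EC2 permissions fails on `ec2:DescribeAvailabilityZones`, and why a "deny unless MFA was used" statement blocks long-term access keys (the situation cschmack hit). The sample policies are constructed, and the evaluator is a deliberately simplified subset of real IAM evaluation (no Resource matching, only the `aws:MultiFactorAuthPresent` condition key); for a real account use the Policy Simulator linked above.

```python
import fnmatch

# Constructed sample policies (assumptions, not taken from the question).
ADMIN_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"}]}

# Narrower policy: EKS allowed, but no EC2 actions, so eksctl's
# DescribeAvailabilityZones call falls through to the implicit deny.
EKS_ONLY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "eks:*", "Resource": "*"}]}

# Admin rights plus the common "deny everything unless MFA was used" guard.
# BoolIfExists: if the MFA key is absent (long-term access keys), the
# condition counts as satisfied and the Deny applies.
MFA_GUARDED_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "*", "Resource": "*"},
    {"Effect": "Deny", "Action": "*", "Resource": "*",
     "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _condition_matches(cond, ctx):
    """Simplified condition check: Bool / BoolIfExists on request-context keys."""
    for op, tests in cond.items():
        for key, want in tests.items():
            have = ctx.get(key)
            if have is None:
                if op == "BoolIfExists":
                    continue  # missing key: IfExists treats the test as satisfied
                return False  # plain Bool on a missing key is not satisfied
            if str(have).lower() != str(want).lower():
                return False
    return True


def is_allowed(policy, action, mfa_present=None):
    """Simplified IAM evaluation: explicit Deny beats Allow; default is implicit deny.
    mfa_present=None models a request where the MFA key is absent from the context."""
    ctx = {} if mfa_present is None else {"aws:MultiFactorAuthPresent": mfa_present}
    decision = "implicit-deny"
    for stmt in policy["Statement"]:
        patterns = [p.lower() for p in _as_list(stmt["Action"])]
        if not any(fnmatch.fnmatchcase(action.lower(), p) for p in patterns):
            continue  # statement does not cover this action
        if not _condition_matches(stmt.get("Condition", {}), ctx):
            continue  # statement's condition not met for this request
        if stmt["Effect"] == "Deny":
            return False  # explicit deny always wins
        decision = "allow"
    return decision == "allow"
```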

I have not been able to find the perfect solution but for now you can provide your user with AdministratorAccess policy and it works in IAM.

Kushagra Saxena

First make sure you're running the official AWS CLI (installation instructions). If you're running an older CLI version, consider upgrading before you continue.

Then create a new IAM user following the eksctl documented minimum IAM permissions.

With your new IAM user created, update the AWS CLI to use that user's access key and secret key via aws configure --profile default. The next time you run the command you should see output like:

[ℹ]  eksctl version 0.26.0
[ℹ]  using region us-west-1
[ℹ]  setting availability zones to [us-west-1a us-west-1c us-west-1c]
[ℹ]  subnets for us-west-1a - public:192.168.0.0/19 private:192.168.96.0/19
[ℹ]  subnets for us-west-1c - public:192.168.32.0/19 private:192.168.128.0/19
[ℹ]  subnets for us-west-1c - public:192.168.64.0/19 private:192.168.160.0/19
Josh Habdas