terraform-aws-modules / terraform-aws-eks

Terraform module to create Amazon Elastic Kubernetes (EKS) resources 🇺🇦
https://registry.terraform.io/modules/terraform-aws-modules/eks/aws
Apache License 2.0

Cannot use kubectl (forbidden) #2988

Closed jacekgajek closed 7 months ago

jacekgajek commented 7 months ago

Description

I used to manually create all EKS resources and recently I tried to use the "eks" module. Since then, I cannot use kubectl CLI.

For example

kubectl get pods -A

Returns

Error from server (Forbidden): pods is forbidden: User "arn:aws:sts::123456:assumed-role/terraform/botocore-session-123456" cannot list resource "pods" in API group "" at the cluster scope

Previously, when I created EKS directly with terraform code I didn't have this problem. Same with AWS console, I also got an error "pods is forbidden".

I run terraform with the following creds:

  aws_user_profile = "my-profile"
  aws_role = "arn:aws:iam::123:role/terraform"

and have my credentials stored in .aws/terraform

Expected behavior

When role terraform is assumed, pods can be accessed

Actual behavior

Forbidden error

Code

module parameters:
module "eks" {
  source = "terraform-aws-modules/eks/aws"
  version = "20.8.4"

  cluster_name                    = var.eks_name
  cluster_version                 = var.eks_version
  cluster_endpoint_private_access = true
  cluster_endpoint_public_access  = true
  cluster_additional_security_group_ids = [aws_security_group.eks.id]

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  eks_managed_node_group_defaults = {
    ami_type               = "AL2_x86_64"
    disk_size              = 50
    instance_types         = ["t3.medium", "t3.large"]
    vpc_security_group_ids = [aws_security_group.eks.id]
  }

  eks_managed_node_groups = {
    green = {
      min_size     = 1
      max_size     = 10
      desired_size = 3

      instance_types = ["t3.medium"]
      capacity_type  = "SPOT"
      taints = {
      }
    }
  }
}
bryantbiggs commented 7 months ago

you need to provide the IAM entities the ability to access the cluster using cluster access entries

jacekgajek commented 7 months ago

enable_cluster_creator_admin_permissions = true

fixed this.
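The cluster access entries the maintainer refers to, written out as an added example (this is not code from the issue, the reporter, or the module's own docs). It keeps the reporter's `enable_cluster_creator_admin_permissions = true` shortcut and adds explicit `access_entries`, so the grant is visible in code rather than tied to whichever identity happens to run `terraform apply`. Assumptions: the input names match terraform-aws-modules/eks/aws 20.x; `var.eks_name`, `var.eks_version`, `var.vpc_id`, `var.subnet_ids` and `aws_security_group.eks` come from the reporter's configuration; the account id `123456789012`, the `eks-developers` role and the `staging`/`dev` namespaces are placeholders.

```hcl
# Added example, not the issue's or the module's own code.
# Assumed: terraform-aws-modules/eks/aws 20.x input names; placeholder
# account id, role names and namespaces.

module "eks" {
  source  = "terraform-aws-modules/eks/aws"
  version = "20.8.4"

  cluster_name    = var.eks_name
  cluster_version = var.eks_version

  cluster_endpoint_private_access       = true
  cluster_endpoint_public_access        = true
  cluster_additional_security_group_ids = [aws_security_group.eks.id]

  vpc_id     = var.vpc_id
  subnet_ids = var.subnet_ids

  # v20 grants cluster access through EKS access entries (the module's
  # default authentication_mode is API_AND_CONFIG_MAP). No IAM principal
  # is authorised unless an access entry says so, which is why the
  # identity that created the cluster still got "Forbidden".
  authentication_mode = "API_AND_CONFIG_MAP"

  # The reporter's fix: cluster-admin for the identity running apply.
  # Convenient, but it couples cluster-admin to the pipeline/operator role.
  enable_cluster_creator_admin_permissions = true

  # Explicit, reviewable grants. principal_arn must be the IAM role ARN
  # (arn:aws:iam::<account>:role/<name>), not the sts assumed-role ARN
  # that appears in the kubectl error message.
  access_entries = {
    terraform_admin = {
      principal_arn = "arn:aws:iam::123456789012:role/terraform"
      policy_associations = {
        admin = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSClusterAdminPolicy"
          access_scope = {
            type = "cluster"
          }
        }
      }
    }

    # Least privilege for everyone else: read-only, limited to two namespaces.
    developers_view = {
      principal_arn = "arn:aws:iam::123456789012:role/eks-developers"
      policy_associations = {
        view = {
          policy_arn = "arn:aws:eks::aws:cluster-access-policy/AmazonEKSViewPolicy"
          access_scope = {
            type       = "namespace"
            namespaces = ["staging", "dev"]
          }
        }
      }
    }
  }

  eks_managed_node_group_defaults = {
    ami_type               = "AL2_x86_64"
    disk_size              = 50
    instance_types         = ["t3.medium", "t3.large"]
    vpc_security_group_ids = [aws_security_group.eks.id]
  }

  eks_managed_node_groups = {
    green = {
      min_size       = 1
      max_size       = 10
      desired_size   = 3
      instance_types = ["t3.medium"]
      capacity_type  = "SPOT"
    }
  }
}
```

After apply, confirm what was actually granted before relying on it: `aws eks list-access-entries --cluster-name <name>` lists the principals, `aws eks list-associated-access-policies --cluster-name <name> --principal-arn arn:aws:iam::<account>:role/terraform` shows the policy and scope attached to each one, and `kubectl auth can-i list pods --all-namespaces` run under the assumed role checks the result end to end. If `list-access-entries` shows the role but kubectl is still forbidden, the usual cause is a principal ARN that was copied from the `arn:aws:sts::...:assumed-role/...` error text instead of the IAM role ARN.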

github-actions[bot] commented 5 months ago

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.