Aws-cdk: [aws-eks] 1.45.0 introduces regression in EKS Cluster creation: Caller does not have permission to perform `iam:listAttachedRolePolicies`

Created on 16 Jun 2020 · 9 comments · Source: aws/aws-cdk

Reproduction Steps

new eks.Cluster() in 1.45.0.

Works ok in 1.44.0

Error Log

EKSCluster/Resource/Resource/Default (EKSClusterE11008B6) Failed to create resource. Error: Caller does not have permission to perform `iam:listAttachedRolePolicies`
    at invokeUserFunction (/var/task/framework.js:85:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: InvalidParameterException: Caller does not have permission to perform `iam:listAttachedRolePolicies`
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)
    at Request.callListeners (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:106:20)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/sequential_executor.js:78:10)
    at Request.emit (/var/runtime/node_modules/aws-sdk/lib/request.js:683:14)
    at Request.transition (/var/runtime/node_modules/aws-sdk/lib/request.js:22:10)
    at AcceptorStateMachine.runTo (/var/runtime/node_modules/aws-sdk/lib/state_machine.js:14:12)
    at /var/runtime/node_modules/aws-s
        new CustomResource (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/core/lib/custom-resource.ts:115:21)
        \_ new ClusterResource (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/aws-eks/lib/cluster-resource.ts:114:22)
        \_ new Cluster (/home/doug/projects/trustsrv.io/node_modules/@aws-cdk/aws-eks/lib/cluster.ts:406:18)

Environment

  • CLI Version : 1.45.0
  • Framework Version: 1.45.0
  • Node.js Version: 14.2.0
  • OS : debian
  • Language (Version): Typescript 3.7.3

Other

This is :bug: Bug Report

Labels: @aws-cdk/aws-eks, bug, p1

All 9 comments

I have spent a couple of hours already debugging this issue and realized it could be related to the CDK upgrade. Getting a similar error while creating an EKS Fargate cluster. Below is the error:

fault-profile/Resource/Default (fargateclusterfargateprofiledefaultprofile00E7FED0) Resource creation Initiated
44/49 | 3:20:33 am | CREATE_FAILED | Custom::AWSCDK-EKS-FargateProfile | fargate-cluster/fargate-profile-default-profile/Resource/Default (fargateclusterfargateprofiledefaultprofile00E7FED0) Failed to create resource. Error: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK
    at invokeUserFunction (/var/task/framework.js:85:19)
    at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK
    at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
    at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json.js:55:8)

Same code used to work on 1.44.

Encountered the same problem as @rameshmimit.

Failed to create resource. Error: 
User: arn:aws:sts::XXXXXXXXXXX:assumed-role/TinyPanda-MyEKSClusterNes-MyFargateClusterCreation-1LQDNGMQ71LLK/AWSCDK.EKSCluster.Create.23d963e4-fe80-4743-98b6-a4362805011e
is not authorized to perform:
iam:PassRole
 on resource: arn:aws:iam::XXXXXXXXXXX:role/TinyPanda-MyEKSClusterNes-EKSFargatePodExecutionRo-GXIXGDEUUCM5
 at invokeUserFunction (/var/task/framework.js:85:19)
 at process._tickCallback (internal/process/next_tick.js:68:7)
Remote function error: 
    AccessDeniedException: 
    User: 
        arn:aws:sts::XXXXXXXXXXX:assumed-role/TinyPanda-MyEKSClusterNes-MyFargateClusterCreation-1LQDNGMQ71LLK/AWSCDK.EKSCluster.Create.23d963e4-fe80-4743-98b6-a4362805011e
    is not authorized to perform:
    iam:PassRole on resource:
    arn:aws:iam::XXXXXXXXXXX:role/TinyPanda-MyEKSClusterNes-EKSFargatePodExecutionRo-GXIXGDEUUCM5
        at Object.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/json.js:51:27)
        at Request.extractError (/var/runtime/node_modules/aws-sdk/lib/protocol/rest_json

Tested in 1.46.0 and it seems fixed for me.

Confirming this is an issue caused by new permissions needed by EKS. Work in progress.

@pahud can you please take a look at this. I suspect it's related to https://github.com/aws/aws-cdk/pull/7637 - did we have to explicitly enable the service linked role here?

Looking into this.

Hi,

We should have already fixed this issue in 1.46.0. See https://github.com/aws/aws-cdk/pull/8548

Resolving. Please chime in if this persists >= 1.46.0

This is still an issue with the latest version 1.48.0. Reopening.

Today I've also gotten the same error, but on the ec2:DescribeVpcs permission. This was not the case on Friday, because I rolled out an EKS cluster with a CDK build done from the master branch. Adding the DescribeVpcs permission solved the problem, same as the PR in #8859.

Seems like AWS is changing stuff on their end that requires more permissions?
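Every report in this thread is the same failure mode: the Lambda-backed custom resource that creates the cluster runs under a CDK-generated creation role, and that role is missing one IAM action (iam:ListAttachedRolePolicies, iam:PassRole on the pod execution role, ec2:DescribeVpcs). Below is an added example, not part of this thread and not code from the aws-cdk project, of a small TypeScript helper that takes the pasted AccessDeniedException / InvalidParameterException messages and derives the least-privilege policy statements the creation role was missing, then flags the ones that still sit on Resource "*" so they get tightened by hand. The function names (parseDenials, buildStatements, unscopedActions, normalizeAction, toPolicyDocument) and the SAMPLE_LOG are this example's own; the sample is constructed from the messages quoted above (account IDs masked) plus one constructed ec2:DescribeVpcs denial modelled on the previous comment.

```typescript
// Added example (not from this issue thread or the aws-cdk project): turn the
// IAM/EKS "access denied" messages pasted in the thread into least-privilege
// policy statements for the cluster creation role, and flag unscoped ones.

export interface MissingPermission {
  action: string;   // IAM action, e.g. "iam:PassRole"
  resource: string; // ARN named in the message, or "*" when it names none
}

export interface PolicyStatement {
  Effect: 'Allow';
  Action: string[];
  Resource: string[];
}

// "User: <arn> is not authorized to perform: <action> on resource: <arn>"
// (the "on resource" part is absent for some Describe* denials, so it is optional)
const IAM_DENIAL = /is not authorized to perform:\s*([a-z0-9-]+:[A-Za-z0-9*]+)(?:\s+on resource:\s*(\S+))?/;
// "Caller does not have permission to perform `<action>`": EKS reports the
// denial it hit itself, in SDK camelCase and without naming a resource
const EKS_DENIAL = /Caller does not have permission to perform\s*`([a-z0-9-]+:[A-Za-z0-9*]+)`/;

function findAll(re: RegExp, text: string): RegExpExecArray[] {
  const g = new RegExp(re.source, 'g');
  const out: RegExpExecArray[] = [];
  let m: RegExpExecArray | null;
  while ((m = g.exec(text)) !== null) out.push(m);
  return out;
}

// IAM evaluates action names case-insensitively, but the EKS message spells
// them in camelCase; normalise the first letter so duplicates collapse and the
// policy reads like the documented action name.
export function normalizeAction(action: string): string {
  const idx = action.indexOf(':');
  const service = action.slice(0, idx);
  const name = action.slice(idx + 1);
  return service + ':' + name.charAt(0).toUpperCase() + name.slice(1);
}

export function parseDenials(log: string): MissingPermission[] {
  // Some pasted logs wrap the message across lines, and each denial appears
  // twice (wrapper error plus "Remote function error"), so collapse whitespace
  // and de-duplicate on (action, resource).
  const text = log.replace(/\s+/g, ' ');
  const found: MissingPermission[] = [];
  const keys: string[] = [];
  const add = (action: string, resource: string) => {
    const p: MissingPermission = { action: normalizeAction(action), resource: resource };
    const key = p.action + '|' + p.resource;
    if (keys.indexOf(key) === -1) { keys.push(key); found.push(p); }
  };
  for (const m of findAll(IAM_DENIAL, text)) add(m[1], m[2] || '*');
  for (const m of findAll(EKS_DENIAL, text)) add(m[1], '*');
  return found;
}

// One statement per action, resources sorted, actions sorted: stable output
// that can be diffed against what the creation role already has.
export function buildStatements(perms: MissingPermission[]): PolicyStatement[] {
  const actions: string[] = [];
  const resources: { [action: string]: string[] } = {};
  for (const p of perms) {
    if (!resources[p.action]) { resources[p.action] = []; actions.push(p.action); }
    if (resources[p.action].indexOf(p.resource) === -1) resources[p.action].push(p.resource);
  }
  return actions.sort().map((action): PolicyStatement => ({
    Effect: 'Allow',
    Action: [action],
    Resource: resources[action].slice().sort(),
  }));
}

// Least-privilege check: anything still on Resource "*" should be scoped by hand
// (e.g. iam:ListAttachedRolePolicies to the cluster role's own ARN) before the
// policy is attached to the creation role.
export function unscopedActions(stmts: PolicyStatement[]): string[] {
  return stmts.filter(s => s.Resource.indexOf('*') !== -1).map(s => s.Action[0]);
}

export function toPolicyDocument(stmts: PolicyStatement[]): string {
  return JSON.stringify({ Version: '2012-10-17', Statement: stmts }, null, 2);
}

// Constructed sample: the denials quoted in this thread (account IDs masked),
// one of them wrapped across lines, plus a constructed ec2:DescribeVpcs denial.
export const SAMPLE_LOG = [
  'Failed to create resource. Error: Caller does not have permission to perform `iam:listAttachedRolePolicies`',
  '    at invokeUserFunction (/var/task/framework.js:85:19)',
  'Remote function error: InvalidParameterException: Caller does not have permission to perform `iam:listAttachedRolePolicies`',
  'Failed to create resource. Error: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a is not authorized to perform: iam:PassRole on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK at invokeUserFunction (/var/task/framework.js:85:19)',
  'Remote function error: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/ServerlessEksStack-fargateclusterCreationRole55403-T30WTXW6EOV4/AWSCDK.EKSCluster.Create.4db13c7b-f75a-44d1-b1d2-2a7256327c1a',
  'is not authorized to perform:',
  'iam:PassRole',
  ' on resource: arn:aws:iam::123456789012:role/ServerlessEksStack-fargateprofileroleEC9BD101-F8LX3GQK3NK',
  'Remote function error: AccessDeniedException: User: arn:aws:sts::123456789012:assumed-role/ExampleCreationRole/AWSCDK.EKSCluster.Create is not authorized to perform: ec2:DescribeVpcs',
].join('\n');

console.log(toPolicyDocument(buildStatements(parseDenials(SAMPLE_LOG))));
```

On the sample above this yields three statements: iam:PassRole comes out scoped to the specific pod execution role ARN because the denial names it, while ec2:DescribeVpcs and iam:ListAttachedRolePolicies are reported by unscopedActions so they are narrowed by hand (Describe* calls genuinely need "*", the IAM list call does not) rather than attached to the creation role as written.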
