AWS EKS Node Group Access Denied through CLI

I am running the following eksctl command, trying to create an EKS cluster through the AWS CloudShell:

eksctl create cluster -f demo_cluster.yaml

Here’s the demo_cluster.yaml file:

apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: my-eks-cluster
  region: us-west-2
  version: "1.23"

nodeGroups:
  - name: ng-1-workers
    labels: { role: workers }
    instanceType: t3.small
    desiredCapacity: 2
    volumeSize: 20
    iam:
      withAddonPolicies:
        ebs: true

addons:
  - name: aws-ebs-csi-driver
    version: v1.13.0-eksbuild.1 # optional

=============================

However, I am getting the following error:
"operation error IAM: GetOpenIDConnectProvider, https response error StatusCode: 403, RequestID: 4407a8bd-c775-4dc7-bebf-d789158de2d4, api error AccessDenied: User: arn:aws:iam::200875716582:user/odl_user_1009723 is not authorized to perform: iam:GetOpenIDConnectProvider on resource: arn:aws:iam::200875716582:oidc-provider/oidc.eks.us-west-2.amazonaws.com/id/07C48F311ED88C4008A08980A4C3957C with an explicit deny in an identity-based policy"

Attached please find the screen capture. Can you give me some clue?

Thanks!

Hi @Learning-Stack

We're aware of this issue; the labs team is working on fixing it. In the meantime you can use the following workaround:

"You should be able to launch EKS with “Self-managed nodes”. As of now “Managed Node-group” and “Fargate Profile” will not work with EKS.

Also, you need to keep in mind below restrictions as well.

  1. Choose one of these instance types: *.nano, *.micro, *.small, *.medium of the t1, t2 and t3 instance classes.

  2. Choose "gp2" as the only disk type.

  3. The maximum disk size allowed per node is 30GB.

In order to deploy EKS, it needs to meet all of the above criteria."

Thanks
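The restrictions listed above, turned into a small pre-flight check over a parsed eksctl ClusterConfig. This is an added example, not code from this thread or from KodeKloud; the config dict is constructed from the asker's file, and requiring an explicit `volumeType: gp2` is my assumption, since eksctl fills in a default when the field is omitted.

```python
import re
from typing import Any, Dict, List

# Constructed sample: the asker's ClusterConfig reduced to the fields the
# playground rules care about (example data, not the thread's actual file).
SAMPLE_CONFIG: Dict[str, Any] = {
    "apiVersion": "eksctl.io/v1alpha5",
    "kind": "ClusterConfig",
    "metadata": {"name": "my-eks-cluster", "region": "us-west-2", "version": "1.23"},
    "nodeGroups": [
        {"name": "ng-1-workers", "instanceType": "t3.small",
         "desiredCapacity": 2, "volumeSize": 20},
    ],
}

# t1/t2/t3 in nano, micro, small or medium, as the reply requires.
ALLOWED_TYPE = re.compile(r"^t[123]\.(nano|micro|small|medium)$")
MAX_VOLUME_GB = 30


def check_playground_rules(config: Dict[str, Any]) -> List[str]:
    """Return the list of rule violations; an empty list means the config passes."""
    problems: List[str] = []
    # Only self-managed nodeGroups work; managed node groups and Fargate are denied.
    if config.get("managedNodeGroups"):
        problems.append("managedNodeGroups present: only self-managed nodeGroups are allowed")
    if config.get("fargateProfiles"):
        problems.append("fargateProfiles present: Fargate profiles are not allowed")
    for ng in config.get("nodeGroups", []):
        name = ng.get("name", "<unnamed>")
        itype = ng.get("instanceType", "")
        if not ALLOWED_TYPE.match(itype):
            problems.append(f"{name}: instanceType {itype!r} is not a t1/t2/t3 nano/micro/small/medium")
        # Assumption: eksctl defaults volumeType when omitted, so require gp2 explicitly.
        if ng.get("volumeType") != "gp2":
            problems.append(f"{name}: volumeType must be set to 'gp2' (got {ng.get('volumeType')!r})")
        size = ng.get("volumeSize", 0)
        if size > MAX_VOLUME_GB:
            problems.append(f"{name}: volumeSize {size} GB exceeds {MAX_VOLUME_GB} GB")
    return problems


if __name__ == "__main__":
    for problem in check_playground_rules(SAMPLE_CONFIG):
        print("VIOLATION:", problem)
```

Run against the sample, the only finding is the missing `volumeType: gp2`; adding that line to the node group makes the config pass all three rules.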

Hi @mmkmou,

Thank you for your advice. So is the below command valid to run in KodeKloud?

eksctl create cluster --name my-eks-cluster --version 1.23 --region us-east-2 --nodegroup-name ng-1-workers --node-type t2.micro --node-volume-type gp2 --nodes 2

Hi @mmkmou,

When I was trying to learn EKS on the AWS playground, I encountered the following error.

User: arn:aws:iam::508800999830:user/odl_user_1120917 is not authorized to perform: eks:CreateNodegroup on resource: arn:aws:eks:us-east-1:508800999830:cluster/eks_cluster_demo with an explicit deny

When I searched for this error I found this thread. I tried to follow your recommendation, so I created 2 EC2 nodes separately.

However, I could not add them to the EKS cluster!

How can I make it work?

Thank you
Regards
Elif

You cannot create managed node groups on the AWS playground. If you want to deploy EKS, it must be done using unmanaged node groups.

You may either do it manually using the console: [Playground Series] How to create an EKS cluster in KodeKloud Playground?
or with terraform: https://github.com/kodekloudhub/certified-kubernetes-administrator-course/blob/master/managed-clusters/eks/README.md
