Eksworkshop.com labs (Cloudformation template) not working in the playground

raghusharma · August 5, 2025, 7:24am

Hi guys,

I am trying to launch the cloudformation template in the setup part of eksworkshop given at: In your AWS account | EKS Workshop

I am getting permission errors related to cloudfront and secret manager:

Resource handler returned message: “Access denied for operation ‘AWS::CloudFront::CachePolicy’.” (RequestToken: 76cd6f2c-xxxx-xxxx-xxxx-xxxxxxxxxx, HandlerErrorCode: AccessDenied)

Resource handler returned message: “User: arn:aws:iam::xxxxxxxxxxxx:user/kk_labs_user_xxxxxx is not authorized to perform: secretsmanager:GetRandomPassword because no identity-based policy allows the secretsmanager:GetRandomPassword action (Service: SecretsManager, Status Code: 400, Request ID: 8b601f68-b53b-4ae5-adc9-6f861e54b735) (SDK Attempt Count: 1)” (RequestToken: f2724321-0f17-5e08-5bdf-0142b35454a9, HandlerErrorCode: InvalidRequest)

URL of the cloudformation stack:
https://us-west-2.console.aws.amazon.com/cloudformation/home#/stacks/quickcreate?templateUrl=https://ws-assets-prod-iad-r-pdx-f3b3f9f1a7d6a3d0.s3.us-west-2.amazonaws.com/39146514-f6d5-41cb-86ef-359f9d2f7265/eks-workshop-vscode-cfn.yaml&stackName=eks-workshop-ide&param_RepositoryRef=stable

Santosh_KodeKloud · August 5, 2025, 9:00am

Hi @raghusharma

You can refer to our guide on creating an EKS cluster.

raghusharma · August 5, 2025, 9:26am

Yeah, I explored that.
This CF stack creates an environment that has many pre-built tool to make it easy to follow the labs.
Any Custom EKS cluster will not have the same environment, and I will spend more time debugging environment issues than the labs.

I understand that there are limitations on the sandbox, but the permissions required will not create anything that will incur any infra cost.

raghusharma · August 5, 2025, 9:27am

The CF stack I have mentioned is actually procuring an EC2 instance behind a CloudFront distribution with VSCode environment set up on the EC2.

Actual EKS cluster will be created later in the lab.

Alistair_KodeKloud · August 7, 2025, 3:50am

The IAM restrictions in playgrounds are not only for cost control and security, but also for ease of account cleanup when a playground ends. I have has many discussions with our AWS administrator on this topic and it is unlikely to be changed.
As a result, third party terraform and cloudformation is highly unlikely to work in playgrounds and why we have to provide curated builds that do work in playgrounds.