Not able to create EKS cluster on EKS playground

mohammadjaanu1993 · October 29, 2025, 2:16pm

I am not able to create the eks cluster on EKS playground. Getting the following error,
User: arn:aws:iam::424837873756:user/kk_labs_user_565201 is not authorized to perform: iam:PassRole on resource: arn:aws:iam::424837873756:role/fj because no identity-based policy allows the iam:PassRole action

I have followed the same git page to configure it. PLz help.

github.com

kodekloudhub/certified-kubernetes-administrator-course/blob/master/managed-clusters/eks/console/docs/04-networking.md

# Networking

1. Select VPC - there should only be one choice, the Default VPC.

1. Select values for the Subnets fields. There needs to be at least two subnets selected, and we don't need more than 3. Ensure that `us-east-1e` is *not* one of the selected subnets. If there are less than 2 subnets available, you will either need to go to VPC console and add some (beyond scope of this guide), or restart the playground until you get 2 or more subnets.

    ![](../images/04-subnets.png)

1. Scroll to end and press `Next`.
1. At the following page (Observability), press `Next` again as there is nothing to do here.
1. At the following page (Select add-ons), press `Next` again as there is nothing to do here either.
1. At the following page (Configure selected add-ons settings), press `Next` again as there is nothing to do here either.

Prev: [Configure Cluster](./03-configure-cluster.md)<br/>
Next: [Create Cluster](./05-create-cluster.md)

Santosh_KodeKloud · October 29, 2025, 2:40pm

Hi @mohammadjaanu1993

This guide is tested and working.

Did you ensure that there are two subnets available for the selected Default VPC, and none of them are from us-east-1e?
Please do follow the instructions in the guide and do not change/update any values.

raymond.baoly · October 30, 2025, 5:06am

Also, please ensure that you have created and are using the correct role name as defined in the documentation.

mohammadjaanu1993 · October 30, 2025, 2:34pm

I am getting different error while joining the nodes,

Oct 30 11:31:19 ip-172-31-64-79 kubelet: I1030 11:31:19.291620 2414 kubelet_node_status.go:668] “Recording event message for node” node=“ip-172-31-64-79.ec2.internal” event=“NodeHasSufficientPID”
Oct 30 11:31:19 ip-172-31-64-79 kubelet: I1030 11:31:19.291646 2414 kubelet_node_status.go:70] “Attempting to register node” node=“ip-172-31-64-79.ec2.internal”
Oct 30 11:31:19 ip-172-31-64-79 kubelet: E1030 11:31:19.332470 2414 controller.go:144] failed to ensure lease exists, will retry in 7s, error: Unauthorized
Oct 30 11:31:19 ip-172-31-64-79 kubelet: E1030 11:31:19.332833 2414 kubelet_node_status.go:92] “Unable to register node with API server” err=“Unauthorized” node=“ip-172-31-64-79.ec2.internal”
Oct 30 11:31:19 ip-172-31-64-79 kubelet: I1030 11:31:19.557140 2414 csi_plugin.go:1021] Failed to contact API server when waiting for CSINode publishing: Unauthorized
Oct 30 11:31:20 ip-172-31-64-79 kubelet: I1030 11:31:20.557875 2414 csi_plugin.go:1021] Failed to contact API server when waiting for CSINode publishing: Unauthorized
Oct 30 11:31:20 ip-172-31-64-79 kubelet: W1030 11:31:20.719346 2414 reflector.go:324] vendor/k8s.io/client-go/informers/factory.go:134: failed to list *v1.CSIDriver: Unauthorized
Oct 30 11:31:20 ip-172-31-64-79 kubelet: E1030 11:31:20.719375 2414 reflector.go:138] vendor/k8s.io/client-go/informers/factory.go:134: Failed to watch *v1.CSIDriver: failed to list *v1.CSIDriver: Unauthorized
I am wasting my time to build the environment only. I request KODEKLOUD Team add single Cloudformation template to launch the cluster.

raymond.baoly · October 31, 2025, 6:22am

Hi @mohammadjaanu1993

Please share more detailed steps of what you’ve done so we can help you check it.

In case you’d like to use IaC to quickly provision the EKS cluster in the playground, we have a detailed guide using Terraform. It includes all the manual steps as code, so you just need to follow the instructions and run a few commands to provision the cluster properly.

You can find the document here:

github.com

kodekloudhub/amazon-elastic-kubernetes-service-course/blob/main/docs/playground.md

# Amazon EKS Cluster

In this guide, we will deploy an EKS cluster in the KodeKloud AWS Playground using Terraform. This cluster utilises an *unmanaged* node group, i.e. one we have to deploy and join manually as the playground does not support the creation of managed node groups.

If you want to do this manually from the AWS console, you can follow [this guide](https://github.com/kodekloudhub/certified-kubernetes-administrator-course/blob/master/managed-clusters/eks/console/README.md).

This terraform code will create an EKS cluster called `demo-eks` and will have the same properties as the manually deployed version linked above.

## Start an AWS Playground

[Click here](https://kodekloud.com/playgrounds/playground-aws) to start a playground, and click `START LAB` to request a new AWS Cloud Playground instance. After a few seconds, you will receive your credential to access AWS Cloud console.

Note that you must have KodeKloud Pro subscription to run an AWS playground. If you have [your own AWS account](https://aws.amazon.com/free/), this should still work, however *you* will bear the cost for any resources created until you delete them. Be aware that not all resources are free in a "free" account!
That includes EKS control planes (approx. 10 cents/hour).

This demo can be run from either your own laptop or from the AWS CloudShell
* From your laptop
    * You must have working versions of [git](https://github.com/git-guides/install-git), [terraform](https://developer.hashicorp.com/terraform/install), [kubectl](https://kubernetes.io/docs/tasks/tools/#kubectl), [jq](https://jqlang.github.io/jq/) (Mac/Linux only) and the [AWS CLI](https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html#getting-started-install-instructions) installed on your laptop. This is not a tutorial on how to install these things.
    * You will need to go to the IAM console in AWS, then create and download access keys for the playground user, then export these as `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY` in your terminal's environment.
    * If your laptop is Windows, you must run the commands from a PowerShell prompt.

This file has been truncated. show original

anne_alice · November 1, 2025, 1:01pm

Hey! I’ve run into the same issue before on the KodeKloud EKS playground. It’s not your setup that’s wrong, it’s just that the IAM permissions in the playground environment are restricted. The error iam:PassRole is not authorized means your temporary IAM user doesn’t have the rights to pass the role needed for the EKS cluster creation.

Basically, the playground doesn’t let you attach or use certain IAM roles for EKS because of AWS account limitations. You can follow all the steps from the GitHub repo perfectly, but that specific step fails because the role assignment requires higher permissions.

If you just want to practice creating an EKS cluster, I’d recommend either using your own AWS Free Tier account or the KodeKloud labs specifically made for EKS (they have preconfigured IAM permissions). On the KodeKloud playground, though, you won’t be able to bypass that permission issue - it’s locked down.