Hello, in the AWS lab environment I have tried creating some EKS resources with Terraform, and most of it works fine; even the IRSA system works with various resources. However, when I try using Pod Identity with Terraform I am able to install the addon, but the role association is giving me a 403 error. I suspect this is limited due to the lab constraints and how the AWS lab was designed?
Error: creating EKS Pod Identity Association
│
│ with aws_eks_pod_identity_association.alb_controller,
│ on pod-identity-roles.tf line 66, in resource "aws_eks_pod_identity_association" "alb_controller":
│ 66: resource "aws_eks_pod_identity_association" "alb_controller" {
│
│ operation error EKS: CreatePodIdentityAssociation, https response error StatusCode: 403, RequestID: 4753bec5-f12c-4ecf-93a9-7e4568ac9654, api error
│ AccessDeniedException: User: arn:aws:iam::637423283722:user/kk_labs_user_938814 is not authorized to perform: eks:CreatePodIdentityAssociation on resource:
│ arn:aws:eks:us-east-1:637423283722:cluster/demo-eks because no identity-based policy allows the eks:CreatePodIdentityAssociation action
╵
╷
│ Error: creating EKS Pod Identity Association
│
│ with aws_eks_pod_identity_association.backup_job,
│ on pod-identity-roles.tf line 110, in resource "aws_eks_pod_identity_association" "backup_job":
│ 110: resource "aws_eks_pod_identity_association" "backup_job" {
│
│ operation error EKS: CreatePodIdentityAssociation, https response error StatusCode: 403, RequestID: 6011f24b-a801-4388-aba9-1d6a959c87c1, api error
│ AccessDeniedException: User: arn:aws:iam::637423283722:user/kk_labs_user_938814 is not authorized to perform: eks:CreatePodIdentityAssociation on resource:
│ arn:aws:eks:us-east-1:637423283722:cluster/demo-eks because no identity-based policy allows the eks:CreatePodIdentityAssociation action
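The useful information in an AccessDeniedException is the triple (principal, action, resource) plus the reason clause, which tells you whether an Allow is simply missing or whether an explicit Deny (SCP, permissions boundary) is blocking it. The following is an added example, not code from the original post: it strips Terraform's box-drawing gutter, re-joins the wrapped message, parses each denial, classifies the reason, and emits the minimal identity-based policy statement the principal would need. The sample input is constructed from the two error blocks above; the helper names are mine.

```python
import json
import re

# Constructed sample: the AccessDeniedException lines from the two Terraform errors
# in the post, including the "│ " gutter and the wrapped resource ARN on the next line.
SAMPLE_TERRAFORM_OUTPUT = """
│ AccessDeniedException: User: arn:aws:iam::637423283722:user/kk_labs_user_938814 is not authorized to perform: eks:CreatePodIdentityAssociation on resource:
│ arn:aws:eks:us-east-1:637423283722:cluster/demo-eks because no identity-based policy allows the eks:CreatePodIdentityAssociation action
╵
╷
│ AccessDeniedException: User: arn:aws:iam::637423283722:user/kk_labs_user_938814 is not authorized to perform: eks:CreatePodIdentityAssociation on resource:
│ arn:aws:eks:us-east-1:637423283722:cluster/demo-eks because no identity-based policy allows the eks:CreatePodIdentityAssociation action
"""

# One denial: "User: <principal> is not authorized to perform: <action> on resource: <arn> because <reason>"
DENIAL_RE = re.compile(
    r"User: (?P<principal>\S+) is not authorized to perform: (?P<action>\S+) "
    r"on resource: (?P<resource>\S+) because (?P<reason>.+?)\s*$"
)


def normalize(output: str) -> str:
    """Drop Terraform's gutter characters and re-join the wrapped lines into one string."""
    lines = [re.sub(r"^[│╷╵\s]+", "", ln).strip() for ln in output.splitlines()]
    return " ".join(ln for ln in lines if ln)


def classify_reason(reason: str) -> str:
    """Map the IAM reason clause to the kind of policy change that would be needed."""
    if "service control policy" in reason:
        return "scp-deny"                # an SCP blocks it; no identity policy can fix that
    if "permissions boundary" in reason:
        return "permissions-boundary"    # the boundary must allow it as well
    if "explicit deny" in reason:
        return "explicit-deny"           # a Deny statement wins over any Allow
    if "no identity-based policy allows" in reason:
        return "missing-allow"           # just add an Allow for the action
    return "other"


def parse_denials(output: str) -> list[dict]:
    """Return one dict per AccessDeniedException found in the Terraform output."""
    text = normalize(output)
    denials = []
    for chunk in text.split("AccessDeniedException:")[1:]:
        m = DENIAL_RE.search(chunk)
        if m:
            d = m.groupdict()
            d["kind"] = classify_reason(d["reason"])
            denials.append(d)
    return denials


def minimal_policy(denials: list[dict]) -> dict:
    """Build the smallest Allow policy covering the denied (action, resource) pairs."""
    by_resource: dict[str, set[str]] = {}
    for d in denials:
        if d["kind"] == "missing-allow":
            by_resource.setdefault(d["resource"], set()).add(d["action"])
    statements = [
        {"Effect": "Allow", "Action": sorted(actions), "Resource": resource}
        for resource, actions in sorted(by_resource.items())
    ]
    return {"Version": "2012-10-17", "Statement": statements}


if __name__ == "__main__":
    found = parse_denials(SAMPLE_TERRAFORM_OUTPUT)
    for d in found:
        print(f"{d['principal']} lacks {d['action']} on {d['resource']} ({d['kind']})")
    print(json.dumps(minimal_policy(found), indent=2))
```

Two identical denials collapse into a single statement, so the output is the one Allow the lab user would need on the demo-eks cluster ARN. Whether you can attach it is a separate question: in a managed playground the user rarely controls its own IAM policies, which is exactly the limitation the reply below describes, and a `scp-deny` classification would mean no policy you attach could help.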
I don’t think the playground supports pod identity permissions because there are some limitations with Cloud IAM. You can check the documentation below for more details: