Error:-
2025-08-12 01:16:19 [] will create IAM Open ID Connect provider for cluster “demo-eks” in “us-east-1”
Error: creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: f9d2e4ca-e1c7-40a0-83ae-c6e774a64e25, api error AccessDenied: User: arn:aws:iam::471112567703:user/kk_labs_user_165100 is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::471112567703:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/84A494F1F6557368ABE279A51BCF0F57 because no identity-based policy allows the iam:CreateOpenIDConnectProvider action
Also can’t attach policies to created users.
iamuser-test1 user created with a few errors. See error description below.
Error:-
Failed to add to user. User: arn:aws:iam::730335277320:user/kk_labs_user_520711 is not authorized to perform: iam:AttachUserPolicy on resource: user iamuser-test1 because no identity-based policy allows the iam:AttachUserPolicy action
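To make denials like the two quoted above quicker to triage, here is an added example (not from this thread, eksctl or the lab tooling) that parses the AWS AccessDenied message into principal, account, action and resource, and flags actions that let a principal widen IAM permissions; the flagged set and the sample lines are the example's own assumptions, with the sample lines constructed from the messages shown above.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two AccessDenied messages quoted in this thread, plus one plain log line.
SAMPLE_LINES = [
    "Error: creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, "
    "https response error StatusCode: 403, RequestID: f9d2e4ca-e1c7-40a0-83ae-c6e774a64e25, "
    "api error AccessDenied: User: arn:aws:iam::471112567703:user/kk_labs_user_165100 "
    "is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: "
    "arn:aws:iam::471112567703:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/"
    "84A494F1F6557368ABE279A51BCF0F57 because no identity-based policy allows the "
    "iam:CreateOpenIDConnectProvider action",
    "Failed to add to user. User: arn:aws:iam::730335277320:user/kk_labs_user_520711 "
    "is not authorized to perform: iam:AttachUserPolicy on resource: user iamuser-test1 "
    "because no identity-based policy allows the iam:AttachUserPolicy action",
    "2025-08-12 01:16:19 will create IAM Open ID Connect provider for cluster demo-eks",
]

# Assumed set (the example's own choice): IAM actions that let a principal widen
# its own or another principal's permissions, which is why a shared lab refuses them.
ESCALATION_SENSITIVE = {
    "iam:AttachUserPolicy", "iam:PutUserPolicy", "iam:AttachRolePolicy",
    "iam:PutRolePolicy", "iam:CreateAccessKey", "iam:UpdateAssumeRolePolicy",
}

# Shape of the AWS AccessDenied explanation: principal ARN, action, resource, reason.
# The resource may contain a space ("user iamuser-test1"), hence the lazy match up to "because".
DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::(?P<account>\d{12}):\S+) is not authorized to perform: "
    r"(?P<action>[a-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>.+?) because "
)

@dataclass
class DeniedCall:
    principal: str
    account: str
    action: str
    resource: str
    sensitive: bool  # True when the denied action is in ESCALATION_SENSITIVE

def parse_access_denied(line: str) -> Optional[DeniedCall]:
    """Return the structured denial, or None if the line is not an AccessDenied message."""
    m = DENIED_RE.search(line)
    if not m:
        return None
    return DeniedCall(m["principal"], m["account"], m["action"], m["resource"],
                      m["action"] in ESCALATION_SENSITIVE)

def triage(lines: List[str]) -> List[DeniedCall]:
    # Parse every line and keep only the real denials, in input order.
    return [d for d in map(parse_access_denied, lines) if d is not None]
```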
Actually, the problem here is that eksctl won’t work in our playground, since it requires a number of permissions that we don’t support. So you’ll need to create an EKS cluster by some other means. Please take a look at our tutorial from the CKA repo, and follow the instructions there carefully; you won’t need to do anything special with IAM to make it work.
But I am able to create an EKS cluster in AWS labs using the Terraform you gave me in another post, and thanks for that.
But my query here is that I need IAM for further practice on the EKS cluster which I create, and it’s not working due to IAM constraints, which has stopped my practice.
I do understand the problem, but due to needs to secure the labs from abuse, we can’t accommodate much access to IAM. In particular, we absolutely don’t allow privilege escalation in the labs.
Probably not, sadly. What’s your exact use case? We’d need to ask the engineer that sets up and secures the playground; he’d need to figure out if we can safely allow what you want to do.
There are many use cases, Rob, like:
CSI driver integration with EKS
AWS Secrets integration with EKS
Ingress load balancer and integration of AWS LB with EKS
Authentication/Authorization via IAM users/roles.
Also many others, like CI/CD, monitoring/logging and so on, which need an IAM service account, roles or an IAM user.
Please talk with your engineer and help on this; otherwise my practice would be stuck and there’s no use of EKS with other AWS services.
I don’t want a fully fledged user for it. All I’m looking for is a user which can provide me all the relevant AWS services usage for an EKS cluster, which we used to follow in any organisation.
Which of those require special IAM access? Gotta ask; we’d need to know what all needs to be turned on.
I know you want these things; it’s just that in general, if it’s readily possible to do with the tools AWS gives us to set up the playground, we’re already doing them. Often the things people want in addition can’t be provisioned without opening up a lot more than you think, or can’t be torn down readily or easily at the end of a 3 hour session. Or have pricing structures that don’t lend themselves to that. This limits what we can do, unfortunately.
I need IAM for almost all the services which I mentioned earlier… I don’t think cost would be the problem because it’s IAM only… and the services which I want to integrate with my AWS EKS clusters are already being provided in AWS labs… as I said… the main constraint here is the IAM limitation… due to which I’m unable to integrate different AWS services with my AWS EKS cluster… and it’s interrupting my practice.
Please try to help on this… or give me an alternative at least…
I’ll pass this to the engineer, which is what I can do for you. Based on previous discussions on the topic, I suspect that iam:AttachUserPolicy is itself problematic; there actually may NOT be a good work-around.
A bit of patience… I’ve gotten a partial response, but I’ll fill you in once they’ve had the opportunity to actually implement a piece of what was discussed. That will be around the middle of next week, I would expect.