Unable to create IAM user in AWS labs

Waiting for an update.

The playgrounds lock down IAM fairly tightly. The key principle is that you cannot get more access than what the kk user we create for the lab has. We do allow users with names that start with the string “iamuser-” if you really do need to create a specific user for some task. But again – they can have the same or less access than the base user, and not more.

So a created user whose name starts with “iamuser” can have at least the permissions equal to the kk_lab user, right?

And no more than that, yes.

How about the below error I’m getting using the below command:

Command:
eksctl utils associate-iam-oidc-provider \
  --region us-east-1 \
  --cluster demo-eks \
  --approve

Error:
2025-08-12 01:16:19 [ℹ] will create IAM Open ID Connect provider for cluster “demo-eks” in “us-east-1”
Error: creating OIDC provider: operation error IAM: CreateOpenIDConnectProvider, https response error StatusCode: 403, RequestID: f9d2e4ca-e1c7-40a0-83ae-c6e774a64e25, api error AccessDenied: User: arn:aws:iam::471112567703:user/kk_labs_user_165100 is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::471112567703:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/84A494F1F6557368ABE279A51BCF0F57 because no identity-based policy allows the iam:CreateOpenIDConnectProvider action

Also, I can’t attach policies to the created users.

iamuser-test1 user created with a few errors. See error description below.

Error:

  • Failed to add to user. User: arn:aws:iam::730335277320:user/kk_labs_user_520711 is not authorized to perform: iam:AttachUserPolicy on resource: user iamuser-test1 because no identity-based policy allows the iam:AttachUserPolicy action

Any way to resolve these queries?
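As an added example (not part of this thread, and not tooling from the lab provider), here is a small Python triage script for errors like the two above: it parses the AccessDenied text into principal, action and resource, then evaluates each denied action against a constructed identity policy to show which statement, if any, would have allowed it and whether the action is one of the well-known privilege-escalation primitives. The account ids, request ids and the policy itself are constructed illustrations of the “iamuser-” rule described in the thread, not the lab’s real values or policy.

```python
"""Triage AWS AccessDenied errors against an identity-based IAM policy.

Added example for this thread; not code from the original posts or the lab.
The policy below is a constructed stand-in for the "iamuser-" naming rule
the thread describes, not the lab's real policy.
"""
from __future__ import annotations

import fnmatch
import re
from dataclasses import dataclass

# Constructed messages following the shape of the errors quoted in the thread
# (account id and OIDC id replaced with placeholders).
SAMPLE_ERRORS = [
    "api error AccessDenied: User: arn:aws:iam::123456789012:user/kk_labs_user_000001 "
    "is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: "
    "arn:aws:iam::123456789012:oidc-provider/oidc.eks.us-east-1.amazonaws.com/id/EXAMPLE "
    "because no identity-based policy allows the iam:CreateOpenIDConnectProvider action",
    "Failed to add to user. User: arn:aws:iam::123456789012:user/kk_labs_user_000001 "
    "is not authorized to perform: iam:AttachUserPolicy on resource: user iamuser-test1 "
    "because no identity-based policy allows the iam:AttachUserPolicy action",
]

ACCESS_DENIED_RE = re.compile(
    r"User: (?P<principal>arn:aws:iam::\d{12}:\S+) is not authorized to perform: "
    r"(?P<action>[A-Za-z0-9-]+:[A-Za-z0-9]+) on resource: (?P<resource>.+?)"
    r"(?: because .*)?$"
)

# Actions that let an identity grant itself more access; a lab policy that
# allows any of these to a user is worth a second look.
ESCALATION_ACTIONS = {
    "iam:attachuserpolicy", "iam:putuserpolicy", "iam:createaccesskey",
    "iam:attachrolepolicy", "iam:createpolicyversion", "iam:updateassumerolepolicy",
}

CONSTRUCTED_LAB_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["eks:*", "ec2:*", "iam:Get*", "iam:List*"],
         "Resource": "*"},
        # Mirrors the thread's rule: users may only be created with an iamuser- prefix.
        {"Effect": "Allow", "Action": ["iam:CreateUser", "iam:DeleteUser", "iam:TagUser"],
         "Resource": "arn:aws:iam::*:user/iamuser-*"},
        # Explicitly deny the policy-attachment primitives as well.
        {"Effect": "Deny", "Action": ["iam:AttachUserPolicy", "iam:PutUserPolicy"],
         "Resource": "*"},
    ],
}


@dataclass(frozen=True)
class Denial:
    principal: str
    action: str
    resource: str


def parse_access_denied(message: str) -> Denial | None:
    """Extract principal, action and resource from an AccessDenied message."""
    m = ACCESS_DENIED_RE.search(message)
    return Denial(m["principal"], m["action"], m["resource"]) if m else None


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(pattern: str, value: str) -> bool:
    # IAM action names are case-insensitive and support '*' and '?' wildcards;
    # lower-casing the resource too is a simplification for this example.
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def evaluate(policy: dict, action: str, resource: str) -> str:
    """Return 'explicit_deny', 'allow' or 'implicit_deny' for one request.

    Simplified identity-policy evaluation: Deny beats Allow, and anything not
    matched by an Allow is implicitly denied. Conditions, NotAction/NotResource
    and other policy types are out of scope.
    """
    decision = "implicit_deny"
    for stmt in policy["Statement"]:
        if not any(_matches(a, action) for a in _as_list(stmt.get("Action", []))):
            continue
        if not any(_matches(r, resource) for r in _as_list(stmt.get("Resource", []))):
            continue
        if stmt["Effect"] == "Deny":
            return "explicit_deny"
        decision = "allow"
    return decision


def triage(messages, policy=CONSTRUCTED_LAB_POLICY):
    """Parse each message and report the decision the given policy would make."""
    report = []
    for msg in messages:
        d = parse_access_denied(msg)
        if d is None:
            continue
        report.append({
            "action": d.action,
            "resource": d.resource,
            "decision": evaluate(policy, d.action, d.resource),
            "escalation_primitive": d.action.lower() in ESCALATION_ACTIONS,
        })
    return report


if __name__ == "__main__":
    for row in triage(SAMPLE_ERRORS):
        print(row)
```

Running it shows the first error as an implicit deny (no statement grants iam:CreateOpenIDConnectProvider) and the second as an explicit deny on an escalation primitive, which is the distinction the quoted messages blur when they both say “no identity-based policy allows”.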

Hi team,

Still waiting for an update on this.

Actually, the problem here is that eksctl won’t work in our playground, since it requires a number of permissions that we don’t support. So you’ll need to create an EKS cluster by some other means. Please take a look at our tutorial from the CKA repo, and follow the instructions there carefully; you won’t need to do anything special with IAM to make it work.

But I am able to create an EKS cluster in AWS labs using the Terraform you gave me in another post, and thanks for that.

But here my query is that I need IAM for further practice on the EKS cluster I create, but it’s not working due to IAM constraints, and that has stopped my practice.

Hope you understand the problem now.

I do understand the problem, but due to needs to secure the labs from abuse, we can’t accommodate much access to IAM. In particular, we absolutely don’t allow privilege escalation in the labs.

So is there not any way to use IRSA/IAM service accounts for my EKS cluster?

Probably not, sadly. What’s your exact use case? We’d need to ask the engineer that sets up and secures the playground; he’d need to figure out if we can safely allow what you want to do.

There are many use cases, Rob, like:
CSI driver integration with EKS
AWS Secrets integration with EKS
Ingress load balancer and integration of AWS LB with EKS
Authentication/Authorization via IAM users/roles

Also many others, like for CI/CD, monitoring/logging and so on, which need an IAM service account, roles or an IAM user.

Please talk with your engineer and help on this; otherwise my practice would be stuck and there’s no use of EKS with other AWS services.

I don’t want a fully fledged user for it. All I’m looking for is a user which can provide usage of all the relevant AWS services for an EKS cluster, as we used to follow in any organisation.


Which of those require special IAM access? Gotta ask; we’d need to know what all needs to be turned on.

I know you want these things; it’s just that in general, if it’s readily possible to do with the tools AWS gives us to set up the playground, we’re already doing them. Often the things people want in addition can’t be provisioned without opening up a lot more than you think, or can’t be torn down readily or easily at the end of a 3 hour session. Or have pricing structures that don’t lend themselves to that. This limits what we can do, unfortunately.

I need IAM for almost all the services I mentioned earlier. I don’t think cost would be the problem, because it’s IAM only, and the services which I want to integrate with my AWS EKS clusters are already being provided in AWS labs. As I said, the main constraint here is the IAM limitation, due to which I’m unable to integrate different AWS services with my AWS EKS cluster, and it’s interrupting my practice.

Please try to help on this, or give me an alternative at least.

I’ll pass this to the engineer, which is what I can do for you. Based on previous discussions on the topic, I suspect that iam:AttachUserPolicy is itself problematic; there actually may NOT be a good work-around.

Then what would be the ideal solution for it so that I can resume my work on it?

Hi Rob/team,

Did you get any update from engineer ?

He assigned it to one of his engineers and I’ve documented what you wrote in our internal system. Up to them now.

So no update till now?

Hi Rob/team,

Still waiting for an update.