Error: getting availability zones when trying to create EKS cluster
I'm trying to create an EKS cluster but I keep getting the following error. I think it's an issue of permissions, roles, etc., but I have minimal experience with AWS stuff.
I found this thread but I have no idea how to implement all these things.
Any help is appreciated, thanks in advance.
$ eksctl create cluster
[ℹ] eksctl version 0.13.0
[ℹ] using region us-west-2
Error: getting availability zones: getting availability zones for us-west-2: UnauthorizedOperation: You are not authorized to perform this operation.
status code: 403, request id: 724b0c02-fb51-43b2-98ab-746a3d2e45a0
Solution 1:[1]
The error says UnauthorizedOperation which means you don't have sufficient permission to create the cluster.
Please make sure you have configured your awscli correctly and you have sufficient permissions.
Required permissions are documented at https://github.com/weaveworks/eksctl/blob/master/userdocs/src/usage/minimum-iam-policies.md
Be sure to use the 12-digit Account Id from Account Settings when replacing the placeholders.
This is how you change the permissions of an AWS user: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_change-permissions.html
Solution 2:[2]
I ran into this problem recently and was at a loss because I could successfully run
$ aws ec2 describe-availability-zones
The problem turned out to be an MFA requirement in IAM. Luckily an AWS support person assisted by pointing me to the AWS IAM Policy Simulator: https://policysim.aws.amazon.com/home/index.jsp
By selecting my user, EC2, and describe-availability-zones, the simulator showed the reason for the failure.
Solution 3:[3]
I have not been able to find the perfect solution, but for now you can provide your user with the AdministratorAccess policy and it works in IAM.
Solution 4:[4]
First make sure you're running the official AWS CLI (installation instructions). If you're running an older CLI version, consider upgrading before you continue.
Then create a new IAM user following the eksctl documented minimum IAM permissions.
With your new IAM user created, update the AWS CLI to use that user's access and secret key via aws configure --profile default. The next time you run the command you should see output like:
[ℹ] eksctl version 0.26.0
[ℹ] using region us-west-1
[ℹ] setting availability zones to [us-west-1a us-west-1c us-west-1c]
[ℹ] subnets for us-west-1a - public:192.168.0.0/19 private:192.168.96.0/19
[ℹ] subnets for us-west-1c - public:192.168.32.0/19 private:192.168.128.0/19
[ℹ] subnets for us-west-1c - public:192.168.64.0/19 private:192.168.160.0/19
Solution 5:[5]
I had the same issue despite having administrator access. I then realized that the issue was a deny policy that only restricted creation of resources in EU, so for US it kept throwing the error. After disabling the policy, the command ran successfully. So it might be worth checking if everything else fails.
Regards, Amdava MC.
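Solutions 2 and 5 both come down to an explicit Deny overriding an Allow, which is why AdministratorAccess alone did not help. The following is an added example, not code from the original answers or from eksctl: a simplified Python model of IAM's evaluation order. The policy documents, Sids and EU region list are constructed, and only three condition operators are modelled.

```python
# Added example: simplified IAM identity-policy evaluation over constructed policies.
# Resource matching, NotAction, SCPs and permission boundaries are not modelled.
from fnmatch import fnmatchcase

def _cond_ok(cond, ctx):
    """True when every condition test matches the request context (exact string compare)."""
    for op, tests in cond.items():
        if op not in ("StringEquals", "StringNotEquals", "BoolIfExists"):
            raise ValueError(f"operator not modelled: {op}")
        for key, want in tests.items():
            want = want if isinstance(want, list) else [want]
            have = ctx.get(key)
            hit = have in want  # an absent key (None) never hits
            if op == "StringEquals" and not hit:
                return False
            if op == "StringNotEquals" and hit:
                return False
            if op == "BoolIfExists" and have is not None and not hit:
                return False  # ...IfExists: an absent key satisfies the test
    return True

def evaluate(policies, action, ctx):
    """Return (decision, sid): explicit Deny wins, then Allow, else implicit deny."""
    allowed, allow_sid = False, None
    for pol in policies:
        for st in pol["Statement"]:
            acts = st["Action"] if isinstance(st["Action"], list) else [st["Action"]]
            if not any(fnmatchcase(action.lower(), a.lower()) for a in acts):
                continue
            if not _cond_ok(st.get("Condition", {}), ctx):
                continue
            if st["Effect"] == "Deny":
                return "explicitDeny", st.get("Sid")
            if not allowed:
                allowed, allow_sid = True, st.get("Sid")
    return ("allowed", allow_sid) if allowed else ("implicitDeny", None)

# Constructed policies: broad Allow, a region guardrail, and an MFA guardrail.
ADMIN = {"Statement": [{"Sid": "AdminAll", "Effect": "Allow", "Action": "*"}]}
EU_ONLY = {"Statement": [{"Sid": "DenyOutsideEU", "Effect": "Deny", "Action": "*",
    "Condition": {"StringNotEquals": {"aws:RequestedRegion": ["eu-west-1", "eu-central-1"]}}}]}
REQUIRE_MFA = {"Statement": [{"Sid": "DenyWithoutMFA", "Effect": "Deny", "Action": "*",
    "Condition": {"BoolIfExists": {"aws:MultiFactorAuthPresent": "false"}}}]}
ACTION = "ec2:DescribeAvailabilityZones"

if __name__ == "__main__":
    print(evaluate([ADMIN, EU_ONLY], ACTION, {"aws:RequestedRegion": "us-west-2"}))
    print(evaluate([ADMIN, REQUIRE_MFA], ACTION, {"aws:RequestedRegion": "us-west-2"}))
```

The returned decision names mirror the values the IAM Policy Simulator reports, so the Sid in an explicitDeny result points at the statement to review rather than at a missing Allow.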
Sources
This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.
Source: Stack Overflow
| Solution | Source |
|---|---|
| Solution 1 | vhs |
| Solution 2 | cschmack |
| Solution 3 | Kushagra Saxena |
| Solution 4 | |
| Solution 5 | Amdava |
