aws-cdk: [aws-eks] `ec2:DescribeVpcs` permission is missing when creating clusters
Today I’ve also gotten the same error but on the ec2:DescribeVpcs permission. This was not the case on Friday because I rolled out an EKS cluster with a CDK build done from the master branch. Adding the DescribeVpcs permission solved the problem, same as the PR in #8859
Seems like AWS is changing stuff on their end that requires more permissions?
_Originally posted by @jargelo in https://github.com/aws/aws-cdk/issues/8574#issuecomment-654241149_
About this issue
- State: closed
- Created 4 years ago
- Reactions: 7
- Comments: 20 (5 by maintainers)
Commits related to this issue
- fix(eks): cluster creation fails due to missing `ec2:DescribeVpcs` permission (#9029) Fixes https://github.com/aws/aws-cdk/issues/9027 ---- *By submitting this pull request, I confirm that my c... — committed to aws/aws-cdk by iliapolo 4 years ago
- fix(eks): cluster creation fails due to missing `ec2:DescribeVpcs` permission (#9029) Fixes https://github.com/aws/aws-cdk/issues/9027 ---- *By submitting this pull request, I confirm that my c... — committed to curtiseppel/aws-cdk by iliapolo 4 years ago
- fix(eks): Deployment fails for the first deployment in an account (#13103) Give our creation role the necessary `ec2` permissions to allow creating clusters on environments without an existing SLR. ... — committed to aws/aws-cdk by iliapolo 3 years ago
- fix(eks): Deployment fails for the first deployment in an account (#13103) Give our creation role the necessary `ec2` permissions to allow creating clusters on environments without an existing SLR. ... — committed to NovakGu/aws-cdk by iliapolo 3 years ago
- fix(eks): Deployment fails for the first deployment in an account (#13103) Give our creation role the necessary `ec2` permissions to allow creating clusters on environments without an existing SLR. ... — committed to aws/aws-cdk by iliapolo 3 years ago
- Bump CDK version to fix EKS issue https://github.com/aws/aws-cdk/issues/9027 — committed to rafaelpereyra/one-observability-demo by rapgaws 3 years ago
I’ve got the issue when deploying a CDK app from scratch (VPC and EKS as separate stacks). Deployment of the EKS stack failed with the same error. During redeploy it worked fine. I am using CDK 1.60.
I was able to reproduce this multiple times in a single account by manually deleting the AWSServiceRoleForAmazonEKSSLR before each deployment. In this scenario (which simulates a blank account), EKS will create the SLR upon first cluster deployment and use it for all subsequent deployments as well. However, seems like there might be an issue with this first deployment flow, which I am following up on internally. In the meantime, I can verify that the patch policy @rafaelpereyra suggested solves the issue, and I’ve created a PR to include it in the default policy of the creation role.
I got the same problem.
A deployment takes 30 minutes, so re-deploying isn’t a viable workaround for me.
Any other solutions?
Managed to reproduce this on a blank account as well, and also got the email that @PerArneng mentioned.
I believe the error is coming from a validation that EKS makes on the cluster role, and not necessarily from an operation that requires this action.
What happens is that the cluster role we pass gets created by default like so:
https://github.com/aws/aws-cdk/blob/8216738dc4a496a4114bad46b4a11bc1e205d8bc/packages/%40aws-cdk/aws-eks/lib/cluster.ts#L911-L916
This `AmazonEKSClusterPolicy` does contain the `ec2:DescribeVpcs` action, but I suspect that on a blank account, granting usage of a managed policy is what requires this additional validation. I’ll do some internal investigation to see what the best path forward is here.
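The two maintainer comments above describe the defect as a creation role whose inline policy lacks an `ec2` permission the EKS control plane checks for (`ec2:DescribeVpcs`), fixed by adding that action to the role's default policy. The following is an added example, not code from aws-cdk, that models a creation-role policy document as plain JSON and checks which required actions it fails to grant, honouring IAM wildcard patterns and explicit denies. The two sample policy documents, the role ARN and the list of required actions are constructed for this example; the thread only confirms that `ec2:DescribeVpcs` was the missing action, and resource-level matching is deliberately left out since `Describe*` calls are evaluated against `*`.

```typescript
// Added example (not aws-cdk code): a minimal IAM action-coverage checker
// for an EKS cluster creation role policy. Runs with plain Node/ts-node.

type Effect = "Allow" | "Deny";

interface Statement {
  Effect: Effect;
  Action: string | string[];
  Resource: string | string[];
}

interface PolicyDocument {
  Version: string;
  Statement: Statement[];
}

// Convert an IAM action pattern ("ec2:Describe*", "*", "s3:Get?bject") to a
// case-insensitive RegExp. Every regex metacharacter except * and ? is escaped.
function actionPatternToRegExp(pattern: string): RegExp {
  const escaped = pattern
    .replace(/[.+^${}()|[\]\\]/g, "\\$&")
    .replace(/\*/g, ".*")
    .replace(/\?/g, ".");
  return new RegExp(`^${escaped}$`, "i");
}

function toArray(v: string | string[]): string[] {
  return Array.isArray(v) ? v : [v];
}

// True when at least one Allow statement matches the action and no Deny does.
// Resource matching is omitted (assumption: the actions checked use Resource "*").
function isActionAllowed(doc: PolicyDocument, action: string): boolean {
  let allowed = false;
  for (const st of doc.Statement) {
    const matches = toArray(st.Action).some((p) => actionPatternToRegExp(p).test(action));
    if (!matches) continue;
    if (st.Effect === "Deny") return false; // an explicit deny always wins
    allowed = true;
  }
  return allowed;
}

// Return the subset of `required` actions the policy does not grant.
function missingActions(doc: PolicyDocument, required: string[]): string[] {
  return required.filter((a) => !isActionAllowed(doc, a));
}

// Constructed stand-in for the pre-fix creation-role policy: EKS actions and
// iam:PassRole only, no ec2 permissions (the failing first-deployment case).
// The account id and role name below are placeholders, not values from the thread.
const CREATION_ROLE_POLICY_BEFORE: PolicyDocument = {
  Version: "2012-10-17",
  Statement: [
    { Effect: "Allow", Action: ["eks:CreateCluster", "eks:DescribeCluster", "eks:DeleteCluster"], Resource: "*" },
    { Effect: "Allow", Action: "iam:PassRole", Resource: "arn:aws:iam::123456789012:role/example-eks-cluster-role" },
  ],
};

// Same policy with the patch the thread converged on: grant ec2:DescribeVpcs.
const CREATION_ROLE_POLICY_AFTER: PolicyDocument = {
  ...CREATION_ROLE_POLICY_BEFORE,
  Statement: [
    ...CREATION_ROLE_POLICY_BEFORE.Statement,
    { Effect: "Allow", Action: ["ec2:DescribeVpcs"], Resource: "*" },
  ],
};

// Actions this example treats as required for cluster creation (an assumption;
// the thread confirms only that ec2:DescribeVpcs is checked by EKS).
const REQUIRED_CREATE_ACTIONS = ["eks:CreateCluster", "ec2:DescribeVpcs"];

console.log("missing before fix:", missingActions(CREATION_ROLE_POLICY_BEFORE, REQUIRED_CREATE_ACTIONS));
console.log("missing after fix: ", missingActions(CREATION_ROLE_POLICY_AFTER, REQUIRED_CREATE_ACTIONS));
```

Running the checker against a synthesized template (for instance the creation role's policy pulled out of `cdk synth` output) before deploying to a fresh account is a cheap way to catch this class of regression, since the thread shows the error only surfaces when the account has no EKS service-linked role yet.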
I’ve got the same issue with CDK 1.67.0 . If you need a simple test project, just use this on GitHub.
You can see the log file in aws-cdk-issue-9027.log. I can confirm what @kossmoboleat said: if I run ‘cdk deploy’ just after this error, then the deploy is successful 😐
Thanks @eladb, I was about to raise a new issue for this since I wasn’t sure you had seen my comment.