Fix for AWS EKS “is not authorized to perform: iam:CreateServiceLinkedRole” #103

Closed
1 of 4 tasks
tonyxiao opened this issue Aug 23, 2018 · 5 comments


@tonyxiao

I'm submitting a...

  • bug report
  • feature request
  • support request
  • kudos, thank you, warm fuzzy

After deploying EKS via this TF module in a brand new AWS account, the internet-facing k8s service I created could not create a load balancer. Turns out it's because this is a brand new AWS account and no ELB has been created in it before and the AWS user guide (as well as this module) assumes that AWSServiceRoleForElasticLoadBalancing already exists.

https://stackoverflow.com/questions/51597410/aws-eks-is-not-authorized-to-perform-iamcreateservicelinkedrole

Recommend adding

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": "iam:CreateServiceLinkedRole",
                "Resource": "arn:aws:iam::*:role/aws-service-role/*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeAccountAttributes"
                ],
                "Resource": "*"
            }
        ]
    }

to the cluster role policy.
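An added example, not part of the original issue or the module's code: a small check that shows why the proposed statement grants more than the load balancer case needs, next to a constructed alternative limited to the Elastic Load Balancing service-linked role. The `SCOPED` policy and all function names are assumptions made for illustration.

```python
from fnmatch import fnmatchcase

# Policy as proposed in the issue above.
PROPOSED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/*"},
    {"Effect": "Allow", "Action": ["ec2:DescribeAccountAttributes"], "Resource": "*"},
]}

# Constructed alternative (assumption, not from the issue or the module):
# the same grant limited to the Elastic Load Balancing service-linked role.
ELB = "elasticloadbalancing.amazonaws.com"
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
     "Resource": "arn:aws:iam::*:role/aws-service-role/" + ELB
                 + "/AWSServiceRoleForElasticLoadBalancing*",
     "Condition": {"StringEquals": {"iam:AWSServiceName": ELB}}},
    {"Effect": "Allow", "Action": ["ec2:DescribeAccountAttributes"], "Resource": "*"},
]}

def as_list(value):
    """IAM allows a single string wherever a list is accepted."""
    return value if isinstance(value, list) else [value]

def service_names(stmt):
    """Values of iam:AWSServiceName under StringEquals/StringLike, if any."""
    names = []
    for operator, keys in stmt.get("Condition", {}).items():
        if operator.lower() in ("stringequals", "stringlike"):
            for key, value in keys.items():
                if key.lower() == "iam:awsservicename":
                    names += as_list(value)
    return names

def slr_findings(policy):
    """Flag Allow statements that let the principal create any service-linked role."""
    findings = []
    for i, stmt in enumerate(as_list(policy.get("Statement", []))):
        actions = [a.lower() for a in as_list(stmt.get("Action", []))]
        if stmt.get("Effect") != "Allow" or not any(
                fnmatchcase("iam:createservicelinkedrole", a) for a in actions):
            continue
        names = service_names(stmt)
        if not names or any("*" in n for n in names):
            findings.append(f"Statement[{i}]: iam:AWSServiceName is not pinned to one service")
        resources = as_list(stmt.get("Resource", []))
        if any(r == "*" or r.endswith("aws-service-role/*") for r in resources):
            findings.append(f"Statement[{i}]: Resource covers every service-linked role")
    return findings
```

Calling `slr_findings(PROPOSED)` reports both findings for the first statement, while `slr_findings(SCOPED)` returns an empty list.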

@max-rocket-internet
Contributor

Hi @tonyxiao, this is a known issue. Could you test the fix in the PR:
#91
If it works, I think we will merge that.

@tonyxiao
Author

awesome, will test it again tomorrow

@max-rocket-internet
Contributor

All sorted @tonyxiao ?

@max-rocket-internet
Contributor

I'm gonna close this as I assume it's resolved. Just let us know if not 🙂

@github-actions

github-actions bot commented Dec 5, 2022

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Dec 5, 2022