EKS doesn't create AWSServiceRoleForElasticLoadBalancing service-linked role #900

Closed
1 of 4 tasks
ivan-sukhomlyn opened this issue May 30, 2020 · 10 comments

@ivan-sukhomlyn
Contributor

ivan-sukhomlyn commented May 30, 2020

I have issues

An EKS cluster can't create AWSServiceRoleForElasticLoadBalancing in a new AWS account because the ec2:DescribeAccountAttributes action isn't included in the AmazonEKSClusterPolicy IAM policy that is attached to the IAM role for the EKS cluster.

I'm submitting a...

  • bug report
  • feature request
  • support request - read the FAQ first!
  • kudos, thank you, warm fuzzy

What is the current behavior?

It happens when a K8S service of type LoadBalancer is created for the first time.
I've tested it in 2 AWS accounts.

Kubernetes events:

Error syncing load balancer: failed to ensure load balancer: error creating load balancer: 
AccessDenied: User: arn:aws:sts::{{ some_AWS_account }}:assumed-role/{{ EKS_cluster_name }}20200526154556166200000001/1590515610048765945 
is not authorized to perform: ec2:DescribeAccountAttributes\n\tstatus code: 403, request id: ce38bbbf-f805-41c0-847f-8185f3436894"

What's the expected behavior?

The best way is to have the action added to the AWS managed policy for EKS.

But it would be nice to add a custom IAM policy to the EKS cluster IAM role that includes the ec2:DescribeAccountAttributes action, to fix this issue before the AWS policy is updated.

Are you able to fix this problem and submit a PR? Link here if you have already.

Environment details

  • Affected module version: 12.0.0
  • EKS: 1.16
  • Terraform version: 0.12.25

Any other relevant info

One of the previous PRs regarding the service-linked role for ELB - #160
AWS docs - link

@dpiddockcmp
Contributor

I haven't been able to reproduce this. I tried deleting the service linked role in a test account and a cluster was able to recreate it before creating a load balancer.

Are you using a permissions boundary that does not grant iam:CreateServiceLinkedRole to the eks role? AWS service linked roles docs. Or something else in your account that limits IAM permissions for the cluster role?

@ivan-sukhomlyn
Contributor Author

ivan-sukhomlyn commented May 31, 2020

Hi @dpiddockcmp
Thanks for your reply.
No, I'm not using a permissions boundary. I deployed a cluster with the default parameter for the cluster IAM role (manage_cluster_iam_resources=true) in the Terraform module.

I faced the same issue with the creation of a service-linked role for ELB with EKS in a newly created account as mentioned in one of the previous issues - #183 (comment).

The root cause is that the AWS managed AmazonEKSClusterPolicy doesn't contain the permissions required for ELB service-linked role creation, even though it allows the creation of this role:

        {
            "Effect": "Allow",
            "Action": "iam:CreateServiceLinkedRole",
            "Resource": "*",
            "Condition": {
                "StringLike": {
                    "iam:AWSServiceName": "elasticloadbalancing.amazonaws.com"
                }
            }
        }

@max-rocket-internet @dpiddockcmp Can we add some additional policy to the managed EKS cluster's IAM role by default? What do you think about it?

ivan-sukhomlyn added a commit to ivan-sukhomlyn/terraform-aws-eks that referenced this issue May 31, 2020
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary
permissions to create ELB service-linked role required during
LB creation on AWS with K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
ivan-sukhomlyn added a commit to ivan-sukhomlyn/terraform-aws-eks that referenced this issue May 31, 2020
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary
permissions to create ELB service-linked role required during
LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@dpiddockcmp
Contributor

I'm still not convinced that the call to DescribeAccountAttributes is the source of your issue.

In a test account I removed the service role: aws iam delete-service-linked-role --role-name AWSServiceRoleForElasticLoadBalancing

And then asked EKS to create a classic ELB: kubectl create service loadbalancer test --tcp=80:8080

Waited 15 minutes 🙄 and then looked at the full API hits in CloudTrail:

:20:30 eks: AssumeRole eks cluster role - ok
:20:30 eks: DescribeRouteTables - ok
:20:30 eks: DescribeSubnets - ok
:20:30 eks: CreateSecurityGroup - ok
:20:30 eks: DescribeSecurityGroups - ok
:20:30 eks: DescribeInstances - ok
:20:31 eks: CreateLoadBalancer - AccessDenied
:20:31 eks: CreateServiceLinkedRole - ok
:20:31 eks: DescribeSecurityGroups - ok
:20:31 eks: AuthorizeSecurityGroupIngress - ok
:20:31 eks: DescribeAccountAttributes - Client.UnauthorizedOperation
:20:31 eks: DescribeLoadBalancers - AccessPointNotFoundException
:20:31 eks: CreateTags [sg] - ok
:20:36 eks: DescribeRouteTables - ok
:20:36 eks: DescribeSubnets - ok
:20:36 eks: DescribeSecurityGroups - ok
:20:37 eks: DescribeSecurityGroups - ok
:20:37 eks: DescribeAccountAttributes - Client.UnauthorizedOperation
:20:37 eks: DescribeLoadBalancers - AccessPointNotFoundException
:20:37 eks: CreateLoadBalancer - AccessDenied
:20:37 eks: CreateServiceLinkedRole - InvalidInputException
:20:47 ELB: AssumeRole AWSServiceRoleForElasticLoadBalancing - ok
:30:47 ELB: DescribeAccountAttributes - ok
:20:47 eks: DescribeSecurityGroups - ok
:20:47 eks: DescribeSubnets - ok
:20:47 eks: DescribeRouteTables: ok
:20:47 eks: DescribeLoadBalancers: AccessPointNotFoundException
:20:47 eks: DescribeSecurityGroups: ok
:20:47 eks: DescribeVpcs: ok
:20:47 eks: DescribeInternetGateways: Client.UnauthorizedOperation
:20:47 eks: DescribeSubnets: ok
:20:47 eks: DescribeAccountAttributes: Client.UnauthorizedOperation
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: DescribeLoadBalancers: ok
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: CreateLoadBalancer: ok
:20:48 ELB: DescribeInternetGateways: ok
:20:48 eks: ConfigureHealthCheck: ok
:20:48 eks: DescribeLoadBalancerAttributes: ok
:20:48 eks: DescribeSecurityGroups: ok
:20:48 eks: ModifyLoadBalancerAttributes: ok
:20:54 ELB: CreateNetworkInterface: ok

There are multiple failed calls to DescribeAccountAttributes but it does not block the CreateServiceLinkedRole. The ELB service eventually gets the call to work via its service role.

The kube-controller-manager log shows a similar time line:

  • Starts creating the resources for the ELB at :20:30. And at :20:31 errors with the failed call to ec2:DescribeAccountAttributes. We see above that the call to CreateLoadBalancer has also failed but the creation of the service account has been successfully started.
  • Tries going through the flow again at :20:36 and fails with the same error. CreateLoadBalancer also fails. Service account isn't ready yet?
  • Tries again at :20:47 and succeeds this time. The call to DescribeAccountAttributes was done via the service role.
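
Added example, not part of the thread or the module's code: the CloudTrail review described in the comment above, automated in Python over CloudTrail-style records. It separates denials that persist for the cluster role from denials that clear on a retry; the role name, timestamps and records are constructed (condensed from the timeline above), and the mapping from eventSource to IAM action prefix is an assumption.

```python
import json

# CloudTrail errorCode values that mean "not authorized" (both appear in the timeline above).
DENIED_CODES = ("AccessDenied", "Client.UnauthorizedOperation")

CLUSTER_ROLE = "example-eks-cluster-role"           # hypothetical role name
ELB_SLR = "AWSServiceRoleForElasticLoadBalancing"   # service-linked role from the thread


def role_of(event):
    """Return the IAM role name behind an assumed-role session, or None."""
    ident = event.get("userIdentity", {})
    if ident.get("type") != "AssumedRole":
        return None
    return ident.get("sessionContext", {}).get("sessionIssuer", {}).get("userName")


def action_of(event):
    # Assumption: the IAM action prefix is the first label of eventSource.
    # That holds for ec2, iam and elasticloadbalancing, not for every service.
    return f'{event["eventSource"].split(".")[0]}:{event["eventName"]}'


def classify_denials(events, role_name):
    """Split one role's denied actions into (persistent, transient).

    persistent: denied and never seen succeeding for this role.
    transient:  denied at least once but also seen succeeding, so a policy
                change is not what unblocked it.
    Errors that are not authorization failures (InvalidInputException,
    AccessPointNotFoundException, ...) count as neither.
    """
    denied, allowed = set(), set()
    for event in events:
        if role_of(event) != role_name:
            continue
        code = event.get("errorCode")
        if code is None:
            allowed.add(action_of(event))
        elif code in DENIED_CODES:
            denied.add(action_of(event))
    return sorted(denied - allowed), sorted(denied & allowed)


def policy_for(actions):
    """Build an IAM policy document granting only the given actions."""
    # Resource "*" because EC2 Describe* actions do not support resource-level permissions.
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow", "Action": list(actions), "Resource": "*"}]}


def ev(time, role, source, name, error=None):
    """Construct a minimal CloudTrail-style record (sample data only)."""
    rec = {"eventTime": time, "eventSource": source, "eventName": name,
           "userIdentity": {"type": "AssumedRole",
                            "sessionContext": {"sessionIssuer": {"userName": role}}}}
    if error:
        rec["errorCode"] = error
    return rec


EC2, ELB, IAM = "ec2.amazonaws.com", "elasticloadbalancing.amazonaws.com", "iam.amazonaws.com"
SAMPLE_EVENTS = [  # constructed, condensed from the timeline in the comment above
    ev("2020-06-01T00:20:30Z", CLUSTER_ROLE, EC2, "DescribeSubnets"),
    ev("2020-06-01T00:20:31Z", CLUSTER_ROLE, ELB, "CreateLoadBalancer", "AccessDenied"),
    ev("2020-06-01T00:20:31Z", CLUSTER_ROLE, IAM, "CreateServiceLinkedRole"),
    ev("2020-06-01T00:20:31Z", CLUSTER_ROLE, EC2, "DescribeAccountAttributes", "Client.UnauthorizedOperation"),
    ev("2020-06-01T00:20:31Z", CLUSTER_ROLE, ELB, "DescribeLoadBalancers", "AccessPointNotFoundException"),
    ev("2020-06-01T00:20:37Z", CLUSTER_ROLE, ELB, "CreateLoadBalancer", "AccessDenied"),
    ev("2020-06-01T00:20:37Z", CLUSTER_ROLE, IAM, "CreateServiceLinkedRole", "InvalidInputException"),
    ev("2020-06-01T00:20:47Z", ELB_SLR, EC2, "DescribeAccountAttributes"),
    ev("2020-06-01T00:20:47Z", CLUSTER_ROLE, EC2, "DescribeInternetGateways", "Client.UnauthorizedOperation"),
    ev("2020-06-01T00:20:47Z", CLUSTER_ROLE, EC2, "DescribeAccountAttributes", "Client.UnauthorizedOperation"),
    ev("2020-06-01T00:20:48Z", CLUSTER_ROLE, ELB, "CreateLoadBalancer"),
    ev("2020-06-01T00:20:48Z", ELB_SLR, EC2, "DescribeInternetGateways"),
]

if __name__ == "__main__":
    persistent, transient = classify_denials(SAMPLE_EVENTS, CLUSTER_ROLE)
    print("cleared on retry:", transient)
    print(json.dumps(policy_for(persistent), indent=2))
```

On the sample, CreateLoadBalancer is reported as cleared on retry, and the only persistent denials for the cluster role are ec2:DescribeAccountAttributes and ec2:DescribeInternetGateways, the two actions named later in this thread.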

@ivan-sukhomlyn
Contributor Author

@dpiddockcmp Thank you a lot for such deep research into this issue.
I've created the EKS cluster in a new AWS account with the default EKS cluster role using the Terraform module. Unfortunately, the ELB service-linked role wasn't created within 1h after a LoadBalancer service was defined, with the errors described above.
After that, I attached the EC2ReadOnly policy to the cluster role. Then the service-linked role and LB were successfully created.

Anyway, I'm going to bootstrap one more AWS account soon with the same config. I will check it again and get back to you.

@dpiddockcmp
Contributor

Maybe it would be interesting to look through the CloudTrail logs and see what's failing.

@ivan-sukhomlyn
Contributor Author

ivan-sukhomlyn commented Jun 9, 2020

Hi @dpiddockcmp
I've tried once again and waited ~1h for the ELB service-linked role to be created.
Unfortunately, the result was the same as described in the issue.

EKS cluster can't create an ELB service-linked IAM role on a new AWS account.

» kubectl get events -n kube-system
LAST SEEN   TYPE      REASON                   OBJECT                             MESSAGE
8s          Normal    EnsuringLoadBalancer     service/nginx-ingress-controller   Ensuring load balancer
55m         Warning   SyncLoadBalancerFailed   service/nginx-ingress-controller   (combined from similar events): Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::{{ new_account_id }}:assumed-role/{{ some-eks-cluster-role-}}20200609182020032300000001/1591727789516159494 is not authorized to perform: ec2:DescribeAccountAttributes\n\tstatus code: 403, request id: 0230f760-c5fd-4a8e-85e1-2ef93be4dfe7"

After that, I added an inline IAM policy with the ec2:DescribeAccountAttributes permission to the EKS cluster IAM role.

The result was the same (ec2:DescribeInternetGateways permissions are required) as mentioned here #902 (comment)

» kubectl get events

21s         Warning   SyncLoadBalancerFailed   service/nginx-ingress-controller                     Error syncing load balancer: failed to ensure load balancer: error creating load balancer: "AccessDenied: User: arn:aws:sts::{{ new_account_id }}:assumed-role/{{ some-eks-cluster-role-}}20200609182020032300000001/1591727789516159494 is not authorized to perform: ec2:DescribeInternetGateways\n\tstatus code: 403, request id: c91a3082-6ce8-4d62-8a9b-e2588afd3121"

And only when the mentioned permissions were attached to the IAM role was the EKS cluster able to create a service-linked IAM role and load balancer for the Kubernetes service.

CloudTrail events:


ivan-sukhomlyn added a commit to ivan-sukhomlyn/terraform-aws-eks that referenced this issue Jun 9, 2020
AmazonEKSClusterPolicy IAM policy doesn't contain all necessary
permissions to create ELB service-linked role required during
LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
@ivan-sukhomlyn
Contributor Author

Could you please take a look at the PR #902?
It was helpful in my case.

Also, I can say, based on the previous issues and actual comments on the PR, this case is not specific only to me.

@geota

geota commented Jun 26, 2020

I hit this on two new clusters today. Confirmed adding the permissions manually fixed my issue.

dpiddockcmp pushed a commit that referenced this issue Jun 28, 2020
…ster (#902)

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

#900
#183 (comment)
@dpiddockcmp
Contributor

Fixed in #902

barryib pushed a commit to Polyconseil/terraform-aws-eks that referenced this issue Oct 25, 2020
…ster (terraform-aws-modules#902)

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

terraform-aws-modules#900
terraform-aws-modules#183 (comment)
baibailiha added a commit to baibailiha/terraform-aws-eks that referenced this issue Sep 13, 2022
…ster (#902)

AmazonEKSClusterPolicy IAM policy doesn't contain all necessary permissions to create ELB service-linked role required during LB provisioning at AWS by K8S Service.

terraform-aws-modules/terraform-aws-eks#900
terraform-aws-modules/terraform-aws-eks#183 (comment)
@github-actions

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Nov 25, 2022