Invalid IAM JSON policy in EKS Terraform Quickstart Docs
Problem to solve
The custom policy defined here for the documented working example of setting up an EKS cluster via Terraform does not work. The docs could also give more complete step-by-step guidance on how to navigate to the JSON policy editor and how to attach the policy to an existing AWS IAM user or role.
Further details
Proposal
Remove the inline comments from the recommended policy, as verified with jsonlint.com (the copy below also adds the commas missing after `iam:DeleteRole` and `iam:PutRolePolicy`, without which the document is not valid JSON):

```json
{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": [
      "ec2:*",
      "eks:*",
      "elasticloadbalancing:*",
      "autoscaling:*",
      "cloudwatch:*",
      "logs:*",
      "kms:DescribeKey",
      "iam:AddRoleToInstanceProfile",
      "iam:AttachRolePolicy",
      "iam:CreateInstanceProfile",
      "iam:CreateRole",
      "iam:CreateServiceLinkedRole",
      "iam:GetRole",
      "iam:ListAttachedRolePolicies",
      "iam:ListRolePolicies",
      "iam:ListRoles",
      "iam:PassRole",
      "iam:DetachRolePolicy",
      "iam:ListInstanceProfilesForRole",
      "iam:DeleteRole",
      "iam:PutRolePolicy",
      "iam:GetRolePolicy"
    ],
    "Resource": "*"
  }]
}
```
See:
https://gitlab.com/gitlab-partner-demos/gitlab-terraform-eks/-/jobs/4562908885
╷
│ Error: reading inline policies for IAM role gitlab-terraform-eks-cluster-20230629021744412000000001, error: AccessDenied: User: arn:aws:iam::778223762522:user/gitlab-terraform-eks is not authorized to perform: iam:GetRolePolicy on resource: role gitlab-terraform-eks-cluster-20230629021744412000000001 because no identity-based policy allows the iam:GetRolePolicy action
│ status code: 403, request id: 3f43c0d1-f048-4900-a36a-7775443a3a07
│
│ with module.eks.aws_iam_role.this[0],
│ on .terraform/modules/eks/main.tf line 285, in resource "aws_iam_role" "this":
│ 285: resource "aws_iam_role" "this" {
│
╵
https://gitlab.com/gitlab-partner-demos/gitlab-terraform-eks/-/jobs/4561489049
│ Error: creating IAM Role (gitlab-terraform-eks-cluster-20230629020303840800000001): 1 error occurred:
│ * adding inline policy (gitlab-terraform-eks-cluster): AccessDenied: User: arn:aws:iam::778223762522:user/gitlab-terraform-eks is not authorized to perform: iam:PutRolePolicy on resource: role gitlab-terraform-eks-cluster-20230629020303840800000001 because no identity-based policy allows the iam:PutRolePolicy action
│ Error: creating KMS Alias (alias/eks/gitlab-terraform-eks): AccessDeniedException: User: arn:aws:iam::778223762522:user/gitlab-terraform-eks is not authorized to perform: kms:CreateAlias on resource: arn:aws:kms:us-east-2:778223762522:alias/eks/gitlab-terraform-eks because no identity-based policy allows the kms:CreateAlias action
│ status code: 400, request id: 8aba080a-7309-4d27-8763-c3643198e40f
│
│ with module.eks.module.kms.aws_kms_alias.this["cluster"],
│ on .terraform/modules/eks.kms/main.tf line 255, in resource "aws_kms_alias" "this":
│ 255: resource "aws_kms_alias" "this" {
│
╵
╷
│ Error: creating IAM OIDC Provider: AccessDenied: User: arn:aws:iam::778223762522:user/gitlab-terraform-eks is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::778223762522:oidc-provider/oidc.eks.us-east-2.amazonaws.com because no identity-based policy allows the iam:CreateOpenIDConnectProvider action
│ status code: 403, request id: 37215835-3570-48db-95e3-9510ccba24ae
│
│ with module.eks.aws_iam_openid_connect_provider.oidc_provider[0],
│ on .terraform/modules/eks/main.tf line 230, in resource "aws_iam_openid_connect_provider" "oidc_provider":
│ 230: resource "aws_iam_openid_connect_provider" "oidc_provider" {
│
╵
╷
│ Error: creating IAM Policy (gitlab-terraform-eks-cluster-ClusterEncryption20230630031157557900000001): AccessDenied: User: arn:aws:iam::778223762522:user/gitlab-terraform-eks is not authorized to perform: iam:CreatePolicy on resource: policy gitlab-terraform-eks-cluster-ClusterEncryption20230630031157557900000001 because no identity-based policy allows the iam:CreatePolicy action
│ status code: 403, request id: 94e2560a-5f6c-467f-a352-487056b37b55
│
│ with module.eks.aws_iam_policy.cluster_encryption[0],
│ on .terraform/modules/eks/main.tf line 350, in resource "aws_iam_policy" "cluster_encryption":
│ 350: resource "aws_iam_policy" "cluster_encryption" {
│
╵
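Added example (not code from this issue, the Quickstart docs or the GitLab project): a small Python check that strictly parses the proposed policy as JSON, extracts every `not authorized to perform: <action>` from Terraform output like the job logs above, and lists the denied actions that no Allow pattern in the policy covers. The policy and log excerpt are embedded as constructed copies, with a placeholder account id in the log.

```python
import json
import re
from fnmatch import fnmatchcase

# Constructed copy of the proposed policy from this issue, with the missing commas added.
POLICY_JSON = """{
  "Version": "2012-10-17",
  "Statement": [{
    "Sid": "VisualEditor0",
    "Effect": "Allow",
    "Action": ["ec2:*", "eks:*", "elasticloadbalancing:*", "autoscaling:*", "cloudwatch:*",
               "logs:*", "kms:DescribeKey", "iam:AddRoleToInstanceProfile", "iam:AttachRolePolicy",
               "iam:CreateInstanceProfile", "iam:CreateRole", "iam:CreateServiceLinkedRole",
               "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:ListRolePolicies", "iam:ListRoles",
               "iam:PassRole", "iam:DetachRolePolicy", "iam:ListInstanceProfilesForRole",
               "iam:DeleteRole", "iam:PutRolePolicy", "iam:GetRolePolicy"],
    "Resource": "*"
  }]
}"""

# Constructed excerpt of the Terraform AccessDenied output above; the account id is a placeholder.
SAMPLE_LOG = """
│ Error: reading inline policies for IAM role x: AccessDenied: User: arn:aws:iam::123456789012:user/ci is not authorized to perform: iam:GetRolePolicy on resource: role x because no identity-based policy allows the iam:GetRolePolicy action
│ Error: creating KMS Alias (alias/eks/x): AccessDeniedException: User: arn:aws:iam::123456789012:user/ci is not authorized to perform: kms:CreateAlias on resource: arn:aws:kms:us-east-2:123456789012:alias/eks/x because no identity-based policy allows the kms:CreateAlias action
│ Error: creating IAM OIDC Provider: AccessDenied: User: arn:aws:iam::123456789012:user/ci is not authorized to perform: iam:CreateOpenIDConnectProvider on resource: arn:aws:iam::123456789012:oidc-provider/x because no identity-based policy allows the iam:CreateOpenIDConnectProvider action
│ Error: creating IAM Policy (x): AccessDenied: User: arn:aws:iam::123456789012:user/ci is not authorized to perform: iam:CreatePolicy on resource: policy x because no identity-based policy allows the iam:CreatePolicy action
"""

# Every denial names the action once, right after "not authorized to perform:".
DENIED_RE = re.compile(r"not authorized to perform: ([A-Za-z0-9-]+:[A-Za-z0-9*]+)")

def allowed_actions(policy_json: str) -> list[str]:
    """Action patterns from every Allow statement; json.loads rejects the uncorrected (comma-less) policy."""
    doc = json.loads(policy_json)
    patterns = []
    for stmt in doc["Statement"]:
        if stmt.get("Effect") == "Allow":
            actions = stmt.get("Action", [])
            patterns.extend([actions] if isinstance(actions, str) else actions)
    return patterns

def denied_actions(log_text: str) -> list[str]:
    """Unique actions reported as denied, in first-seen order."""
    return list(dict.fromkeys(DENIED_RE.findall(log_text)))

def missing_actions(policy_json: str, log_text: str) -> list[str]:
    """Denied actions that no Allow pattern covers (IAM action matching is case-insensitive)."""
    patterns = [p.lower() for p in allowed_actions(policy_json)]
    return sorted(a for a in denied_actions(log_text)
                  if not any(fnmatchcase(a.lower(), p) for p in patterns))
```

Run against the embedded sample it reports `iam:CreateOpenIDConnectProvider`, `iam:CreatePolicy` and `kms:CreateAlias` as still uncovered, while `iam:GetRolePolicy` is satisfied once the comma fix makes the policy parse.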