ファーゲートプロファイルの作成に失敗しました
Amazon eksでfargateプロファイルを作成しようとすると(コマンドeksctl create cluster --name myclustername --version 1.14 --fargateを使用)、
[✔] all EKS cluster resources for "myclustername" have been created
[✔] saved kubeconfig as "/home/connor/.kube/config"
[ℹ] creating Fargate profile "fp-default" on EKS cluster "myclustername"
Error: failed to create Fargate profile "fp-default" on EKS cluster "myclustername": failed to create Fargate profile "fp-default": AccessDeniedException: Account 339969016160 is not authorized to use this service
status code: 403, request id: 1db7cf38-002e-48b8-8fa6-8a7b7eab324d
これを回避するために追加する必要がある権限に関するアイデアはありますか?すべての管理は、可能な限りCLIを使用して行います
これをデバッグする最良の方法は、クラスターのCloudformationイベントログで原因となるエラーを探すことです。問題の原因と、リージョンが過負荷になっているのか、IDであるのかが、権限/ IAM関連の問題であることがわかります。
--verbose 5をeksctlコマンドに追加して、コンソールでより適切な出力を表示することもできます。
それがアクセス許可に関連し、リージョン容量エラーではない場合、使用しているAWSユーザー/プロファイルに少なくとも以下のアクセス許可があることを確認してください。
# Cloud Formation
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "eksCtlCloudFormation",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
}
]
}
# EKS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
}
]
}
#Autoscaling
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations"
],
"Resource": "*"
}
]
}
#IAM
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
"arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
]
}
]
}
#Networking
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EksInternetGateway",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Sid": "EksNetworking",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:AttachInternetGateway",
"ec2:DescribeVpcAttribute",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:ModifyVpcAttribute",
"ec2:DeleteInternetGateway",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DisassociateRouteTable",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"ec2:CreateSubnet",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}