Problem description
I created an EKS cluster in AWS and I want to create a Node group (worker nodes) for the corresponding created cluster, but I am getting the error "Failed to create service linked role: AWSServiceRoleForAmazonEKSNodegroup due to missing permissions for 'iam:CreateServiceLinkedRole". Please help.
I'm following the instructions present in the AWS documentation (https://docs.aws.amazon.com/eks/latest/userguide/getting-started-console.html)
Recommended answer
You can refer to the eksctl documentation page: https://eksctl.io/usage/minimum-iam-policies/
That page shows all policies that need to be assigned to an AWS user in order to manage a Kubernetes cluster in AWS, but read my entire answer before continuing.
Important
Create EksAllAccess and IamLimitedAccess, remembering to replace <account_id> with your AWS account id.
Policies named AmazonEC2FullAccess and AWSCloudFormationFullAccess already exist in AWS. DO NOT USE the built-in policies. Create your own (you can use the same name).
The AmazonEC2FullAccess policy differs a little bit from the built-in version. Moreover, the version on the above-mentioned page is still missing one entry: "eks-nodegroup.amazonaws.com".
The last part of the AmazonEC2FullAccess policy definition should go like this:
{
    "Effect": "Allow",
    "Action": "iam:CreateServiceLinkedRole",
    "Resource": "*",
    "Condition": {
        "StringEquals": {
            "iam:AWSServiceName": [
                "autoscaling.amazonaws.com",
                "ec2scheduled.amazonaws.com",
                "elasticloadbalancing.amazonaws.com",
                "eks.amazonaws.com",
                "eks-fargate-pods.amazonaws.com",
                "eks-nodegroup.amazonaws.com",
                "spot.amazonaws.com",
                "spotfleet.amazonaws.com",
                "transitgateway.amazonaws.com"
            ]
        }
    }
}
You can refer to the AWS documentation for more details: https://docs.aws.amazon.com/eks/latest/userguide/using-service-linked-roles-eks-nodegroups.html
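Before attaching a hand-written AmazonEC2FullAccess policy, it is worth checking that its iam:CreateServiceLinkedRole statement really lists eks-nodegroup.amazonaws.com and nothing broader than intended. The following Python script is an added example, not code from the answer, eksctl or AWS: it walks a policy document, collects the iam:AWSServiceName values under which iam:CreateServiceLinkedRole is allowed, and reports which of the nine service principals from the statement above are missing. The three policy documents at the bottom are constructed sample input (one missing the node group entry, one complete, and one with an unconditional iam:* that the check flags as "*"); explicit Deny statements are deliberately not evaluated, which is a simplifying assumption of the example.

```python
import fnmatch

REQUIRED_ACTION = "iam:CreateServiceLinkedRole"
NODEGROUP_SERVICE = "eks-nodegroup.amazonaws.com"

# Service principals listed in the corrected AmazonEC2FullAccess statement above.
EXPECTED_SERVICES = frozenset({
    "autoscaling.amazonaws.com",
    "ec2scheduled.amazonaws.com",
    "elasticloadbalancing.amazonaws.com",
    "eks.amazonaws.com",
    "eks-fargate-pods.amazonaws.com",
    "eks-nodegroup.amazonaws.com",
    "spot.amazonaws.com",
    "spotfleet.amazonaws.com",
    "transitgateway.amazonaws.com",
})


def _as_list(value):
    """IAM accepts either a scalar or a list in Statement, Action and condition values."""
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def _action_matches(pattern, wanted):
    """Case-insensitive IAM action match honouring '*' wildcards (e.g. 'iam:*')."""
    return fnmatch.fnmatchcase(wanted.lower(), pattern.lower())


def allowed_service_names(policy):
    """Return the iam:AWSServiceName values for which the policy allows
    REQUIRED_ACTION. An Allow without an iam:AWSServiceName condition is
    unconditional and is reported as '*'. Deny statements are not evaluated
    (simplifying assumption of this example)."""
    names = set()
    for stmt in _as_list(policy.get("Statement")):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        if not any(_action_matches(a, REQUIRED_ACTION) for a in actions):
            continue
        services = []
        for operator, block in stmt.get("Condition", {}).items():
            if operator not in ("StringEquals", "StringEqualsIgnoreCase"):
                continue
            for key, value in block.items():
                if key.lower() == "iam:awsservicename":
                    services.extend(_as_list(value))
        names.update(services if services else ["*"])
    return names


def permits_nodegroup_slr(policy):
    """True when the policy can create AWSServiceRoleForAmazonEKSNodegroup."""
    names = allowed_service_names(policy)
    return "*" in names or NODEGROUP_SERVICE in names


def missing_service_names(policy, expected=EXPECTED_SERVICES):
    """Expected service principals that the policy does not cover."""
    names = allowed_service_names(policy)
    if "*" in names:
        return set()
    return set(expected) - names


def _slr_statement(service_names):
    """Build the statement shape from the answer with a constructed service list."""
    return {
        "Effect": "Allow",
        "Action": REQUIRED_ACTION,
        "Resource": "*",
        "Condition": {"StringEquals": {"iam:AWSServiceName": list(service_names)}},
    }


# Constructed sample policies (not AWS's real managed policies).
POLICY_MISSING_NODEGROUP = {
    "Version": "2012-10-17",
    "Statement": [_slr_statement(sorted(EXPECTED_SERVICES - {NODEGROUP_SERVICE}))],
}
POLICY_FIXED = {
    "Version": "2012-10-17",
    "Statement": [_slr_statement(sorted(EXPECTED_SERVICES))],
}
# Over-broad variant: no service-name condition, so any service-linked role is allowed.
POLICY_UNCONDITIONAL = {
    "Version": "2012-10-17",
    "Statement": {"Effect": "Allow", "Action": ["iam:*"], "Resource": "*"},
}

if __name__ == "__main__":
    for label, doc in (("missing", POLICY_MISSING_NODEGROUP), ("fixed", POLICY_FIXED),
                       ("unconditional", POLICY_UNCONDITIONAL)):
        print(f"{label}: nodegroup SLR allowed={permits_nodegroup_slr(doc)} "
              f"missing={sorted(missing_service_names(doc))}")
```

Run it against your own policy by loading the JSON you are about to attach into a dict and passing it to permits_nodegroup_slr and missing_service_names; a result of "*" from allowed_service_names means the statement grants iam:CreateServiceLinkedRole for every service, which is more than the node group needs.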