[Bug]: Lack of permission to create KMS Alias using Terraform #1177

Open
zidenis opened this issue Nov 6, 2024 · 0 comments
Labels
bug Something isn't working

Comments


zidenis commented Nov 6, 2024

Installation method

Own AWS account

What happened?

When following the workshop guide to setup the environment with Terraform, the following error occurs:

Error: creating KMS Alias (alias/eks/eks-workshop): operation error KMS: CreateAlias, https response error StatusCode: 400, RequestID: 94f3be89-368d-4b98-9374-f4c4d511d56a, api error AccessDeniedException: User: arn:aws:sts::{account suppressed}:assumed-role/eks-workshop-ide-EksWorkshopIdeRole-LqlqA1nQsjV7/i-02d14764bdd1932b5 is not authorized to perform: kms:CreateAlias on resource: arn:aws:kms:us-west-2:{account suppressed}:alias/eks/eks-workshop because no identity-based policy allows the kms:CreateAlias action

   with module.eks.module.kms.aws_kms_alias.this["cluster"],
   on .terraform/modules/eks.kms/main.tf line 452, in resource "aws_kms_alias" "this":
  452: resource "aws_kms_alias" "this" {

What did you expect to happen?

The terraform module should create all resources without errors.

How can we reproduce it?

Just try to setup the environment as described in https://eksworkshop.com/docs/introduction/setup/your-account/using-terraform

Anything else we need to know?

The problem can be addressed manually by modifying permissions policies for the role eks-workshop-ide-EksWorkshopIdeRole-{hash}. Just change the inline policy eks-workshop-ide-base to allow action "kms:CreateAlias". After that, perform the terraform apply once more.

Terraform will perform the following actions:

  # module.eks.module.kms.aws_kms_alias.this["cluster"] will be created
  + resource "aws_kms_alias" "this" {
      + arn            = (known after apply)
      + id             = (known after apply)
      + name           = "alias/eks/eks-workshop"
      + name_prefix    = (known after apply)
      + target_key_arn = (known after apply)
      + target_key_id  = "22940659-c8e0-4964-84b3-546fd00d7aff"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.eks.module.kms.aws_kms_alias.this["cluster"]: Creating...
module.eks.module.kms.aws_kms_alias.this["cluster"]: Creation complete after 1s [id=alias/eks/eks-workshop]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

This issue seems to be related to #1091

EKS version

1.30

@zidenis zidenis added the bug Something isn't working label Nov 6, 2024
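The denial above is an identity-based policy gap on the IDE role, and the fix described in the report is to add kms:CreateAlias to the role's inline policy. The following is an added example (not code from the issue or the workshop repository) that shows the least-privilege statement to add and a minimal preflight check reproducing the deny-then-allow. The base policy body, the account id 111122223333 and the helper names are constructed assumptions; the real eks-workshop-ide-base policy is not shown in the issue.

```python
import fnmatch
import json

# Constructed stand-in for the inline policy "eks-workshop-ide-base": it covers
# key management but omits kms:CreateAlias, which is exactly what the
# AccessDeniedException in the report complains about. (Assumed content.)
BASE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow",
         "Action": ["kms:CreateKey", "kms:DescribeKey", "kms:TagResource"],
         "Resource": "*"}
    ],
}

# Statement to add. kms:DeleteAlias is included so a later terraform destroy
# is not blocked the same way; the Resource is scoped to the workshop's alias
# namespace instead of "*". Account id 111122223333 is a placeholder.
ALIAS_STATEMENT = {
    "Effect": "Allow",
    "Action": ["kms:CreateAlias", "kms:DeleteAlias"],
    "Resource": "arn:aws:kms:us-west-2:111122223333:alias/eks/*",
}

ALIAS_ARN = "arn:aws:kms:us-west-2:111122223333:alias/eks/eks-workshop"


def _as_list(value):
    return value if isinstance(value, list) else [value]


def is_allowed(policy, action, resource):
    """Minimal IAM-style evaluation: an explicit Deny wins, otherwise any
    matching Allow grants. IAM wildcards (* and ?) map onto fnmatch. Condition,
    NotAction and NotResource are ignored; the authoritative answer comes from
    the IAM policy simulator (iam:SimulatePrincipalPolicy)."""
    allowed = False
    for stmt in policy["Statement"]:
        act_hit = any(fnmatch.fnmatchcase(action, a) for a in _as_list(stmt.get("Action", [])))
        res_hit = any(fnmatch.fnmatchcase(resource, r) for r in _as_list(stmt.get("Resource", [])))
        if not (act_hit and res_hit):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


def patched_policy(policy):
    """Return a deep copy of the policy with the alias statement appended."""
    fixed = json.loads(json.dumps(policy))
    fixed["Statement"].append(ALIAS_STATEMENT)
    return fixed
```

Running `is_allowed(BASE_POLICY, "kms:CreateAlias", ALIAS_ARN)` reproduces the deny from the report and `is_allowed(patched_policy(BASE_POLICY), ...)` shows the alias creation succeeding once the statement is added.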