[英]Failed to create fargate profile
尝试使用 amazon eks 创建 fargate 配置文件时(使用命令 eksctl create cluster --name myclustername --version 1.14 --fargate),我得到
[✔] all EKS cluster resources for "myclustername" have been created
[✔] saved kubeconfig as "/home/connor/.kube/config"
[ℹ] creating Fargate profile "fp-default" on EKS cluster "myclustername"
Error: failed to create Fargate profile "fp-default" on EKS cluster "myclustername": failed to create Fargate profile "fp-default": AccessDeniedException: Account 339969016160 is not authorized to use this service
status code: 403, request id: 1db7cf38-002e-48b8-8fa6-8a7b7eab324d
关于我需要添加什么权限来解决这个问题的任何想法? 我更喜欢尽可能通过 cli 进行所有管理
错误很可怕,因为它表明这是一个权限问题,而真正的问题是截至 2020 年 1 月 12 日,仅在四个区域支持带有 EKS (kubernetes) 的 fargate:
Region Name Region
US East (Ohio) us-east-2
US East (N. Virginia) us-east-1
Asia Pacific (Tokyo) ap-northeast-1
EU (Ireland) eu-west-1
请参阅: https : //docs.aws.amazon.com/eks/latest/userguide/fargate.html
虽然在您的笔记中并不明显,但我怀疑您正在尝试使用不在上述列表中的区域。
请注意,只要不与 EKS 结合使用,fargate 可在更多区域使用。
调试此问题的最佳方法可能是在集群的 Cloudformation 事件日志中查找相关错误。 它应该会告诉您问题的原因,以及是区域过载还是 id 是权限/IAM 相关问题。
您还可以将--verbose 5
添加到 eksctl 命令以在控制台中查看更好的输出。
如果是权限相关而不是区域容量错误,请确保您使用的 AWS 用户/配置文件至少具有以下权限:
# Cloud Formation
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "eksCtlCloudFormation",
"Effect": "Allow",
"Action": "cloudformation:*",
"Resource": "*"
}
]
}
# EKS
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"eks:*"
],
"Resource": "*"
}
]
}
#Autoscaling
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": "arn:aws:autoscaling:*:*:launchConfiguration:*:launchConfigurationName/*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": [
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:CreateAutoScalingGroup"
],
"Resource": "arn:aws:autoscaling:*:*:autoScalingGroup:*:autoScalingGroupName/*"
},
{
"Sid": "VisualEditor2",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations"
],
"Resource": "*"
}
]
}
#IAM
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:GetRole",
"iam:GetInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:CreateRole",
"iam:DeleteRole",
"iam:AttachRolePolicy",
"iam:PutRolePolicy",
"iam:ListInstanceProfiles",
"iam:AddRoleToInstanceProfile",
"iam:ListInstanceProfilesForRole",
"iam:PassRole",
"iam:DetachRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRolePolicy"
],
"Resource": [
"arn:aws:iam::<AWS Acct Id>:instance-profile/eksctl-*",
"arn:aws:iam::<AWS Acct Id>:role/eksctl-*"
]
}
]
}
#Networking
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "EksInternetGateway",
"Effect": "Allow",
"Action": "ec2:DeleteInternetGateway",
"Resource": "arn:aws:ec2:*:*:internet-gateway/*"
},
{
"Sid": "EksNetworking",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:CreateNatGateway",
"ec2:CreateVpc",
"ec2:AttachInternetGateway",
"ec2:DescribeVpcAttribute",
"ec2:DeleteRouteTable",
"ec2:AssociateRouteTable",
"ec2:DescribeInternetGateways",
"ec2:CreateRoute",
"ec2:CreateInternetGateway",
"ec2:RevokeSecurityGroupEgress",
"ec2:CreateSecurityGroup",
"ec2:ModifyVpcAttribute",
"ec2:DeleteInternetGateway",
"ec2:DescribeRouteTables",
"ec2:ReleaseAddress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:DescribeTags",
"ec2:CreateTags",
"ec2:DeleteRoute",
"ec2:CreateRouteTable",
"ec2:DetachInternetGateway",
"ec2:DescribeNatGateways",
"ec2:DisassociateRouteTable",
"ec2:AllocateAddress",
"ec2:DescribeSecurityGroups",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DeleteNatGateway",
"ec2:DeleteVpc",
"ec2:CreateSubnet",
"ec2:DescribeSubnets"
],
"Resource": "*"
}
]
}
声明:本站的技术帖子网页,遵循CC BY-SA 4.0协议,如果您需要转载,请注明本站网址或者原文地址。任何问题请咨询:yoyou2525@163.com.