terraform-aws-eks
cluster_creator cannot create resources
So I'm setting enable_cluster_creator_admin_permissions = true to allow the assumed TF role to continue to create resources on the cluster.
I was doing this with the old config-maps adding this user to system:masters. I've removed that user from the config-map in favor of trying not to use that anymore with the access entries replacement, slowly removing all of them, but when TF runs now it can't create things like namespaces or configmaps:
╷
│ Error: namespaces is forbidden: User "arn:aws:sts::REDACTED:assumed-role/terraform-role/EKSGetTokenAuth" cannot create resource "namespaces" in API group "" at the cluster scope
│
│   with module.eks-addons[0].module.eks_blueprints_addons.kubernetes_namespace_v1.aws_observability[0],
│   on .terraform/modules/eks-addons.eks_blueprints_addons/main.tf line 2557, in resource "kubernetes_namespace_v1" "aws_observability":
│ 2557: resource "kubernetes_namespace_v1" "aws_observability" {
│
╵
╷
│ Error: Have got the following error while validating the existence of the ConfigMap "aws-auth": configmaps "aws-auth" is forbidden: User "arn:aws:sts::REDACTED:assumed-role/terraform-role/EKSGetTokenAuth" cannot get resource "configmaps" in API group "" in the namespace "kube-system"
│
│   with module.k8s-cluster.module.aws-auth.kubernetes_config_map_v1_data.aws_auth[0],
│   on .terraform/modules/k8s-cluster.aws-auth/modules/aws-auth/main.tf line 31, in resource "kubernetes_config_map_v1_data" "aws_auth":
│   31: resource "kubernetes_config_map_v1_data" "aws_auth" {
│