quickstart-amazon-eks-cluster-resource-provider
User not authorized to perform kms:DescribeKey operation error
I'm getting the following error:

```
InvalidRequestException: User not authorized to perform kms:DescribeKey operation { RespMetadata: { StatusCode: 400, RequestID: "9d3ce0c8-2fb2-4849-80bc-7521fce89f1c" }, Message_: "User not authorized to perform kms:DescribeKey operation" }.
```
My setup is as follows:

```yaml
EKS:
  Type: "AWSQS::EKS::Cluster"
  Properties:
    Name: !Ref EKSClusterName
    KubernetesNetworkConfig:
      ServiceIpv4Cidr: "172.20.0.0/16"
    ResourcesVpcConfig:
      SubnetIds: !Ref SubnetIds
      SecurityGroupIds: !Ref SecurityGroupIds
      PublicAccessCidrs: !Ref EKSPublicAccessCIDRs
      EndpointPrivateAccess: !If [ EnablePrivateEndpoint, true, false ]
      EndpointPublicAccess: !If [ EnablePublicEndpoint, true, false ]
    EnabledClusterLoggingTypes: !If [ LoggingEnabled, !Ref EKSClusterLoggingTypes, !Ref "AWS::NoValue" ]
    EncryptionConfig: !If
      - EnableEncryption
      - - Resources: [ secrets ]
          Provider:
            KeyArn: !If [ CreateKey, !GetAtt KMSSecretsKey.Arn, !Ref EKSEncryptSecretsKmsKeyArn ]
      - !Ref AWS::NoValue
    RoleArn: !Ref RoleArn
    Version: !Ref KubernetesVersion
    KubernetesApiAccess:
      Roles:
        - Arn: !Ref NodeInstanceRoleArn
          Username: 'system:node:{{EC2PrivateDNSName}}'
          Groups: [ 'system:bootstrappers', 'system:nodes' ]
        - Arn: !Ref FunctionRoleArn
          Username: !Ref FunctionRoleArn
          Groups: [ 'system:masters' ]
        - !If
          - AddRole
          - Arn: !Ref AdditionalEKSAdminRoleArn
            Username: !Ref AdditionalEKSAdminRoleArn
            Groups: [ 'system:masters' ]
          - !Ref 'AWS::NoValue'
      Users:
        - !If
          - AddUser
          - Arn: !Ref AdditionalEKSAdminUserArn
            Username: !Ref AdditionalEKSAdminUserArn
            Groups: [ 'system:masters' ]
          - !Ref 'AWS::NoValue'
```
I would appreciate it if you can help me understand why I got the error. Does the role in RoleArn need to have the kms:DescribeKey permission?
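As an added example (editor's illustration, not code from the issue author or from the quickstart project), the CloudFormation fragment below shows how a least-privilege grant for the KMS key used in `EncryptionConfig` can be attached to the role passed as `RoleArn`, so that the `kms:DescribeKey` call is allowed on that one key rather than on `*`. The logical name `EKSSecretsKeyAccess`, the set of actions (`kms:DescribeKey` plus `kms:CreateGrant`, `kms:Encrypt`, `kms:Decrypt`, `kms:GenerateDataKey*`), and the assumption that the cluster role itself is the principal the error refers to are all assumptions; the error text does not name the principal, and the provider's own execution role may be the caller instead. The `!Split`/`!Select` expression that derives the role name from `RoleArn` assumes the role has no IAM path.

```yaml
# Added example: least-privilege KMS access for the EKS cluster role.
# Assumes the same parameters/conditions as the issue's template
# (RoleArn, CreateKey, KMSSecretsKey, EKSEncryptSecretsKmsKeyArn,
# EnableEncryption). Only created when secrets encryption is enabled.
EKSSecretsKeyAccess:
  Type: AWS::IAM::Policy
  Condition: EnableEncryption
  Properties:
    PolicyName: eks-secrets-kms-access
    Roles:
      # AWS::IAM::Policy takes role *names*, not ARNs. This extracts
      # the name from "arn:aws:iam::<account>:role/<name>" and assumes
      # the role was created without a path.
      - !Select [ 1, !Split [ "/", !Ref RoleArn ] ]
    PolicyDocument:
      Version: "2012-10-17"
      Statement:
        - Sid: AllowEksSecretsEnvelopeEncryption
          Effect: Allow
          Action:
            - kms:DescribeKey
            - kms:CreateGrant
            - kms:Encrypt
            - kms:Decrypt
            - kms:GenerateDataKey*
          # Scope to the single key used by EncryptionConfig, never "*".
          Resource: !If
            - CreateKey
            - !GetAtt KMSSecretsKey.Arn
            - !Ref EKSEncryptSecretsKmsKeyArn
```

Two checks worth doing before attributing the failure to the cluster role: first, if `EKSEncryptSecretsKmsKeyArn` points at a key in another account, an identity policy like the one above is not sufficient on its own, because the key's own key policy must also grant the principal; second, a CloudTrail `DescribeKey` event with `errorCode` `AccessDenied` will record the exact `userIdentity` that was refused, which settles whether it was the role in `RoleArn` or the resource provider's execution role.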