Learning to K8 with Kops within AWS (I'm ok in the AWS zone I think), I'm working through setting up a simple service described in this medium article:
After deploying the service I get an IAM permissions error (redacted account number & domain name):
Warning SyncLoadBalancerFailed 19m service-controller Error syncing load balancer: failed to ensure load balancer: Error creating load balancer: "AccessDenied: User: arn:aws:sts::${AWS::Account}:assumed-role/masters.myfirstcluster.kops.${domain_name}/i-08a3ce916f7e03e55 is not authorized to perform: iam:CreateServiceLinkedRole on resource: arn:aws:iam::${AWS::Account}:role/aws-service-role/elasticloadbalancing.amazonaws.com/AWSServiceRoleForElasticLoadBalancing\n\tstatus code: 403, request id: c1a0598a-cd23-4e2a-9fd6-58904cbe76d5"
The AWS IAM Role, which is created by the kops binary masters.myfirstcluster.kops., which has been assumed by i-08a3ce916f7e03e55, and indeed it does not have a policy which would allow the API request. The role is created by the kops binary upon intstall.
Is there a kops API method to set the required policy to the role, or it is necessary to do this via AWS API?
Best Answer
Answering own question:
It was necesssary to change the policy attached to the master role (see IAM Roles), adding the following section to the
spec:key,kops edit cluster myfirstcluster.kops.${domain_name}: